[dns-operations] About open DNS resolvers

Vernon Schryver vjs at rhyolite.com
Thu Aug 23 00:24:36 UTC 2012


> In message <20120822101333.7dafb564 at localhost>, John Kristoff writes:

> > You can, but target_ip may just forward to another resolver, which
> > ultimately fetches the answer on it's behalf.  So target_ip itself may
> > not strictly be considered an open resolver, but an "open forwarder".

> > confuse any answer with a valid answer.  For instance, the resolver may
> > be giving you a response based on a locally configured wild card record.

> From: Mark Andrews <marka at isc.org>
>
> It is an open resolver.  It doesn't matter if it does the lookup
> directly or indirectly.  It is honoring the "rd" bit and supplying
> recursive service.

There's more than one valid definition of "open resolver."

A DNS server that honors the RD bit from strangers only some of the
time, that "improves" some response with locally configured records,
is "helpful" about NXDOMAIN responses, keeps answering long after the
TTL on the authoritative rrset allow, or is otherwise "translucent"
might not be "open" to someone interested in legitimate DNS services
and DNS truth.  It might not compete with the resolvers on 8.8.8.8.

On the other hand, such a resolver is likely to be "open" enough for
someone looking for help for DoS reflection attack or a network
operator wanting to avoid providing reflection attack services.

It is conceivable that the resolvers on 8.8.8.8 rate limit so
aggressively that they don't qualify as "open" for reflection attacks
today.  I doubt that any DNS resolver can be open by the benign
definition in the long run without being open by the evil definition
if only because of DNSSEC and the peak requests/second from a DNSSEC-aware
browser (without local cache and all that implies).
`dig +dnssec asfd789.com @8.8.8.8` amplifies by about 25X.  That is
why when talking to someone looking for or trying to run a benign open
resolver, you need to advert to both definitions.  Someone trying close
open resolvers may need both definitions to justify time spent to
pointy haired bosses who use Google Public DNS and OpenDNS on their
home computers.

It wasn't clear to me whether the original author was looking for
benign competitors to Google and OpenDS or checking his own network
for evil open resolvers.


Vernon Schryver    vjs at rhyolite.com



More information about the dns-operations mailing list