[dns-operations] open resolver versio.bind responses
jared at puck.nether.net
Tue Apr 16 16:58:24 UTC 2013
On Apr 16, 2013, at 11:58 AM, Vernon Schryver <vjs at rhyolite.com> wrote:
>> From: Jared Mauch <jared at puck.nether.net>
>> Check out the breakdown.html page ...
> 2013-04-14 results
> 34030764 servers responded to our udp/53 probe
> 914175 servers responded from a different IP than probed
> 27773382 gave the 'correct' answer to my A? for the DNS name queried.
> 13721271 responded from a source port other than udp/53
> 29571967 responses had recursion-available bit set.
> 2827206 returned REFUSED
> What was heard from the 3.4 million servers that responded with neither
> the A RR nor REFUSED? The 2.8 million that REFUSED are significantly
> fewer than those mysterious 3.4 million, not to mention the 27 million
> functional open resolvers or the 29.5 million ostensibly open resolvers.
I can point you at that file if you'd like :)
> In other words https://www.google.com/search?q=sisyphus seems
> relevant. I don't mean to suggest that the effort is not worthwhile.
> The work is valuable, but realism forces us to acknowledge some
> implications. One is that there is no hope in "outreach."
There is plenty of hope. I've seen the following actions taken:
a) Hosting providers emailed customer base, said close your open resolver or we shut your host
b) ISPs have implemented spoofing filters. NTT is one of them that has cranked the filters up as a result (at least on static routed customers).
c) National CERTs have contacted the project and obtained lists of hosts/machines in their control.
d) LARGE ISPs have contacted for lists of resolvers, including at least one major provider in the US.
e) At least one ISP today emailed me about their former customers freaking out when they were notified of upcoming DNS server changes which might impact them (people restricting or closing open resolvers).
I certainly understand the concerns here regarding mitigation and outreach, but things are happening.
My changes in measurement technique aren't helping accurately measure this, but there should be some good data in the next few weeks as I've made the last tweak. The good news is the # of folks returning REFUSED keeps going up.
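The breakdown categories quoted above (recursion-available bit, REFUSED, a correct A answer, replies from a different IP or source port, and Vernon's "neither the A RR nor REFUSED" bucket) as a small classifier over captured replies; this is an added example, not code from the project or the list, and it assumes a hypothetical probe name and expected address and uses constructed replies and documentation-range IPs.

```python
import struct
PROBE_QNAME, EXPECTED_A = "probe.example.", "192.0.2.10"  # assumed probe name and expected A RR (constructed)
def _read_name(msg, off):
    # Decode a possibly-compressed DNS name; return (dotted name, offset just past it in the message).
    labels, end = [], None
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:  # compression pointer: follow it, but resume after the 2-byte pointer
            end, off = (end or off + 2), struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
        elif n == 0:
            return ".".join(labels) + ".", (end or off + 1)
        else:
            labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
            off += 1 + n
def classify(resp, probed_ip, src_ip, src_port):
    # Flag one captured reply against the breakdown categories quoted in the thread.
    _, hflags, qd, an, _, _ = struct.unpack("!6H", resp[:12])
    out = {"ra": bool(hflags & 0x80), "refused": (hflags & 0xF) == 5, "correct_a": False,
           "other_src_ip": src_ip != probed_ip, "other_src_port": src_port != 53}
    off = 12
    for _ in range(qd):  # skip the echoed question section (name + QTYPE + QCLASS)
        off = _read_name(resp, off)[1] + 4
    for _ in range(an):  # walk the answer section looking for the A RR we asked for
        name, off = _read_name(resp, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        rdata, off = resp[off + 10:off + 10 + rdlen], off + 10 + rdlen
        out["correct_a"] |= (rtype, rclass, rdlen, name) == (1, 1, 4, PROBE_QNAME) and ".".join(map(str, rdata)) == EXPECTED_A
    return out
def build_response(rcode, ra, answer_ip=None):
    # Constructed fixture: minimal reply to the probe, optionally with one A RR whose name points back to offset 12.
    qn = b"".join(bytes([len(l)]) + l.encode() for l in PROBE_QNAME.strip(".").split(".")) + b"\x00"
    body = qn + struct.pack("!HH", 1, 1)
    if answer_ip:
        body += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes(map(int, answer_ip.split(".")))
    return struct.pack("!6H", 0x1234, 0x8000 | (0x80 if ra else 0) | rcode, 1, int(bool(answer_ip)), 0, 0) + body
SAMPLES = [  # constructed replies: (wire bytes, IP probed, reply source IP, reply source port)
    (build_response(0, True, EXPECTED_A), "198.51.100.1", "198.51.100.1", 53),   # functional open resolver
    (build_response(5, False), "198.51.100.2", "198.51.100.2", 53),              # REFUSED
    (build_response(0, True, EXPECTED_A), "198.51.100.3", "203.0.113.9", 1025),  # replied via another IP/port
    (build_response(2, True), "198.51.100.4", "198.51.100.4", 53),               # SERVFAIL: neither A nor REFUSED
]
def breakdown(samples=SAMPLES):
    # Totals per category, plus the "neither the A RR nor REFUSED" bucket Vernon asks about.
    counts = {}
    for resp, probed, src, port in samples:
        flags = classify(resp, probed, src, port)
        flags["neither_a_nor_refused"] = not (flags["correct_a"] or flags["refused"])
        for k, v in flags.items():
            counts[k] = counts.get(k, 0) + int(v)
    return counts
```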