[dns-operations] open resolver versio.bind responses

Graham Beneke graham at apolix.co.za
Thu Apr 18 06:08:10 UTC 2013


Hi All

On 16/04/2013 14:21, Jared Mauch wrote:
> I took the latest 'Open Resolver' list and queried the hosts another time with a version.bind query.
> 
> You can view the results here:
> 
> http://openresolverproject.org/version.bind.report.txt

The number of times that DNSmasq is listed near the top is consistent
with some of the recent DoS incidents that I've seen on my network. It
seems that a number of CPE vendors have DNSmasq running without any kind
ACL.

What happened during the incidents I found quite interesting though:

The CPEs were obviously identified as open resolvers and spoofed packets
sent towards them. DNSmasq is however a pure forwarder and doesn't cache
so instead of sourcing lots of traffic for the attacker the CPE ends up
DoSing itself. DNSmasq hits an upstream resolver with every query it
receives and then saturates the downstream link with the garbage
responses. A combination of this and the fact many end user connections
are async means that the end user experiences huge congestion while not
contributing significantly to the attack traffic.

Thus - not much use to an attacker but much higher collateral damage.

-- 
Graham Beneke



More information about the dns-operations mailing list