[dns-operations] Seeking contact for https://www.publicdns.xyz/

Jeroen Massar jeroen at massar.ch
Wed Mar 27 11:53:18 UTC 2019


On 2019-03-27 12:18, Merike Kaeo wrote:
> 
>> On Mar 27, 2019, at 3:55 AM, Matthew Pounsett <matt at conundrum.com> wrote:
>>
>> On Tue, 26 Mar 2019 at 17:35, Edward Lewis <edward.lewis at icann.org> wrote:
>>
>>     If anyone has a contact for whomever is running this page:
>>
>>     https://www.publicdns.xyz/
>>
>>     Please contact me off-list...
>>
>>
>> That site seems to not only list managed public services resolvers (e.g. GooglePDNS, Cloudflare, OpenDNS) but also unmanaged open resolvers.  This seems like a very bad thing. 
> 
> Yeah, just took a look and had a few thoughts:
> 
> - how this could be exploited by folks with questionable intent - especially the unmanaged open resolvers

Spoof some packets from your target and ask lots of nice DNSSEC questions. "ANY access-board.gov" seems to be a very popular query.

> - how this could be used for research or outreach

Get the list, loop through them and compare answers between them.

Will nicely show GeoDNS for various domains. Though you need to know the labels you are interested in.

> - how is this list compiled

for i in <the internet ips>
do
  dig @<ip> && "open resolver"
done

Though more likely a zmap-style scan for open port 53 (can just test TCP, UDP is also an option but would require valid DNS packets in most cases; though ICMP unreach is telling too). Many options here.

Shodan is likely telling the same thing, and there are lots of other "research" projects that have an index of open recursives:

 http://openresolverproject.org/

is a prominent one. Guess they need to kick ASNs again to clean up their networks.

Greets,
 Jeroen
 (who just asked our awesome CS department to contact our singly affected customer to resolve that issue ;) )
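
A defender's version of the check discussed above, for auditing resolvers you operate (an added example, not part of the original message): it builds the valid DNS query that a UDP test needs and classifies the reply from its header flags. The function names, the `example.com` probe name and the sample replies are assumptions constructed for illustration.

```python
import socket
import struct

TXID = 0x1234  # fixed ID so the constructed samples below match

def build_query(name, qtype=1):
    """Valid DNS query for `name` with RD=1 (recursion desired)."""
    header = struct.pack("!HHHHHH", TXID, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def classify_response(data):
    """Classify a reply to build_query() from its header flags."""
    if len(data) < 12:
        return "malformed"
    rid, flags = struct.unpack("!HH", data[:4])
    if rid != TXID or not flags & 0x8000:   # wrong ID or not a response
        return "malformed"
    rcode = flags & 0x000F
    if rcode == 5:
        return "refused"                    # ACL is doing its job
    if flags & 0x0400:
        return "authoritative"              # AA: served from its own zone
    if not flags & 0x0080:
        return "no-recursion"               # RA clear: recursion not offered
    if rcode in (0, 3):
        return "open"                       # recursed for us (NOERROR/NXDOMAIN)
    return "inconclusive"                   # e.g. SERVFAIL with RA set

def probe(server_ip, name="example.com", timeout=2.0):
    """One UDP query to a resolver you operate, sent from outside its ACL."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server_ip, 53))
        try:
            return classify_response(s.recvfrom(4096)[0])
        except socket.timeout:
            return "no-reply"

def _sample(flags, answers):
    """Constructed reply (not captured traffic): header, question, A records."""
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    head = struct.pack("!HHHHHH", TXID, flags, 1, answers, 0, 0)
    return head + build_query("example.com")[12:] + rr * answers

SAMPLES = {"open": _sample(0x8180, 1), "refused": _sample(0x8105, 0),
           "no-recursion": _sample(0x8100, 0), "authoritative": _sample(0x8580, 1)}
```

Use a probe name the server is not authoritative for; a result of "open" from an address outside the resolver's intended client ranges means its recursion ACL needs tightening.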


