[161703] in North American Network Operators' Group
Re: Open Resolver Problems
daemon@ATHENA.MIT.EDU (Jared Mauch)
Mon Mar 25 16:46:13 2013
From: Jared Mauch <jared@puck.nether.net>
In-Reply-To: <7956431.10912.1364234677312.JavaMail.root@benjamin.baylink.com>
Date: Mon, 25 Mar 2013 16:45:59 -0400
To: Jay Ashworth <jra@baylink.com>
Cc: NANOG <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Mar 25, 2013, at 2:04 PM, Jay Ashworth <jra@baylink.com> wrote:
> ----- Original Message -----
>> From: "Jared Mauch" <jared@puck.nether.net>
>
>> Open resolvers pose a security threat.
>
> Could you clarify, here, Jared?
>
> Do "open DNS customer-resolver/recursive servers" *per se* cause a problem?
>
> Or is it merely "customer zone servers which are misconfigured to recurse",
> as has always been problematic?
>
> That is: is this just a reminder we never closed the old hole, or
> notification of some new and much nastier hole?
There have been some moderate size attacks recently that I won't go into detail here about. The IPs that are on the website are certainly being used/abused. A recent attack saw a 90% match rate against the "master list" here. This means your open resolver is likely being used.

Anything to raise the bar here will minimize the impact to those networks under attack. Turn on RPF facing your colocation and high-speed server LANs. We all know hosts become compromised. Help minimize the impact of these attacks by

a) doing BCP-38
b) locking down your recursive servers to networks you control
c) locking down your authority servers to not provide the same answer 15x in a second to the same querying IP. If it's asking that same question 15x, then it's not you that's broken, it's that client. (Or it's being abused).

- Jared
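As an added illustration of point (c), not part of Jared's message or any NANOG tooling: a small Python check that scans BIND-style query log lines for one client repeating the same question at least 15 times within a single second, the pattern he describes as a client that is broken or being abused. The log lines, names and addresses are constructed sample data; the 15-per-second threshold is the figure from the post.

```python
import re
from collections import Counter

# Constructed sample lines in the style of a BIND query log (not real traffic).
# 20 identical ANY queries from one client in one second, plus two benign lines.
LOG_LINES = [
    f"25-Mar-2013 16:45:59.{i * 40:03d} client 192.0.2.10#4321 (example.net): "
    "query: example.net IN ANY +E (203.0.113.1)"
    for i in range(20)
] + [
    "25-Mar-2013 16:45:59.100 client 198.51.100.7#53001 (example.net): "
    "query: www.example.net IN A -E (203.0.113.1)",
    "25-Mar-2013 16:46:00.200 client 192.0.2.10#4321 (example.net): "
    "query: example.net IN ANY +E (203.0.113.1)",
]

# Matches "<date> <hh:mm:ss>.<ms> client [@0x...] <ip>#<port> (<zone>): query: <qname> <class> <type> ..."
# The optional "@0x..." token appears in newer BIND releases; second-level timestamp is kept as the bucket.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ client (?:@0x[0-9a-f]+ )?"
    r"(?P<ip>[0-9a-fA-F.:]+)#\d+ \([^)]*\): query: "
    r"(?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)"
)


def find_repeated_queries(lines, threshold=15):
    """Return {(client_ip, qname, qtype, second): count} for every
    (client, question) pair asked at least `threshold` times in one second."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a query-log entry; ignore
        key = (m["ip"], m["qname"].lower(), m["qtype"], m["ts"])
        counts[key] += 1
    return {k: v for k, v in counts.items() if v >= threshold}


if __name__ == "__main__":
    for (ip, qname, qtype, second), n in find_repeated_queries(LOG_LINES).items():
        # Candidates for response rate limiting on the authority server.
        print(f"{second}: {ip} asked {qname}/{qtype} {n}x")
```

Run against a real query log, the output lists the (client, question) pairs that response rate limiting on the authority server would throttle.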