[161733] in North American Network Operators' Group
Re: Open Resolver Problems
daemon@ATHENA.MIT.EDU (Jared Mauch)
Tue Mar 26 10:54:31 2013
From: Jared Mauch <jared@puck.nether.net>
In-Reply-To: <Pine.LNX.4.61.1303260937380.26706@soloth.lewis.org>
Date: Tue, 26 Mar 2013 10:49:42 -0400
To: Jon Lewis <jlewis@lewis.org>
Cc: North American Operators' Group <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Mar 26, 2013, at 10:15 AM, Jon Lewis <jlewis@lewis.org> wrote:
>> On 25/03/2013 14:33, Mikael Abrahamsson wrote:
>>> I would like to be able to request an IP list of open resolvers in my ASN,
>>> perhaps sent to the contact details in RIPE whois database to make sure I'm
>>> not falsely representing that ASN.
>
> Or you could just get an off-site system (cloud VM), get the software from http://monkey.org/~provos/dnsscan/, and find all your own open recursive DNS servers.
>
> There are different levels of openness for recursive DNS servers though. It looks like Jared's project lists any DNS server that responds with anything other than refused as open. A DNS server could have open recursion "disabled", but still respond with referrals to the root-servers. Older versions of bind seem to do this when configured with allow-recursion for a limited range of IPs. While not really "open" such servers are still useful for DNS amplification. The example config at
>
> http://www.team-cymru.org/Services/Resolvers/instructions.html
>
> for a bind 9.x caching server can be adapted for older bind versions doing caching+authoritative such that it'll provide recursion to those who should have it, and authority for zones for which it needs to do so.
I was throwing up the 'quick & dirty' data that I had for everyone to get access to quickly.

There are a large number of attacks using these servers in the past week. I hope everyone takes a minute and gets with their unix/systems/DNS team and determines what they can do to minimize this.

One other important item:

Stop your customers from being able to spoof! If you punch in 8.8.8.8 (for example) into the system, you will see a number of devices where if a packet is directed at it that respond with 8.8.8.8, either by spoofing, or by forwarding that request to google and spoofing the origin IP.

Same for the 73.73.73.73 IP as well. Those CPE devices should be locked down.

- Jared
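The three degrees of "openness" Jon describes (a server that answers REFUSED, one that recurses for anyone, and one with recursion "disabled" that still hands back a root referral) can all be told apart from the response header when auditing your own address space. The Python below is an added example for this thread; it is not code from the thread, from dnsscan, or from the Team Cymru instructions page. It builds three constructed responses to one recursion-desired query, classifies each from the RA flag, the RCODE and the section counts, and reports the response-to-query size ratio, which is the amplification a spoofed-source query would obtain from that server. The transaction ID, the probe name, and the 192.0.2.0/24 addresses are constructed values; the referral sample is built without name compression, so its ratio is higher than a real BIND referral would give.

```python
import struct

# DNS header flag bits and the RCODE Jon refers to (REFUSED = 5).
FLAG_QR, FLAG_AA, FLAG_TC, FLAG_RD, FLAG_RA = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080
RCODE_REFUSED = 5
TYPE_A, TYPE_NS, CLASS_IN = 1, 2, 1


def encode_name(name):
    """Wire-encode a dotted name; "." (the root) becomes a single zero byte."""
    labels = [label for label in name.rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def build_packet(txid, flags, question, answers=(), authority=(), additional=()):
    """Assemble an uncompressed DNS message: header, one question, then the RR sections."""
    qname, qtype = question
    hdr = struct.pack("!HHHHHH", txid, flags, 1, len(answers), len(authority), len(additional))
    body = encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    for section in (answers, authority, additional):
        for name, rtype, ttl, rdata in section:
            # NAME, TYPE, CLASS, TTL, RDLENGTH, RDATA
            body += encode_name(name) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata
    return hdr + body


def parse_header(pkt):
    """Return the header fields that decide how 'open' the responder is."""
    if len(pkt) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "ra": bool(flags & FLAG_RA),
            "aa": bool(flags & FLAG_AA), "rcode": flags & 0x000F,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def classify(query, response):
    """Classify a response to a recursion-desired query and give its size ratio.

    refused        -> server declined; nothing useful to an amplifier
    open-recursive -> RA set: it recurses for whoever asks
    referral       -> RA clear, but NS (+ glue) records come back anyway;
                      Jon's 'not really open but still useful' case
    """
    h = parse_header(response)
    if not h["qr"] or h["id"] != parse_header(query)["id"]:
        raise ValueError("not a response to this query")
    ratio = len(response) / len(query)
    if h["rcode"] == RCODE_REFUSED:
        kind = "refused"
    elif h["ra"]:
        kind = "open-recursive"
    elif h["ancount"] == 0 and h["nscount"] > 0:
        kind = "referral"
    else:
        kind = "other"
    return kind, ratio


QUESTION = ("example.com.", TYPE_A)  # constructed probe name


def sample_query():
    return build_packet(0x1234, FLAG_RD, QUESTION)


def sample_refused():
    # What a correctly restricted resolver sends to an outside querier.
    return build_packet(0x1234, FLAG_QR | FLAG_RD | RCODE_REFUSED, QUESTION)


def sample_open_recursive():
    a_rr = ("example.com.", TYPE_A, 300, bytes([192, 0, 2, 10]))  # TEST-NET-1, constructed
    return build_packet(0x1234, FLAG_QR | FLAG_RD | FLAG_RA, QUESTION, answers=[a_rr])


def sample_root_referral():
    # Thirteen root NS records plus glue: the shape of the 'recursion limited
    # but not refused' answer.  Uncompressed, and the glue addresses are constructed.
    letters = [chr(c) for c in range(ord("a"), ord("m") + 1)]
    ns = [(".", TYPE_NS, 518400, encode_name(f"{l}.root-servers.net.")) for l in letters]
    glue = [(f"{l}.root-servers.net.", TYPE_A, 518400, bytes([192, 0, 2, i]))
            for i, l in enumerate(letters, start=1)]
    return build_packet(0x1234, FLAG_QR | FLAG_RD, QUESTION, authority=ns, additional=glue)


def audit(query, responses):
    """responses: {label: bytes}; returns {label: (kind, ratio)} for a report."""
    return {label: classify(query, resp) for label, resp in responses.items()}


if __name__ == "__main__":
    q = sample_query()
    samples = {"refused": sample_refused(), "recursive": sample_open_recursive(),
               "referral": sample_root_referral()}
    for label, (kind, ratio) in audit(q, samples).items():
        print(f"{label:10s} {kind:15s} size ratio x{ratio:.1f}")
```

Only the REFUSED case is harmless to the people whose addresses get spoofed: the referral, even with RA clear, is an order of magnitude larger than the query that produced it, which is why a scanner that counts only RA-set answers as "open" undercounts the servers worth fixing.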