[161761] in North American Network Operators' Group
Re: Open Resolver Problems
daemon@ATHENA.MIT.EDU (joel jaeggli)
Tue Mar 26 13:34:05 2013
Date: Tue, 26 Mar 2013 10:33:43 -0700
From: joel jaeggli <joelja@bogus.com>
To: Owen DeLong <owen@delong.com>, Doug Barton <dougb@dougbarton.us>
In-Reply-To: <239F547E-5353-43EF-9EA7-6E91C44C9C66@delong.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On 3/26/13 10:10 AM, Owen DeLong wrote:
> On Mar 26, 2013, at 9:39 AM, Doug Barton <dougb@dougbarton.us> wrote:
>
>> On 03/26/2013 09:28 AM, Owen DeLong wrote:
>>> On Mar 26, 2013, at 5:59 AM, Chris Adams <cmadams@hiwaay.net> wrote:
>>>
>>>> Once upon a time, Valdis.Kletnieks@vt.edu <Valdis.Kletnieks@vt.edu> said:
>>>>> Now explain how you find a recursive nameserver that isn't listed in an NS
>>>>> entry and *hasn't* been publicized someplace that Google can find it.
>>>> The same way you find open mail relays, SSH hosts with weak
>>>> user/password combos, bad WordPress installs, etc. - scan for them. If
>>>> it is open to the Internet, it will be found (or probably already has
>>>> been).
>>>>
>>> Let me rephrase the question… How do you find an open IPv6 recursive name server
>>> that isn't listed in an NS entry and hasn't been publicized someplace that Google can
>>> find it?
>> That question was already answered ... ask the bots what their resolving name servers are, then check to see if they are open. As IPv6 deployment increases, the answers will increasingly include IPv6 open resolvers.
>>
>> Doug
>>
> Let me again rephrase…
>
> As a white-hat attempting to find problems to address through legitimate means, how
> do you …
passive DNS collection , e.g. many people lave large lists of resolvers
that have connected to their authoritative nameservers.
>
> Owen
>
>
>
