Open Resolver List, New Orleans, etc..

I am putting the finishing touches on a presentation I will be making later this week at the DNS-OARC meeting, but I also wanted to ask anyone here if they had data/ideas of items they are interested in seeing from the Open Resolver Project.

We perform a weekly scan of the IPv4 space looking for DNS servers that can be used in an amplification attack.

Some interesting data: about 46% of the IPs that respond to a DNS query do not respond from port 53, meaning they are "broken" in some interesting way.

I encourage folks to check your IP space here:

You can also e-mail the project to get direct access to per-ASN reports. That email needs to come from a contact in the RIR object, or from a corporate address that can be easily identified as related to your org.

If you are an ISAC or similar, we can also assist you.


- jared

Maybe I'm not being very imaginative, but how can something from !53 be considered a DNS response to a query sent to port 53? Can you give some examples of the sorts of packets that fall into this rather large % of ill-behaved hosts? Are you sure you're not treating things like icmp port unreachable as a "!udp/53 src response"?

On a totally unrelated note... the document at that URL looks visually almost exactly like the CentOS stock Apache 2 test page.

It's so similar in appearance that, when opening it, at first I thought it a broken link instead of an actual website....


Here's a sample excerpt:


I have the raw packet data for these. They were on a UDP socket, not some tcpdump output parsing snafu… :)

I have many more of these in the dataset. I'm thinking about flagging those that aren't from udp/53 and giving a pointer to things like CPE device firmware that causes problems. I've got a lot of private data on that which I can't share, either because the vendor is delivering fixed firmware or something else.

- Jared
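
Added example, not part of the original thread and not the Open Resolver Project's code: a sketch of how datagrams received on the querying UDP socket can be sorted into replies from udp/53 and replies from another source port. The function names, the transaction ID and the sample datagrams (documentation-range addresses) are constructed for illustration.

```python
import struct
from collections import Counter

def build_query(txid, qname="example.com"):
    """Minimal DNS A/IN query with RD set; used here only to derive sample replies."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)

def make_reply(query):
    """Constructed reply: same ID and question, QR and RA bits set, no answers."""
    txid, flags = struct.unpack("!HH", query[:4])
    return struct.pack("!HH", txid, flags | 0x8000 | 0x0080) + query[4:]

def classify(datagram, src_port, expected_txid):
    """Classify one datagram as returned by recvfrom() on the querying socket.
    ICMP errors never arrive as datagram payload, so they cannot land here."""
    if len(datagram) < 12:                 # shorter than a DNS header
        return "not-dns"
    txid, flags = struct.unpack("!HH", datagram[:4])
    if not flags & 0x8000:                 # QR clear: a query, not a response
        return "not-dns"
    if txid != expected_txid:              # not an answer to our query
        return "txid-mismatch"
    return "reply-from-53" if src_port == 53 else "reply-from-other-port"

def summarize(samples, txid):
    """Count classes and the share of valid replies not sourced from udp/53."""
    counts = Counter(classify(data, port, txid) for _ip, port, data in samples)
    replies = counts["reply-from-53"] + counts["reply-from-other-port"]
    share = counts["reply-from-other-port"] / replies if replies else 0.0
    return counts, share

TXID = 0x1A2B                              # constructed transaction ID
QUERY = build_query(TXID)
SAMPLES = [                                # constructed (src_ip, src_port, payload)
    ("192.0.2.10", 53, make_reply(QUERY)),
    ("192.0.2.11", 1024, make_reply(QUERY)),    # reply from a non-53 source port
    ("203.0.113.5", 61000, make_reply(QUERY)),  # reply from a non-53 source port
    ("198.51.100.7", 53, make_reply(build_query(0x9999))),  # wrong ID
    ("198.51.100.8", 53, QUERY),                # echoed query, QR clear
    ("203.0.113.6", 53, b"\x00\x01"),           # truncated junk
]

if __name__ == "__main__":
    counts, share = summarize(SAMPLES, TXID)
    print(dict(counts), f"non-53 share of replies: {share:.0%}")
```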

I think it looks very minimal for a webpage :) If you want to sign up with your HTML skills, let me know off list.

I want to make getting the data simple. I'm also thinking of making an alert pop up if the exact IP you visit from is in the database…

A few weeks ago I fingerprinted all the DNS servers.

All DNS servers in the database:

All Open Resolvers in the database:

- Jared