[nsp-sec] Open DNS resolvers
Fouant, Stefan
Stefan.Fouant at neustar.biz
Thu Oct 1 10:52:44 EDT 2009
Ok, so back at my computer now... looks like what Team Cymru has is the "Million Resolvers Project" which is basically a list of known open resolvers. You could probably take a look at that list to see if certain hosts are listed.
Alternatively, you could run the following commands which should give you an indication as to whether or not a certain nameserver allows for recursion:
/usr/bin/dig +recurs @yournameserver_ip www.facebook.com
The above command would indicate whether the nameserver specified allows for recursive queries for www.facebook.com (assuming that nameserver is not authoritative for the facebook.com domain).
Another thing you might want to look for is whether the name server allows for root referrals:
/usr/bin/dig . NS @yournameserver_ip
Generally, most Internet-facing authoritative DNS servers should not respond to recursive 3rd party queries for root.
Also, you can look for an "RA" entry in the "Flags" section of the response which should give you some indication as to whether the resolver allows for recursion...
HTHs.
Stefan Fouant
Neustar, Inc. / Principal Engineer
46000 Center Oak Plaza Sterling, VA 20166
Office: +1.571.434.5656 ▫ Mobile: +1.202.210.2075 ▫ GPG ID: 0xB5E3803D ▫ stefan.fouant at neustar.biz
> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net [mailto:nsp-security-
> bounces at puck.nether.net] On Behalf Of Fouant, Stefan
> Sent: Thursday, October 01, 2009 9:35 AM
> To: hank at efes.iucc.ac.il; nsp-security at puck.nether.net
> Subject: Re: [nsp-sec] Open DNS resolvers
>
> ----------- nsp-security Confidential --------
>
> I'm not at my computer right now, but if I recall Team Cymru had some
> widget which could test for Open Resolvers. I haven't had my coffee
> this AM yet, so I could be way off base though...
>
> Stefan Fouant
> Neustar, Inc. / Principal Engineer
> 46000 Center Oak Plaza Sterling, VA 20166
> Office: +1.571.434.5656 ▫ Mobile: +1.202.210.2075 ▫ GPG ID: 0xB5E3803D
> ▫ stefan.fouant at neustar.biz
>
> ----- Original Message -----
> From: nsp-security-bounces at puck.nether.net <nsp-security-
> bounces at puck.nether.net>
> To: nsp-security at puck.nether.net <nsp-security at puck.nether.net>
> Sent: Thu Oct 01 06:33:08 2009
> Subject: [nsp-sec] Open DNS resolvers
>
> ----------- nsp-security Confidential --------
>
> Can someone point me at a web page that can test a few specific IPs whether
> they are open. Not:
> http://dns.measurement-factory.com/cgi-bin/openresolvercheck.pl
> which only checks what is in their cache from the last time they did their
> check - but I am looking for a check now.
>
> Thanks,
> Hank
>
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security
> counter-measures.
> _______________________________________________
>
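Added example, not part of the original e-mail: the checks described in the reply above (recursion on a third-party name, the "RA" flag, and a root referral) reduced to reading the 12-byte DNS header of the reply. The function names, the fixed query ID and the sample headers are constructed for this illustration; probe() is meant for nameservers you operate.

```python
import socket
import struct

QR, AA, RD, RA = 0x8000, 0x0400, 0x0100, 0x0080  # header flag bits (RFC 1035)
TXID = 0x1234  # fixed query ID, constructed for this example

def build_query(name, qtype=1):
    """Query with RD set (what dig +recurse sends); qtype 1 = A, 2 = NS."""
    header = struct.pack("!HHHHHH", TXID, RD, 1, 0, 0, 0)
    labels = [l for l in name.split(".") if l]  # "." yields the root name
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN

def classify(response):
    """Classify a reply from its 12-byte header alone."""
    if len(response) < 12:
        return "malformed"
    rid, flags, _qd, an, ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if rid != TXID or not flags & QR:
        return "malformed"
    rcode = flags & 0x000F
    if rcode == 5:
        return "refused"
    if flags & AA and an > 0:
        return "authoritative"  # server owns the zone: says nothing about recursion
    if flags & RA and rcode == 0 and an > 0:
        return "open"  # recursion offered and a third-party name was resolved
    if flags & RA:
        return "recursion-offered"  # RA set but no answer returned
    if rcode == 0 and an == 0 and ns > 0:
        return "referral"  # e.g. root NS handed back instead of an answer
    return "closed"

def probe(server_ip, name="www.example.com", qtype=1, timeout=3.0):
    """Send one UDP query to a nameserver you operate and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype), (server_ip, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return "no-response"
    return classify(data)

def sample(flags, an=0, ns=0):
    """Constructed reply header for offline demonstration."""
    return struct.pack("!HHHHHH", TXID, flags, 1, an, ns, 0)

if __name__ == "__main__":
    for flags, an, ns in [(0x8180, 1, 0), (0x8105, 0, 0), (0x8100, 0, 13)]:
        print(hex(flags), classify(sample(flags, an, ns)))
```

probe(ip, ".", qtype=2) corresponds to the root NS query in the e-mail; a result of "referral" or "open" on an Internet-facing authoritative server is the condition the reply says should not occur.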