[nsp-sec] Open DNS resolvers
Stephen Gill
gillsr at cymru.com
Fri Oct 2 12:37:06 EDT 2009
> Nope. They need to be able to check on their own whether their
> consultants have done the job and closed down their open DNS servers and
> they don't have Unix and don't know what is dig and don't want to
> outsource that job to you. :-)
You could go the php route as suggested with a few more bells and whistles
to make it easier to understand, and sanitize the input, or in a pinch you
could use something like:
http://www.kloth.net/services/nslookup.php
Use a domain you don't expect to be in cache, or better yet create your own
wildcard with a low TTL and shove a TXT record in there. Query against that
domain of yours (or any) and the suspect nameserver at the URL above, then
document how to deal with the output.
-- steve
>> First advice for the newbie... Don't use Windows!!! ;)
>>
>> Seriously though... Send me your IPs... I'll dig em for you...
>>
>> Stefan Fouant
>> Neustar, Inc. / Principal Engineer
>> 46000 Center Oak Plaza Sterling, VA 20166
>> Office: +1.571.434.5656 | Mobile: +1.202.210.2075 | GPG ID: 0xB5E3803D
>> | stefan.fouant at neustar.biz
>>
>> ----- Original Message -----
>> From: Hank Nussbacher <hank at efes.iucc.ac.il>
>> To: Fouant, Stefan
>> Cc: nsp-security at puck.nether.net <nsp-security at puck.nether.net>
>> Sent: Thu Oct 01 11:29:16 2009
>> Subject: RE: [nsp-sec] Open DNS resolvers
>>
>> On Thu, 1 Oct 2009, Fouant, Stefan wrote:
>>
>> I need a GUI for a newbie to do it. This is not for me to do. So far
>> zilch.
>>
>> -Hank
>>
>>> Ok, so back at my computer now... looks like what Team Cymru has is the
>>> "Million Resolvers Project" which is basically a list of known open
>>> resolvers. You could probably take a look at that list to see if certain
>>> hosts are listed.
>>>
>>> Alternatively, you could run the following commands which should give you an
>>> indication as to whether or not a certain nameserver allows for recursion:
>>>
>>> /usr/bin/dig +recurs @yournameserver_ip www.facebook.com
>>>
>>> The above command would indicate whether the nameserver specified allows for
>>> recursive queries for www.facebook.com (assuming that nameserver is not
>>> authoritative for the facebook.com domain).
>>>
>>> Another thing you might want to look for is whether the name server allows
>>> for root referrals:
>>>
>>> /usr/bin/dig . NS @yournameserver_ip
>>>
>>> Generally, most Internet-facing authoritative DNS servers should not respond
>>> to recursive 3rd party queries for root.
>>>
>>> Also, you can look for an "RA" entry in the "Flags" section of the response
>>> which should give you some indication as to whether the resolver allows for
>>> recursion...
>>>
>>> HTHs.
>>>
>>> Stefan Fouant
>>> Neustar, Inc. / Principal Engineer
>>> 46000 Center Oak Plaza Sterling, VA 20166
>>> Office: +1.571.434.5656 | Mobile: +1.202.210.2075 | GPG ID: 0xB5E3803D
>>> | stefan.fouant at neustar.biz
>>>
>>>> -----Original Message-----
>>>> From: nsp-security-bounces at puck.nether.net [mailto:nsp-security-
>>>> bounces at puck.nether.net] On Behalf Of Fouant, Stefan
>>>> Sent: Thursday, October 01, 2009 9:35 AM
>>>> To: hank at efes.iucc.ac.il; nsp-security at puck.nether.net
>>>> Subject: Re: [nsp-sec] Open DNS resolvers
>>>>
>>>> ----------- nsp-security Confidential --------
>>>>
>>>> I'm not at my computer right now, but if I recall Team Cymru had some
>>>> widget which could test for Open Resolvers. I haven't had my coffee
>>>> this AM yet, so I could be way off base though...
>>>>
>>>> Stefan Fouant
>>>> Neustar, Inc. / Principal Engineer
>>>> 46000 Center Oak Plaza Sterling, VA 20166
>>>> Office: +1.571.434.5656 | Mobile: +1.202.210.2075 | GPG ID: 0xB5E3803D
>>>> | stefan.fouant at neustar.biz
>>>>
>>>> ----- Original Message -----
>>>> From: nsp-security-bounces at puck.nether.net <nsp-security-
>>>> bounces at puck.nether.net>
>>>> To: nsp-security at puck.nether.net <nsp-security at puck.nether.net>
>>>> Sent: Thu Oct 01 06:33:08 2009
>>>> Subject: [nsp-sec] Open DNS resolvers
>>>>
>>>> ----------- nsp-security Confidential --------
>>>>
>>>> Can someone point me at a web page that can test a few specific IPs for
>>>> whether they are open. Not:
>>>> http://dns.measurement-factory.com/cgi-bin/openresolvercheck.pl
>>>> which only checks what is in their cache from the last time they did
>>>> their check - but I am looking for a check now.
>>>>
>>>> Thanks,
>>>> Hank
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> nsp-security mailing list
>>>> nsp-security at puck.nether.net
>>>> https://puck.nether.net/mailman/listinfo/nsp-security
>>>>
>>>> Please do not Forward, CC, or BCC this E-mail outside of the nsp-
>>>> security
>>>> community. Confidentiality is essential for effective Internet security
>>>> counter-measures.
>>>> _______________________________________________
>>>>
>>>>
>>>
>>
>
>
--
Stephen Gill, Chief Scientist, Team Cymru
http://www.cymru.com | +1 630 230 5423 | gillsr at cymru.com
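The checks discussed in this thread (query the suspect server for a name it is not authoritative for, look at the "ra" flag and whether an answer came back, and use a name that cannot already be in its cache) can be scripted so the newbie only has to paste IPs. The script below is an added example and is not code from anyone on the thread or from Team Cymru. It assumes dig from the BIND utilities is installed and that PROBE_NAME is a hostname the tested server does not serve authoritatively; "probe.example.test" is a placeholder for your own low-TTL wildcard zone, not a real name. The dig transcripts embedded in it are constructed so the classifier can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes dig (BIND utilities) is installed
# and that PROBE_NAME is a name the tested server is NOT authoritative for. Per
# the thread's advice, point it at your own low-TTL wildcard zone so the name is
# never already cached; "probe.example.test" is a placeholder, not a real zone.
PROBE_NAME=${PROBE_NAME:-probe.example.test}

# classify_dig_output: read one dig response on stdin and print a verdict.
#   NOREPLY   nothing came back (filtered, down, or not a nameserver)
#   REFUSED   server answered REFUSED: recursion is closed to us
#   CLOSED    "ra" flag absent and no data: recursion not offered
#   CACHED    "ra" flag absent but data returned: cached or authoritative data,
#             not proof of open recursion; retest with an uncacheable name
#   OPEN      "ra" flag set and the name was resolved for us
#   RA-EMPTY  "ra" flag set but nothing resolved; retest with a name that exists
classify_dig_output() {
    out=$(cat)
    case "$out" in
        *"no servers could be reached"*) echo NOREPLY; return 0 ;;
    esac
    # Header line: ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711"
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    # Flags line: ";; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0"
    flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1)
    answers=$(printf '%s\n' "$out" | sed -n 's/.*ANSWER: \([0-9]*\),.*/\1/p' | head -n 1)
    answers=${answers:-0}
    if [ "$status" = REFUSED ]; then
        echo REFUSED; return 0
    fi
    case " $flags " in
        *" ra "*)
            if [ "$answers" -gt 0 ]; then echo OPEN; else echo RA-EMPTY; fi ;;
        *)
            if [ "$answers" -gt 0 ]; then echo CACHED; else echo CLOSED; fi ;;
    esac
}

# check_resolver SERVER [NAME]: run the live probe against one nameserver.
check_resolver() {
    dig +recurse +time=3 +tries=1 @"$1" "${2:-$PROBE_NAME}" A | classify_dig_output
}

# Constructed dig transcripts (not real captures) for exercising the classifier.
SAMPLE_OPEN=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:
probe.example.test.    60    IN    TXT    "open-resolver-probe"'
SAMPLE_CLOSED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4712
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0'
SAMPLE_REFUSED=';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4713
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0'
SAMPLE_NOREPLY=';; connection timed out; no servers could be reached'

if [ $# -gt 0 ]; then
    # Usage: sh check_open_resolver.sh 192.0.2.53 192.0.2.54 ...
    for server in "$@"; do
        printf '%s %s\n' "$server" "$(check_resolver "$server")"
    done
else
    # No servers given: show what each constructed transcript classifies as.
    printf 'sample OPEN    -> %s\n' "$(printf '%s\n' "$SAMPLE_OPEN" | classify_dig_output)"
    printf 'sample CLOSED  -> %s\n' "$(printf '%s\n' "$SAMPLE_CLOSED" | classify_dig_output)"
    printf 'sample REFUSED -> %s\n' "$(printf '%s\n' "$SAMPLE_REFUSED" | classify_dig_output)"
    printf 'sample NOREPLY -> %s\n' "$(printf '%s\n' "$SAMPLE_NOREPLY" | classify_dig_output)"
fi
```

Only OPEN is a positive finding; CACHED is exactly the false positive Steve's wildcard-zone advice avoids, since a fresh random label under your own zone can never be answered from cache without the server recursing on your behalf.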