[nsp-sec] Open Resolvers Validation & Question - AS6830
Stijn Jonker
sjcjonker at sjc.nl
Tue Apr 2 16:18:13 EDT 2013
All,
In an effort to address some of the "openresolvers" (no matter what one thinks about the press around the Cyberbunker/Spamhaus saga) some scripting and testing has been performed at LGI/UPC and I was wondering if others see the same.
First of all the setup is like:
Create a delegated zone in a domain under our control (example.com only used below):
or.example.com is delegated towards an instance running powerdns with the pipebackend.
This pipebackend will resolve any entry below the or.example.com to query source IP.
So when querying from 192.0.2.1 the server for www.or.example.com it will return the A record of 192.0.2.1
In the script the logic has been broken down like:
- If there is no answer, report noanswer
- If the answer equals the queried IP it's an OpenResolver
- If the answer does not equal the queried IP it's an OpenForwarder
- If the answer is empty, but there is an authority section it's an OpenReferrer
  - Sub item: if the # of referrers == 13 then OpenReferrer, otherwise OpenSubReferrer
In this version of the script pushing the entire AS6830 list through we see:
Input records: 46374
Output records: 41033
Results:
noanswer: 146
openforwarder: 39344
openreferrer: 664
openresolver: 812
opensubreferrer: 75
The result was different than expected; the 39k openforwarders was unexpected. Checking the query source, most (~36k) used the DNS servers we as cable provider assign to our clients. (The others are OpenDNS, Google and the like.)
Sampling the modems deployed out of those 36k I manually checked ~50 of those; out of those 50 only 1 was a device which has a layer 3 function and could potentially perform a DNS relay/cache/server function. All the others are layer 2, bridging cable modems.
This means that there is a customer owned & controlled device at play. In an attempt to find out what kind of device it is, I performed the standard set of "hidden" queries for authors.bind, version.bind and server.id; almost all returned the value of their upstream DNS server, nothing of their own.
Due to the setup of our company I need to re-push the new results to our countries which do the abuse handling and customer contact to see if we can find a common type of device, OS or other setup at the customer premises.
To make this long story short: is there anybody who sees results like this?
Thanks,
Stijn
LGI / UPC / AS6830
P.S. Jared took the liberty to CC you directly as well as the data source, hope you don't mind.
--
Yours Sincerely,
Stijn Jonker - Security Manager
LGI / UPC - sjonker at lgi.com
SJCJonker at SJC.nl / +31 20 7789993
Primary AS 6830
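The two pieces the post describes (a pipebackend that answers every name under the delegated zone with the address the query arrived from, and the decision list that turns a probe reply into noanswer / openresolver / openforwarder / openreferrer / opensubreferrer) written out in Python as an added example; this is not the LGI/UPC script nor PowerDNS project code. It assumes the PowerDNS pipebackend ABI version 1 line format (Q, qname, qclass, qtype, id, remote-ip, tab separated; DATA lines back), the zone name or.example.com from the post, and constructed sample replies for the classifier; the treatment of an empty reply without an authority section as "noanswer" is an assumption the post does not spell out.

```python
"""Open-resolver probe helpers: PowerDNS pipebackend responder + reply classifier.

Added example, not the script from the post.  Assumptions: pipebackend ABI v1
(HELO/Q in, OK/DATA/END out), zone or.example.com, TTL 0 so no reply is cached,
and that a referral to the root carries exactly 13 NS records.
"""
import ipaddress
import sys
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

ZONE = "or.example.com"   # delegated zone (from the post)
TTL = 0                   # never cache: every probe must reach the authoritative side
ROOT_NS_COUNT = 13        # a referral to the root zone lists all 13 root name servers


def handle_pipe_line(line: str) -> list:
    """Answer one pipebackend ABI v1 line.

    Query:  Q<TAB>qname<TAB>qclass<TAB>qtype<TAB>id<TAB>remote-ip
    Reply:  DATA<TAB>qname<TAB>qclass<TAB>qtype<TAB>ttl<TAB>id<TAB>content, then END
    Any A query for a name below ZONE is answered with remote-ip, i.e. the
    address the authoritative server saw the query come from.  If the probed
    host recursed itself that is the probed host; if it forwarded, it is the
    forwarder's upstream resolver.
    """
    fields = line.rstrip("\n").split("\t")
    if fields[0] == "HELO":
        return ["OK\topen-resolver probe backend (example)"]
    if fields[0] != "Q" or len(fields) < 6:
        return ["FAIL"]
    qname, qclass, qtype, qid, remote = fields[1:6]
    name = qname.lower().rstrip(".")
    if qclass == "IN" and qtype in ("A", "ANY") and name.endswith("." + ZONE):
        try:
            ipaddress.IPv4Address(remote)
        except ValueError:
            return ["END"]            # IPv6 source: nothing to put in an A record
        return [f"DATA\t{qname}\t{qclass}\tA\t{TTL}\t{qid}\t{remote}", "END"]
    return ["END"]                    # outside the zone or not an A query: empty


@dataclass
class DnsReply:
    """Minimal view of a probe reply; use None for a timeout (no packet at all)."""
    answers: list = field(default_factory=list)    # A rdata strings
    authority: list = field(default_factory=list)  # NS rdata strings


def classify(probed_ip: str, reply: Optional[DnsReply]) -> str:
    """Apply the decision list from the post to one probe result."""
    if reply is None:
        return "noanswer"
    if reply.answers:
        if probed_ip in reply.answers:
            return "openresolver"     # the probed host fetched the answer itself
        return "openforwarder"        # someone else (e.g. the ISP resolver) fetched it
    if reply.authority:
        if len(reply.authority) == ROOT_NS_COUNT:
            return "openreferrer"     # handed us the root hints
        return "opensubreferrer"      # referral to some other set of servers
    return "noanswer"                 # assumption: empty reply, no authority


def summarize(results: list) -> dict:
    """Count classifications over (probed_ip, reply) pairs, like the post's Results block."""
    return dict(Counter(classify(ip, reply) for ip, reply in results))


# Constructed sample: what five probed customer addresses might return.
SAMPLE = [
    ("192.0.2.1", DnsReply(answers=["192.0.2.1"])),                 # recursed itself
    ("192.0.2.2", DnsReply(answers=["198.51.100.53"])),             # forwarded to ISP resolver
    ("192.0.2.3", DnsReply(authority=[f"{c}.root-servers.net." for c in "abcdefghijklm"])),
    ("192.0.2.4", DnsReply(authority=["ns1.example.", "ns2.example."])),
    ("192.0.2.5", None),                                            # timed out
]

if __name__ == "__main__":
    # Run as the pipebackend: PowerDNS talks the protocol over stdin/stdout.
    for raw in sys.stdin:
        for out in handle_pipe_line(raw):
            sys.stdout.write(out + "\n")
        sys.stdout.flush()
```

Under `pdns.conf` this would be wired in with `launch=pipe` and `pipe-command=` pointing at the script; the scanner side then sends each target a query for any name under or.example.com and feeds the reply into `classify` with the target's address.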