[nsp-sec] Open Resolvers Validation & Question - AS6830
John Kristoff
jtk at cymru.com
Tue Apr 2 19:51:30 EDT 2013
On Tue, 2 Apr 2013 22:18:13 +0200
Stijn Jonker <sjcjonker at sjc.nl> wrote:
> So when querying from 192.0.2.1 the server for www.or.example.com it
> will return the A record of 192.0.2.1
Everything else looked pretty good, but it might be best to issue
queries for each individual probe using a one-time unique hostname
under or.example.com. That way you should avoid getting any cached
answers. You can also encode things into the qname so that if you see
the qname appear later, you might be able to decode when it was
originally sent. I see this often. For instance, I encode a timestamp,
and occasionally what would be a one-time query ends up at the auth server
periodically, appearing hours, days and weeks later. I once asked someone
about one of these and in that one case it turned out they had some
sort of monitoring system that would re-query all the queries they
received. I'm not sure what the point of that was for a single query
that occurred days ago, but I've seen behavior even more strange than
that.
> This means that there is a customer owned & controlled device at
> play. In an attempt to find what kind of device the standard set of
> "hidden" queries for authors.bind, version.bind and server.id I
> performed almost all returned the value of their upstream DNS server,
> nothing of their own.
Try specifying no recursion in your follow-up queries, or perhaps
better would be to try using something like fpdns.
> To make this long story short; is there anybody who sees results
> like this?
Yes, the open forwarder counts are likely going to be significant in
many end user edge networks.
John
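The per-probe unique qname with an embedded timestamp that John describes above, worked as an added example (this is not code from the thread or from any of its participants). It assumes a measurement zone called or.example.com that you serve authoritatively, a hypothetical label layout of `<base32(epoch||nonce)>.<probe-ip-with-dashes>.<zone>`, and a BIND-style query log line format; the log line and timestamps below are constructed sample data, not real observations.

```python
"""Unique, self-describing probe qnames for open-resolver measurement (added example)."""
import base64
import os
import re
import struct
from datetime import datetime, timezone

# Hypothetical measurement zone from the thread; substitute a zone you serve authoritatively.
PROBE_ZONE = "or.example.com"


def encode_probe_qname(probe_ip, when, nonce=None, zone=PROBE_ZONE):
    """Build '<tag>.<ip-with-dashes>.<zone>' where tag = base32(epoch || 4-byte nonce).

    The fresh nonce makes every query unique, so no resolver can answer it from
    cache and each probe must reach the authoritative server.  The epoch lets the
    auth-side log reveal when the query was originally sent, however late it shows up.
    """
    nonce = os.urandom(4) if nonce is None else nonce
    if len(nonce) != 4:
        raise ValueError("nonce must be exactly 4 bytes")
    blob = struct.pack(">I", int(when)) + nonce
    # base32 keeps the label inside the hostname alphabet; DNS is case-insensitive.
    tag = base64.b32encode(blob).decode("ascii").rstrip("=").lower()
    return f"{tag}.{probe_ip.replace('.', '-')}.{zone}"


def decode_probe_qname(qname, zone=PROBE_ZONE):
    """Recover send time, nonce and probed IP from a qname seen at the auth server."""
    name = qname.rstrip(".").lower()          # logs may carry a trailing dot / mixed case
    suffix = "." + zone.lower()
    if not name.endswith(suffix):
        raise ValueError(f"{qname!r} is not under {zone}")
    labels = name[: -len(suffix)].split(".")
    if len(labels) != 2:
        raise ValueError(f"unexpected label layout in {qname!r}")
    tag, ip_label = labels
    padded = tag.upper() + "=" * (-len(tag) % 8)   # restore stripped base32 padding
    blob = base64.b32decode(padded)
    sent_at = struct.unpack(">I", blob[:4])[0]
    return {"sent_at": sent_at, "nonce": blob[4:].hex(),
            "probe_ip": ip_label.replace("-", ".")}


# Assumed BIND-style query log layout: "<date> <time> client <ip>#<port>: query: <qname> IN A"
LOG_RE = re.compile(r"^(\S+ \S+) client (\S+)#\d+: query: (\S+) IN A")


def query_age_seconds(log_line):
    """How long after it was sent did this probe qname reach the auth server?"""
    m = LOG_RE.match(log_line)
    if not m:
        raise ValueError("log line does not match the assumed query-log format")
    observed = datetime.strptime(m.group(1), "%d-%b-%Y %H:%M:%S.%f").replace(tzinfo=timezone.utc)
    info = decode_probe_qname(m.group(3))
    info["source"] = m.group(2)
    info["age_seconds"] = observed.timestamp() - info["sent_at"]
    return info


# Constructed sample data: a probe sent at the quoted mail's time, replayed ~2.6 days later.
SENT_AT = 1364933893  # 2013-04-02 20:18:13 UTC
SAMPLE_QNAME = encode_probe_qname("192.0.2.1", SENT_AT, nonce=b"\x00\x01\x02\x03")
SAMPLE_LOG_LINE = (f"05-Apr-2013 11:02:17.481 client 203.0.113.9#53412: "
                   f"query: {SAMPLE_QNAME} IN A")

if __name__ == "__main__":
    late = query_age_seconds(SAMPLE_LOG_LINE)
    print(f"{late['source']} re-sent probe for {late['probe_ip']} "
          f"{late['age_seconds'] / 86400:.1f} days after it was issued")
```

Any late re-query of a one-time name (the monitoring-system replay John mentions) is immediately distinguishable from a fresh probe by its age, and the nonce lets you tell a replay from a new probe sent at the same second.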