[nsp-sec] Open Resolvers Validation & Question - AS6830
Stijn Jonker
sjcjonker at sjc.nl
Wed Apr 3 02:51:12 EDT 2013
John,
On 3 Apr 2013, at 01:51, John Kristoff <jtk at cymru.com> wrote:
> On Tue, 2 Apr 2013 22:18:13 +0200
> Stijn Jonker <sjcjonker at sjc.nl> wrote:
>
>> So when querying from 192.0.2.1 the server for www.or.example.com it
>> will return the A record of 192.0.2.1
>
> Everything else looked pretty good, but it might be best to issue
> queries for each individual probe using a one-time unique hostname
> under or.example.com. That way you should avoid getting any cached
> answers. You can also encode things into the qname so that if you see
What I actually did was request 192.0.2.1.or.example.com, which was answered with a TTL of 1. Sorry for not mentioning this. So every query was unique.
>> This means that there is a customer owned & controlled device at
>> play. In an attempt to find what kind of device the standard set of
>> "hidden" queries for authors.bind, version.bind and server.id I
>> performed almost all returned the value of their upstream DNS server,
>> nothing of their own.
>
> Try specifying no recursion in your follow up queries, or perhaps
> better would to be to try using something like fpdns.
Hmm, will try; let's see if we can find a common device, platform, etc.
>
>> To make this long story short; is there anybody who sees results
>> like this?
>
> Yes, the open forwarder counts are likely going to be significant in
> many end user edge networks.
I'm afraid so..
--
Yours Sincerely,
Stijn Jonker - Security Manager
LGI / UPC - sjonker at lgi.com
SJCJonker at SJC.nl / +31 20 7789993
Primary AS 6830
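As an added illustration of the probe method discussed above (this is not code from the thread or from either poster), the following Python builds the per-probe unique qname, the A query with recursion desired or not, and validates a reply by checking that the returned A record echoes the address encoded in the qname. The zone or.example.com, the nonce label and the function names are assumptions; the code only constructs and parses wire-format messages and sends nothing.

```python
import ipaddress
import secrets
import struct

ZONE = "or.example.com"  # assumed test zone, as named in the thread

def probe_qname(probe_ip, zone=ZONE, nonce=""):
    # Embed the probing address plus a one-time nonce as labels, so every
    # query is unique and a cached answer cannot masquerade as a fresh one.
    nonce = nonce or secrets.token_hex(4)
    return f"{nonce}.{probe_ip}.{zone}"

def build_query(qname, qid, recursion_desired=True):
    # RD=1 is the open-resolver/forwarder probe; RD=0 is the follow-up
    # query suggested in the thread to see what the device serves itself.
    flags = 0x0100 if recursion_desired else 0x0000
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # A, IN

def skip_name(buf, off):
    # Advance past a domain name, handling a compression pointer (0xC0xx).
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length

def parse_response(resp, qid):
    """Return (rcode, recursion_available, [A record addresses])."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", resp[:12])
    if rid != qid:
        raise ValueError("transaction id mismatch")
    off = 12
    for _ in range(qd):
        off = skip_name(resp, off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = skip_name(resp, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(str(ipaddress.IPv4Address(resp[off:off + 4])))
        off += rdlen
    return flags & 0x000F, bool(flags & 0x0080), addrs

def answer_matches(qname, addrs):
    # The test zone answers with the IP encoded in the qname; a valid
    # open-resolver hit echoes the probe's own address and nothing else.
    encoded = qname.removesuffix("." + ZONE).split(".", 1)[1]
    return addrs == [encoded]
```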