D&C GLug - Home Page


Re: [LUG] Open DNS Resolvers

 

The default search comes up with loads of IP addresses but, if I use /32, it doesn't come up with any. Does this mean I am running open resolvers? If so, how do I get rid of them? Should I get paranoid again?


On 15 May 2013 16:42, Martijn Grooten <sweetwatergeek@xxxxxxxxx> wrote:
On Wed, May 15, 2013 at 4:26 PM, Gordon Henderson wrote:
> So use that site to check your own IP address

Do keep in mind that by default the site searches the /22 that your IP
address belongs to. Which means that you get some information about
open resolvers on your network, which in most cases isn't very useful.
Add /32 to the IP address to make it search only you.

Running an open resolver means the machine can be used in a DNS
amplification (aka DNS reflection aka Smurf) attack: the attacker
sends a small request, from a forged address, that gives a known large
response. The response will be sent to the forged address. If the
attacker makes enough such requests, this becomes a DDoS attack on
said forged address.

It's been a big problem for quite some time.

Martijn.

--
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq
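
A header-level check for the question asked in this thread (does one specific address of yours answer recursive queries for anyone?), added here as an example and not part of the original messages. The function names, the sample replies and the default query name are assumptions made up for the illustration.

```python
import os
import socket
import struct

def build_query(name: str, qid: int) -> bytes:
    """Build an A-record query with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def classify(reply: bytes, qid: int) -> str:
    """Classify a DNS reply using only its 12-byte header."""
    if len(reply) < 12:
        return "malformed"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    if rid != qid or not flags & 0x8000:   # wrong ID, or QR bit clear (not a reply)
        return "malformed"
    rcode = flags & 0x000F
    if rcode == 5:                         # REFUSED: recursion denied to this client
        return "refused"
    if not flags & 0x0080:                 # RA clear: server offers no recursion
        return "no-recursion"
    if rcode == 0 and ancount > 0:         # recursed and returned an answer
        return "open"
    return "inconclusive"

def probe(ip: str, name: str = "example.com", timeout: float = 3.0) -> str:
    """Send one recursive query to a host you administer and classify the reply."""
    qid = int.from_bytes(os.urandom(2), "big")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name, qid), (ip, 53))
            reply, _ = s.recvfrom(4096)
        except OSError:                    # timeout or ICMP error: nothing listening
            return "no-answer"
    return classify(reply, qid)

# Constructed reply headers (ID 0x1234), not captured traffic.
SAMPLES = {
    "open": bytes.fromhex("123481800001000100000000"),
    "refused": bytes.fromhex("123481050001000000000000"),
    "no-recursion": bytes.fromhex("123481000001000000020000"),
}

if __name__ == "__main__":
    for expected, raw in SAMPLES.items():
        print(expected, "->", classify(raw, 0x1234))
```

Run `probe()` against your own public address from a machine outside your network: a resolver that answers clients on its own LAN is normal, and only "open" seen from outside means recursion needs restricting to your own address ranges.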
