
What is an Open DNS Resolver?

At the most basic level, a DNS resolver is just a machine that is willing to take a domain name (example.com) and translate it to an IP address (123.234.243.231). This functionality is provided by a few different pieces of software, the most common of which are BIND (Linux), dnsmasq (Linux), and the Windows DNS Manager.

There are two ways that DNS servers attempt to resolve incoming queries:

  • Authoritatively - The server is the authoritative DNS server for the domain, and knows locally that example.com = 123.234.243.231. When the request comes in, it returns this response with no additional steps.
  • Recursively - The server does not know locally that example.com = 123.234.243.231, but knows that the nameserver 8.8.8.8 will know where to look. So when the request comes in, it in turn sends a request to 8.8.8.8, which tells it that ns.example.com is the authoritative nameserver. It then asks ns.example.com where example.com is, and forwards the response back to the original requester.

Neither of these is by nature bad or incorrect, but they should not be mixed, and should never be used in the same scenarios. This brings us to the definition of an Open DNS Resolver:


An Open DNS Resolver is any DNS resolver that is publicly accessible, and willing to resolve recursive queries for anyone on the internet.


Why is an Open DNS resolver a bad thing?

While this sounds like the good Samaritan thing to do, DNS is one of a few protocols that can turn a very small query into a large response (both in size and in the computing power required). Because of this, running an open resolver leaves your server available to be used in DNS amplification attacks.


What is a DNS Amplification Attack?

As mentioned above, DNS is capable of turning small requests into large responses. The two favorite types of queries for this are ANY queries and TXT queries.

An ANY query tells the DNS resolver "I want every record that you have available for example.com." This means that this small query:

dig ANY example.com

can retrieve a response this large:

example.com.           10234   IN     A       123.234.243.231
example.com.           86400   IN     NS     ns.example.com.
example.com.           86400   IN     NS     ns.example.com.
example.com.           32     IN     TXT     "v=msv1 t=123456789abcdef123456789abcdef1"
example.com.           32     IN     TXT     " v=spf1 mx include:aspmx.googlemail.com -all"
example.com.           10243   IN     AAAA   1234:5678:9abc:def1:2345:6789:abcd:ef12

However, many authoritative DNS servers will flag incoming ANY queries, and attackers of course do not want to alert their middleman. Many attackers will therefore use TXT queries instead, against malicious zones that they have generated themselves.

Most of you will have dealt with TXT queries in the past: they are often used for DKIM and SPF email verification, and several vendors use them to prove domain ownership. TXT records can hold up to 255 characters, and you can have multiple TXT records per domain. This means that with a zone set up correctly by the attacker, they can turn this small request:

dig TXT example.com

into this huge response:

example.com.           32     IN     TXT     "test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test"
example.com.           32     IN     TXT     "test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test"
example.com.           32     IN     TXT     "test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test"
example.com.           32     IN     TXT     "test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test"
example.com.           32     IN     TXT     "test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test test"

Now this is great, you say, but won't they just be hurting themselves? The problem is that many ISPs do not implement BCP38, and therefore do not prevent their customers from spoofing source IPs. Once spoofed sources are introduced, this suddenly becomes very dangerous, as the attacker can force the response to go somewhere other than the requester. This is particularly insidious, as it makes it extremely difficult to track a malicious query back to the original sender.

I'm sure that I have scared you sufficiently, but now imagine hundreds of servers from a botnet sending hundreds of these spoofed requests per second, all apparently from the same source IP. This is a particularly insidious type of DNS amplification attack known as a DNS reflection attack.


How can I check if I have an Open DNS Resolver?

The Open Resolver Project provides an excellent open resolver test directly from their website: OpenResolverProject.org. This test will send several queries to your IP space and tell you whether each server recursed for the response, and who the final responder was. For a simple yes/no check, you can use openresolver.com.
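The following is an added example, not code from the original article or from the Open Resolver Project. It uses only the Python standard library to show two things the sections above describe: how a test like the one at OpenResolverProject.org decides that a server recursed on its behalf (the response carries the RA bit, NOERROR, and an answer, but not AA), and how a query of 29 bytes can draw a TXT response of over 1,300 bytes from a zone padded with 255-character records. The packet builders, the sample records and the `probe` helper are all constructed here; `probe` sends a live UDP query and is meant to be pointed at a resolver you administer.

```python
import socket
import struct

# Added example (not from the original article): a minimal DNS wire-format
# toolkit, standard library only, used to show (a) how an open-resolver check
# decides that a server recursed for it and (b) how large a TXT response is
# compared with the 29-byte query that triggers it.

QTYPE_A, QTYPE_TXT, QTYPE_ANY = 1, 16, 255
QCLASS_IN = 1
RCODE_NOERROR, RCODE_REFUSED = 0, 5

# Header flag bits (RFC 1035, section 4.1.1)
FLAG_QR, FLAG_AA, FLAG_RD, FLAG_RA = 0x8000, 0x0400, 0x0100, 0x0080


def encode_name(qname):
    """Encode 'example.com' as length-prefixed labels ending in a zero byte."""
    labels = qname.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname, qtype, txid=0x1234, rd=True):
    """Build a query packet; RD=1 is what asks the server to recurse."""
    flags = FLAG_RD if rd else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, QCLASS_IN)


def txt_rdata(strings):
    """TXT rdata is a sequence of <length><bytes> strings, each at most 255 bytes."""
    out = b""
    for s in strings:
        raw = s.encode("ascii")
        if len(raw) > 255:
            raise ValueError("TXT character-string longer than 255 bytes")
        out += bytes([len(raw)]) + raw
    return out


def build_response(query, answers, ra=True, aa=False, rcode=RCODE_NOERROR):
    """Constructed response to `query`; answers is a list of (qtype, ttl, rdata)."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = FLAG_QR | FLAG_RD | (FLAG_AA if aa else 0) | (FLAG_RA if ra else 0) | (rcode & 0xF)
    header = struct.pack("!HHHHHH", txid, flags, 1, len(answers), 0, 0)
    rrs = b""
    for qtype, ttl, rdata in answers:
        # 0xC00C is a compression pointer back to the name in the question section
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", qtype, QCLASS_IN, ttl, len(rdata)) + rdata
    return header + query[12:] + rrs


def parse_header(packet):
    """Decode the 12-byte header into the fields an open-resolver check needs."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {
        "id": txid,
        "qr": bool(flags & FLAG_QR),
        "aa": bool(flags & FLAG_AA),
        "ra": bool(flags & FLAG_RA),
        "rcode": flags & 0xF,
        "ancount": an,
    }


def looks_open(response):
    """True when the server recursed for a zone it is not authoritative for:
    RA set, NOERROR, at least one answer, AA clear. An authoritative-only
    server answers its own zones with AA set and refuses everything else."""
    h = parse_header(response)
    return h["qr"] and h["ra"] and not h["aa"] and h["rcode"] == RCODE_NOERROR and h["ancount"] > 0


def amplification_factor(query, response):
    """Bytes returned per byte sent, the figure that makes reflection attractive."""
    return len(response) / len(query)


def probe(ip, qname="example.com", timeout=2.0):
    """Live check of a resolver you administer, over UDP/53 (hypothetical helper).
    Returns (is_open, amplification_factor)."""
    query = build_query(qname, QTYPE_A)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (ip, 53))
        data, _ = sock.recvfrom(4096)
    return looks_open(data), amplification_factor(query, data)


if __name__ == "__main__":
    # Offline demonstration on constructed packets.
    q = build_query("example.com", QTYPE_TXT)
    # Five TXT records of 255 characters each, like the padded zone shown above.
    zone = [(QTYPE_TXT, 32, txt_rdata(["test " * 51]))] * 5
    big = build_response(q, zone)
    print("query bytes:", len(q), "response bytes:", len(big))
    print("amplification: %.1fx" % amplification_factor(q, big))
    refused = build_response(q, [], ra=False, rcode=RCODE_REFUSED)
    print("open:", looks_open(big), "closed:", looks_open(refused))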

 

I have an Open DNS Resolver, how do I fix it?

Linux

Closing An Open DNS Resolver (Linux)

 

Windows

Preventing DNS Amplification Attacks via the Windows Firewall

Disable Recursion on the Windows DNS Server

  • Great post, Russell! 

    In February of 2014, I had the opportunity to chat with Trey from CloudFlare about the massive DDoS attack they helped to deflect. We covered a lot of useful information, and this is a good watch if you're interested in how DDoSes work, and how to prevent them.