[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Open Resolver Problems

On Mar 25, 2013, at 2:04 PM, Jay Ashworth <jra at baylink.com> wrote:

> ----- Original Message -----
>> From: "Jared Mauch" <jared at puck.nether.net>
>> Open resolvers pose a security threat.
> Could you clarify, here, Jared?
> Do "open DNS customer-resolver/recursive servers" *per se* cause a problem?
> Or is it merely "customer zone servers which are misconfigured to recurse",
> as has always been problematic?
> That is: is this just a reminder we never closed the old hole, or 
> notification of some new and much nastier hole?

There have been some moderate size attacks recently that I won't go into detail here about.  The IPs that are on the website are certainly being used/abused.  A recent attack saw a 90% match rate against the "master list" here.  This means your open resolver is likely being used.

Anything to raise the bar here will minimize the impact to those networks under attack.  Turn on RPF facing your colocation and high-speed server lans.  We all know hosts become compromised.  Help minimize the impact of these attacks by 

a) doing BCP-38
b) locking down your recursive servers to networks you control
c) locking down your authority servers to not provide the same answer 15x in a second to the same querying IP.  If it's asking that same question 15x, then it's not you that's broken, it's that client.  (Or it's being abused).

- Jared