Open Resolver Project

Open Resolvers pose a significant threat to the global network infrastructure by answering recursive queries for hosts outside of their domain. They are utilized in DNS Amplification attacks and pose a threat similar to that of the Smurf attacks commonly seen in the late 1990s.

We have collected a list of 32 million resolvers that respond to queries in some fashion. 28 million of these pose a significant threat (as of 27-OCT-2013).

Detailed History and Breakdown

Check my IP space

Search my IP space (eg: 192.0.2.0/24 - searches "larger" than /22 will be rejected):

ipv4-heatmap of 20130519 data heatmap archive


What can I do?

If you operate a DNS server, please check the settings.

Recursive servers should be restricted to your enterprise or customer IP ranges to prevent abuse. Directions on securing BIND and Microsoft nameservers can be found on the Team CYMRU Website. If you operate BIND, you can deploy the TCP-ANY patch.

Authoritative servers should not offer recursion, but can still be used in an attack. Configure your Authoritative DNS servers to use DNS RRL [Response Rate Limiting]. Knot DNS and NLNetLabs NSD include this as a standard option now. BIND requires a patch.

CPE DEVICES SHOULD NOT listen for DNS packets on the WAN interface, including NETWORK and BROADCAST addresses.
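
An added example, not part of the original page or the project's code: a minimal Python check for the settings described above, meant to be pointed at a DNS server you operate from an address outside its permitted ranges. The function names, the fixed query ID and the example.com query name are assumptions, and the sample replies are constructed.

```python
import socket
import struct

QID = 0x1234  # fixed query ID (assumption), fine for a one-off self-check

def build_query(name, qid=QID):
    """DNS A/IN query with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def classify_response(resp, qid=QID):
    """Classify the reply to an RD=1 query for a name outside the server's zones."""
    if len(resp) < 12:
        return "malformed"
    rid, flags, _qd, _an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != qid or not flags & 0x8000:      # wrong ID, or QR bit not set
        return "malformed"
    ra, rcode = bool(flags & 0x0080), flags & 0x000F
    if rcode == 5:                            # REFUSED: recursion denied
        return "closed"
    if ra and rcode in (0, 3):                # recursed to NOERROR or NXDOMAIN
        return "open"
    return "responds"                         # any other reply (referral, SERVFAIL, ...)

def check_server(ip, name="example.com", timeout=3.0):
    """Send one query to a server you operate, from outside its permitted ranges."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (ip, 53))
        try:
            resp, _ = s.recvfrom(4096)
        except socket.timeout:
            return "no-response"
    return classify_response(resp)

def sample_reply(flags, ancount):
    """Constructed reply: header with the given flags plus the echoed question."""
    header = struct.pack("!HHHHHH", QID, flags, 1, ancount, 0, 0)
    return header + build_query("example.com")[12:]

if __name__ == "__main__":
    for label, flags, an in (("recursing", 0x8180, 1), ("refusing", 0x8105, 0),
                             ("referral", 0x8100, 0)):
        print(label, "->", classify_response(sample_reply(flags, an)))
```

A result of "closed" or "no-response" from outside your ranges is what a restricted recursive server, or a CPE device that does not listen on its WAN interface, should give.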

Prevent spoofing on your network!

Configure Source Address Validation/uRPF/BCP-38 on all CPE and Datacenter equipment edges that have fixed IP ranges. This could be as simple as setting ip verify unicast source reachable-via rx on a router interface. Any statically routed customer should receive this setting by default.

If you are in the security community:

Please contact dns-scan /at/ puck.nether.net for access to raw data.

Additional Information

Information in Portuguese

We can provide you a List of Open Resolvers by ASN if you e-mail dns-scan /at/ puck.nether.net

Test your IP Now!

DNS DDoS and Security in the News
  • 04-APR-2013 Spamhaus DDoS was just a warning shot
  • 30-MAR-2013 How the Cyberattack on Spamhaus Unfolded
  • 28-MAR-2013 Is Your DNS Server part of a criminal conspiracy?
  • 20-MAR-2013 75Gb/s DDoS against Cloudflare

Presentations:
  • DNS-OARC May 2013 - slides
  • NANOG 58 June 2013 - Lightning Talk