How do I check for Open Resolvers?

This article applies to your 123-reg Server

This article explains what Open Resolvers are, how to detect one on your server and how to fix it.

What are Open Resolvers?

An open DNS resolver is essentially a DNS server that answers recursive queries from anyone on the internet, not just its own clients. Because it will look up and return answers for any requester, a third party can use it to direct DNS traffic at a target of their choosing.

Why are Open Resolvers not allowed on our network?

Open Resolvers are commonly used in DNS Amplification attacks, a form of DDoS (Distributed Denial of Service) attack. These kinds of attacks have been used to take down major corporations and as such, we do not allow them on our network.

123-reg Servers will not have DNS Recursion by default, so if we see that it is enabled on your server, you will be notified by ticket, advising you of the situation. If necessary, further action will be taken to ensure that DNS Recursion is disabled. 

How do I find an Open Resolver?

Open Resolvers are fairly easy to spot. The easiest way is to use the following links. They allow you to enter your IP or net range and will provide you with a list of open resolvers. However, these lists are not always up to date, so it is still a good idea to check yourself by running the following command against your server's IP:

dig yahoo.com @ip.ip.ip.ip

This will give an output that looks like this: 

dig yahoo.com @ip.ip.ip.ip

; <<>> DiG 9.3.1 <<>> yahoo.com @ip.ip.ip.ip
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18814
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 4

;; QUESTION SECTION:
;yahoo.com. IN A

;; AUTHORITY SECTION:
. 3600 IN NS j.root-servers.net.
. 3600 IN NS k.root-servers.net.
. 3600 IN NS l.root-servers.net.
. 3600 IN NS m.root-servers.net.
. 3600 IN NS a.root-servers.net.
. 3600 IN NS b.root-servers.net.
. 3600 IN NS c.root-servers.net.
. 3600 IN NS d.root-servers.net.
. 3600 IN NS e.root-servers.net.
. 3600 IN NS f.root-servers.net.
. 3600 IN NS g.root-servers.net.
. 3600 IN NS h.root-servers.net.
. 3600 IN NS i.root-servers.net.

;; ADDITIONAL SECTION:
j.root-servers.net. 3600 IN A 192.58.128.30
k.root-servers.net. 3600 IN A 193.0.14.129
l.root-servers.net. 3600 IN A 199.7.83.42
m.root-servers.net. 3600 IN A 202.12.27.33

;; Query time: 7 msec
;; SERVER: ip.ip.ip.ip#53(ip.ip.ip.ip)
;; WHEN: Thu Jan 30 15:58:07 2014
;; MSG SIZE rcvd: 506

The output above does not indicate that recursion is allowed. The flags to look at are "rd" and "ra": "rd" means recursion desired and is set by the client on its query, while "ra" means recursion available and is set by the server when it is willing to recurse for that client. A reply can carry "rd" without the server being an Open Resolver, but if it also shows "ra" then the server is recursing for you and is an Open Resolver. Run the check from a machine outside your server's own network, since a server that only allows recursion locally will still show "ra" when queried from itself. See below for an example:

dig yahoo.com @ip.ip.ip.ip

; <<>> DiG 9.3.1 <<>> yahoo.com @ip.ip.ip.ip
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17211
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;yahoo.com. IN A

;; ANSWER SECTION:
yahoo.com. 1800 IN A 98.138.253.109
yahoo.com. 1800 IN A 98.139.183.24
yahoo.com. 1800 IN A 206.190.36.45

;; Query time: 37 msec
;; SERVER: ip.ip.ip.ip#53(ip.ip.ip.ip)
;; WHEN: Thu Jan 30 15:58:20 2014
;; MSG SIZE rcvd: 75

This time we do not get a referral to the root servers but the actual A records for yahoo.com, and looking at the flags again there is a difference:

;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

The "ra" flag identifies this server as an Open Resolver.
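As an added example (not part of the original 123-reg article), the following Python script performs the same check without dig: it sends one query with the RD bit set to the server's port 53 and reads the RA bit back from the reply header, rendering the flags line the way dig does. The two sample headers are constructed from the article's own outputs, and the server IP is a placeholder command-line argument.

```python
import socket
import struct

def build_query(name, qid=0x1234):
    """Build a DNS A/IN query with the RD (recursion desired) bit set, as dig does."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # 0x0100 = RD
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_header(resp):
    """Decode the 12-byte DNS header into the fields dig prints on its 'flags:' line."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    return {"id": qid, "qr": bool(flags & 0x8000), "rd": bool(flags & 0x0100),
            "ra": bool(flags & 0x0080), "rcode": flags & 0x000F,
            "question": qd, "answer": an, "authority": ns, "additional": ar}

def flags_line(hdr):
    """Render the header the way dig's ';; flags:' line does."""
    names = " ".join(n for n in ("qr", "rd", "ra") if hdr[n])
    return "flags: %s; QUERY: %d, ANSWER: %d, AUTHORITY: %d, ADDITIONAL: %d" % (
        names, hdr["question"], hdr["answer"], hdr["authority"], hdr["additional"])

def is_open_resolver(hdr):
    """The article's rule: the server set RA (recursion available), so it recurses for us."""
    return hdr["ra"]

def probe(server_ip, name="yahoo.com", timeout=3.0):
    """Send one UDP query to server_ip:53 from this host and report what came back."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name), (server_ip, 53))
        data, _ = sock.recvfrom(4096)
    finally:
        sock.close()
    hdr = parse_header(data)
    verdict = "OPEN RESOLVER" if is_open_resolver(hdr) else "recursion not available"
    return verdict, flags_line(hdr)

# Constructed 12-byte headers matching the two replies shown in the article.
REFERRAL_HDR = struct.pack("!HHHHHH", 18814, 0x8100, 1, 0, 13, 4)  # flags: qr rd
OPEN_HDR = struct.pack("!HHHHHH", 17211, 0x8180, 1, 3, 0, 0)       # flags: qr rd ra

if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1]))  # e.g. python3 check_resolver.py ip.ip.ip.ip
```

Run it from a host outside your server's network so that a "local only" recursion policy is not mistaken for an open one.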


How to fix an Open Resolver

The method for resolving an Open Resolver is based upon the type of server you use.

From the Server Tab or Tools and Settings select DNS Template Settings under General Settings. Go to the DNS Recursion tab and select Deny/Allow Locally. 



How to check if the issue is fixed

The command you should use to check for DNS recursion:

dig yahoo.com @ip.ip.ip.ip

The fixed output should look like this:

dig yahoo.com @ip.ip.ip.ip

; <<>> DiG 9.3.1 <<>> yahoo.com @ip.ip.ip.ip
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18814
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 4

;; QUESTION SECTION:
;yahoo.com. IN A

;; AUTHORITY SECTION:
. 3600 IN NS j.root-servers.net.
. 3600 IN NS k.root-servers.net.
. 3600 IN NS l.root-servers.net.
. 3600 IN NS m.root-servers.net.
. 3600 IN NS a.root-servers.net.
. 3600 IN NS b.root-servers.net.
. 3600 IN NS c.root-servers.net.
. 3600 IN NS d.root-servers.net.
. 3600 IN NS e.root-servers.net.
. 3600 IN NS f.root-servers.net.
. 3600 IN NS g.root-servers.net.
. 3600 IN NS h.root-servers.net.
. 3600 IN NS i.root-servers.net.

;; ADDITIONAL SECTION:
j.root-servers.net. 3600 IN A 192.58.128.30
k.root-servers.net. 3600 IN A 193.0.14.129
l.root-servers.net. 3600 IN A 199.7.83.42
m.root-servers.net. 3600 IN A 202.12.27.33

;; Query time: 7 msec
;; SERVER: ip.ip.ip.ip#53(ip.ip.ip.ip)
;; WHEN: Thu Jan 30 15:58:07 2014
;; MSG SIZE rcvd: 506

The flags above show only "rd". If the flags line still contains "ra", as in the line below, recursion is still allowed and the server remains an Open Resolver:

;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
