How do I check for Open Resolvers?

This article applies to your 123 Reg Server

This article will show you what Open Resolvers are and how you can fix them.

What are Open Resolvers?

An open DNS resolver is a DNS server that answers recursive queries from any source on the Internet. Because it will look up any name for anyone, such requests can be used to direct DNS traffic at a target of the requester's choosing.

Why are Open Resolvers not allowed on our network?

Open Resolvers are commonly abused in DNS amplification attacks, a form of DDoS (Distributed Denial of Service) attack. Attacks of this kind have been used to take down major corporations, so we do not allow open resolvers on our network.

123 Reg Servers will not have DNS Recursion by default, so if we see that it is enabled on your server, you will be notified by ticket, advising you of the situation. If necessary, further action will be taken to ensure that DNS Recursion is disabled.

How do I find an Open Resolver?

Open Resolvers are fairly easy to spot. The easiest way is to use the following links, which allow you to enter your IP or net range and return a list of open resolvers. However, these lists are not always up to date, so it is still a good idea to check by running the following command against your server's IP:

```sh
dig yahoo.com @ip.ip.ip.ip
```

This will give an output that looks like this:

```text
dig yahoo.com @ip.ip.ip.ip

; <<>> DiG 9.3.1 <<>> yahoo.com @ip.ip.ip.ip
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18814
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 4

;; QUESTION SECTION:
;yahoo.com. IN A

;; AUTHORITY SECTION:
. 3600 IN NS j.root-servers.net.
. 3600 IN NS k.root-servers.net.
. 3600 IN NS l.root-servers.net.
. 3600 IN NS m.root-servers.net.
. 3600 IN NS a.root-servers.net.
. 3600 IN NS b.root-servers.net.
. 3600 IN NS c.root-servers.net.
. 3600 IN NS d.root-servers.net.
. 3600 IN NS e.root-servers.net.
. 3600 IN NS f.root-servers.net.
. 3600 IN NS g.root-servers.net.
. 3600 IN NS h.root-servers.net.
. 3600 IN NS i.root-servers.net.

;; ADDITIONAL SECTION:
j.root-servers.net. 3600 IN A 192.58.128.30
k.root-servers.net. 3600 IN A 193.0.14.129
l.root-servers.net. 3600 IN A 199.7.83.42
m.root-servers.net. 3600 IN A 202.12.27.33

;; Query time: 7 msec
;; SERVER: ip.ip.ip.ip#53(ip.ip.ip.ip)
;; WHEN: Thu Jan 30 15:58:07 2014
;; MSG SIZE rcvd: 506
```

The above output does not show the server allowing recursion: the flags line contains only "rd" (recursion desired, set by the client) and not "ra" (recursion available, i.e. recursion allowed by the server). A reply can carry "rd" without the server being an Open Resolver, because "rd" only echoes what the client asked for. However, if the reply also shows "ra", the server is answering recursive queries for anyone and is therefore an Open Resolver. See below for an example:

```text
dig yahoo.com @ip.ip.ip.ip

; <<>> DiG 9.3.1 <<>> yahoo.com @ip.ip.ip.ip
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17211
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;yahoo.com. IN A

;; ANSWER SECTION:
yahoo.com. 1800 IN A 98.138.253.109
yahoo.com. 1800 IN A 98.139.183.24
yahoo.com. 1800 IN A 206.190.36.45

;; Query time: 37 msec
;; SERVER: ip.ip.ip.ip#53(ip.ip.ip.ip)
;; WHEN: Thu Jan 30 15:58:20 2014
;; MSG SIZE rcvd: 75
```

This time we do not get the root servers but the correct A records for the name, and looking at the flags again there is a difference:

```text
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
```

The ra would identify that this server is indeed an Open Resolver.
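The flag check described above can be automated. The following POSIX shell script is an added example (not from the 123 Reg article): `classify_dig_output` parses the `;; flags:` line of a dig reply and reports `open` when `ra` is present, and `check_resolver` wraps `dig` (with its real `+time`/`+tries` options) to query one server. The two sample replies embedded in it are constructed from the outputs shown above so the parser can be exercised offline.

```shell
#!/bin/sh
# Classifies a dig reply as "open" (recursion available) or "closed" from
# its flags line, the same check the article does by eye.
# Reads dig output on stdin; prints open, closed or no-answer.
# Returns 0 only when a flags line was found in the reply.
classify_dig_output() {
    # Keep only the flag words, e.g. "qr rd ra" (sed ends the pipeline, so
    # an empty input still yields status 0 here).
    flags=$(grep '^;; flags:' | sed -e 's/^;; flags: *//' -e 's/;.*//')
    if [ -z "$flags" ]; then
        echo "no-answer"   # timeout, port closed, or not a DNS server at all
        return 1
    fi
    # Whole-word match on "ra" so that "rd" or "aa" are never mistaken for it.
    case " $flags " in
        *" ra "*) echo "open" ;;
        *)        echo "closed" ;;
    esac
    return 0
}

# Queries one server with dig (3 s timeout, single try) and classifies it.
# Usage: check_resolver <ip> [name]   (name defaults to yahoo.com, as in the article)
check_resolver() {
    dig +time=3 +tries=1 "${2:-yahoo.com}" @"$1" 2>/dev/null | classify_dig_output
}

# Constructed, abridged sample replies (hypothetical, not live captures).
CLOSED_SAMPLE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18814
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 4'
OPEN_SAMPLE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17211
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0'

# Run the parser on both samples, then on a server IP if one was given.
printf '%s\n' "$CLOSED_SAMPLE" | classify_dig_output   # closed
printf '%s\n' "$OPEN_SAMPLE"   | classify_dig_output   # open
if [ $# -ge 1 ]; then
    check_resolver "$1"
fi
```

Run it as `sh check_resolver.sh ip.ip.ip.ip` against your own server; `open` means recursion is still enabled and the fix below is required.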
How to fix an Open Resolver

The method for resolving an Open Resolver is based upon the type of server you use.

Plesk Control Panel

From the Server Tab or Tools and Settings, select DNS Template Settings under General Settings. Go to the DNS Recursion tab and select Deny/Allow Locally.

Plesk Command Line (Windows)

```bat
cd %plesk_cli%
server_dns.exe --update-server -recursion localhost
```

Windows DNS

From Remote Desktop, click on the Start button and select Administrative Tools. Then select DNS, right click on the Server, select Properties, and then select Advanced. Here, ensure that Disable recursion (also disables forwards) is ticked, then click Apply.

Windows CMD

```bat
dnscmd localhost /Config /NoRecursion 1
net stop dns
net start dns
```

Linux

Edit the file /etc/named.conf and set the following options in the options { ... } section to secure your DNS service:

```
version "unknown";
allow-transfer { none; };
allow-recursion { none; };
allow-query-cache { none; };  // for BIND 9.4+
recursion no;
additional-from-cache no;
```

Once these modifications are complete, you must restart the DNS Service.

How to check if the issue is fixed

The command you should use to check for DNS recursion is:

```sh
dig yahoo.com @ip.ip.ip.ip
```

The fixed output should look like this:

```text
dig yahoo.com @ip.ip.ip.ip

; <<>> DiG 9.3.1 <<>> yahoo.com @ip.ip.ip.ip
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18814
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 4

;; QUESTION SECTION:
;yahoo.com. IN A

;; AUTHORITY SECTION:
. 3600 IN NS j.root-servers.net.
. 3600 IN NS k.root-servers.net.
. 3600 IN NS l.root-servers.net.
. 3600 IN NS m.root-servers.net.
. 3600 IN NS a.root-servers.net.
. 3600 IN NS b.root-servers.net.
. 3600 IN NS c.root-servers.net.
. 3600 IN NS d.root-servers.net.
. 3600 IN NS e.root-servers.net.
. 3600 IN NS f.root-servers.net.
. 3600 IN NS g.root-servers.net.
. 3600 IN NS h.root-servers.net.
. 3600 IN NS i.root-servers.net.

;; ADDITIONAL SECTION:
j.root-servers.net. 3600 IN A 192.58.128.30
k.root-servers.net. 3600 IN A 193.0.14.129
l.root-servers.net. 3600 IN A 199.7.83.42
m.root-servers.net. 3600 IN A 202.12.27.33

;; Query time: 7 msec
;; SERVER: ip.ip.ip.ip#53(ip.ip.ip.ip)
;; WHEN: Thu Jan 30 15:58:07 2014
;; MSG SIZE rcvd: 506
```

The flags above show only rd. If the flags line instead still contains ra, as below, recursion is still allowed and the issue is not fixed:

```text
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
```