<p>Notebook (Posts about ddos), feed <a href="/categories/ddos.atom">/categories/ddos.atom</a>, updated 2019-05-05T21:20:57Z, by Toni Müller, generated with Nikola</p>
<h1><a href="/posts/2014-06-28-dns-open-resolvers/">DNS: Open Resolvers, Revisited</a></h1>
<p>Toni Mueller, 2014-06-28</p>
<div><p>The list of ISPs and carriers that have forced broken DNS servers on
their customers is long; in doing so they manipulate their customers'
traffic, or outright censor what their customers can see. To counter
such manipulation, and also to make it harder to observe their
customers' behaviour, it has been a pet project for some, and for me at
some time, to run an open resolver: a DNS server that anyone on the
Internet may query for an arbitrary name. Unfortunately, attackers
found a way to abuse open resolvers as reflectors and amplifiers for
DDoS traffic <a class="footnote-reference" href="/posts/2014-06-28-dns-open-resolvers/#id3" id="id1">[0]</a>,
which makes it impractical to run one. So, while politically desirable,
running an open resolver is currently not feasible, and network
operators around the globe are working to shut them down.</p>
<!-- (aside: I am very interested to learn if and how Google might mitigate -->
<!-- such abuse of their public resolvers.) -->
<p>Now, these attacks all rely on the simple fact that, with UDP, you have
no assurance that the source address of a packet actually belongs to the
host that sent it: the resolver answers whoever the query claims to be
from. In my opinion, if you are willing to take the effort, there is one
obvious way to provide an open resolver that does <strong>not</strong>
have this flaw: for hosts not on your own network, provide DNS over TCP
only. A TCP client must complete the three-way handshake before its
query is read, so it has to receive packets at the address it claims,
which an attacker forging that address cannot. The price is an extra
round trip and connection state per query, and a forged SYN still draws
a SYN-ACK, but that is a reflection of about the same size as the SYN,
not an amplification.</p>
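<p>To make the difference between the two transports concrete, here is an added example (not code from the original post) that models the exchange with a resolver answering a constructed query. The query and answer are real DNS wire format built with <cite>struct</cite>; the queried name, the TXT payload and the victim address (an RFC 5737 range) are invented, and a real answer would additionally be shaped by the EDNS0 buffer size and truncation. Over UDP the full answer goes to the claimed source; over TCP only a SYN-ACK does, because the query is read only on an established connection.</p>

```python
"""Why an open resolver reflects over UDP but not over TCP.

Added example, not code from the original post. It models the exchange the
post describes with a constructed query and answer; the victim address
(RFC 5737) and the TXT payload are invented, and a real answer would also
be shaped by the EDNS0 buffer size and truncation.
"""
import struct
from dataclasses import dataclass, field

SYN_SIZE = 40  # IPv4 + TCP headers without options: the attacker's cost per SYN


def encode_name(name: str) -> bytes:
    """RFC 1035 wire form: length-prefixed labels ending with the root label."""
    labels = [label for label in name.strip(".").split(".") if label]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def build_query(name: str, qtype: int = 255, txid: int = 0x1234) -> bytes:
    """Minimal query: 12-byte header with RD set, one question (255 = ANY)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_answer(query: bytes, txt_records: list) -> bytes:
    """Constructed answer: same txid, question echoed, one TXT RR per string."""
    question = query[12:]
    owner = question[:-4]  # the name without qtype and qclass
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, len(txt_records), 0, 0)
    rrs = b""
    for txt in txt_records:
        rdata = bytes([len(txt)]) + txt.encode("ascii")  # one <character-string>
        rrs += owner + struct.pack("!HHIH", 16, 1, 3600, len(rdata)) + rdata
    return header + question + rrs


@dataclass
class Resolver:
    """Sees only the source address a packet claims; records what it sends where."""
    answers: dict
    sent: list = field(default_factory=list)  # (destination, bytes on the wire)

    def on_udp(self, claimed_src: str, payload: bytes) -> None:
        # No handshake: the whole answer goes to whatever address was claimed.
        self.sent.append((claimed_src, len(self.answers[payload])))

    def on_tcp_syn(self, claimed_src: str) -> None:
        # Only a SYN-ACK, the same size as the SYN, goes to the claimed address.
        self.sent.append((claimed_src, SYN_SIZE))

    def on_tcp_query(self, src: str, payload: bytes, handshake_done: bool) -> None:
        # The query is read only on an established connection, i.e. after the
        # client has proven it receives packets at its claimed address.
        if handshake_done:
            self.sent.append((src, 2 + len(self.answers[payload])))  # 2-byte length prefix


def bytes_to(resolver: Resolver, dst: str) -> int:
    return sum(size for where, size in resolver.sent if where == dst)


def udp_reflection(resolver: Resolver, victim: str, query: bytes) -> float:
    """Spoof the victim as source; return bytes delivered to it per byte sent."""
    resolver.on_udp(victim, query)
    return bytes_to(resolver, victim) / len(query)


def tcp_reflection(resolver: Resolver, victim: str, query: bytes) -> float:
    """Same trick over TCP: the SYN-ACK reaches the victim, never the attacker,
    so the handshake cannot complete and the query is never answered."""
    resolver.on_tcp_syn(victim)
    resolver.on_tcp_query(victim, query, handshake_done=False)
    return bytes_to(resolver, victim) / SYN_SIZE


def run_demo() -> tuple:
    """Amplification factor seen by the victim over UDP and over TCP."""
    query = build_query("example.com")             # 29 bytes on the wire
    answer = build_answer(query, ["x" * 200] * 4)  # 925 bytes, constructed
    victim = "203.0.113.7"
    udp = udp_reflection(Resolver({query: answer}), victim, query)
    tcp = tcp_reflection(Resolver({query: answer}), victim, query)
    return udp, tcp


if __name__ == "__main__":
    udp_factor, tcp_factor = run_demo()
    print(f"UDP: {udp_factor:.1f}x to the victim, TCP: {tcp_factor:.1f}x")
```

<p>With the constructed 29-byte query and 925-byte answer the victim receives about 32 bytes per byte the attacker sends over UDP, and exactly one per byte over TCP; the ratio is what makes the resolver worth abusing, and the handshake is what removes it.</p>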
<p>I hope that someone will hack this feature into unbound <a class="footnote-reference" href="/posts/2014-06-28-dns-open-resolvers/#id4" id="id2">[1]</a>, so
people can easily deploy open resolvers in a reasonably safe way,
without disrupting the Internet. Currently, <cite>unbound</cite>'s <cite>do-udp</cite>
setting switches UDP off for incoming and outgoing queries at once, so
turning it off would push every upstream query onto TCP and put
excessive load on the upstream name servers.</p>
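<p>Until the resolver itself can make that distinction, the same rule can be enforced in the host packet filter in front of it. The following added example is not part of the original post and not an unbound feature: a small policy function that decides per source address and protocol whether an incoming port-53 packet is accepted, and an nftables ruleset with the same effect. The local prefixes are invented RFC 5737 ranges and the ruleset is assumed to be loaded with <cite>nft -f</cite> on a Linux host; unbound keeps listening on both protocols and keeps talking UDP upstream, since replies from upstream servers arrive on an ephemeral destination port and never match these rules.</p>

```python
"""TCP for everyone, UDP only for your own networks.

Added example, not part of the original post and not an unbound feature:
the post's rule enforced in the host packet filter in front of the resolver,
so that unbound keeps answering and querying over UDP as usual. The local
prefixes are invented RFC 5737 ranges; the nftables ruleset is assumed to be
loaded with nft -f on a Linux host.
"""
import ipaddress

# Networks whose clients may use UDP (constructed values).
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]


def decide(src_ip: str, proto: str, local_nets=LOCAL_NETS) -> str:
    """'accept' or 'drop' for an incoming packet to port 53.

    Only inbound queries are judged here; replies from upstream name servers
    arrive on an ephemeral destination port and never hit these rules, so the
    resolver's own upstream traffic stays on UDP.
    """
    proto = proto.lower()
    if proto == "tcp":
        return "accept"  # the handshake proves the client owns its address
    if proto == "udp":
        addr = ipaddress.ip_address(src_ip)
        return "accept" if any(addr in net for net in local_nets) else "drop"
    raise ValueError(f"unsupported protocol {proto!r}")


def render_nft(local_nets=LOCAL_NETS) -> str:
    """nftables ruleset with the same effect as decide(); IPv4 only (an
    ip6_addr set plus an 'ip6 saddr' rule would cover IPv6 the same way).

    UDP from outside is dropped, not rejected: an ICMP port-unreachable sent
    to a spoofed source would itself be a small reflection.
    """
    elements = ", ".join(str(n) for n in local_nets if n.version == 4)
    return (
        "table inet dns_policy {\n"
        "    set local_nets {\n"
        "        type ipv4_addr\n"
        "        flags interval\n"
        f"        elements = {{ {elements} }}\n"
        "    }\n"
        "    chain input {\n"
        "        type filter hook input priority 0; policy accept;\n"
        "        tcp dport 53 accept\n"
        "        ip saddr @local_nets udp dport 53 accept\n"
        "        udp dport 53 drop\n"
        "    }\n"
        "}\n"
    )


if __name__ == "__main__":
    for src, proto in (("192.0.2.10", "udp"), ("203.0.113.7", "udp"), ("203.0.113.7", "tcp")):
        print(f"{src:>14} {proto}: {decide(src, proto)}")
    print(render_nft())
```

<p>On the unbound side nothing special is needed beyond the usual open-resolver settings (<cite>interface: 0.0.0.0</cite> and <cite>access-control: 0.0.0.0/0 allow</cite>), with <cite>do-udp</cite> and <cite>do-tcp</cite> left at their defaults. Outside clients can then only reach the resolver over TCP, local clients keep UDP, and a forged UDP query from outside is silently dropped rather than answered or rejected.</p>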
<p>Thank you for reading!</p>
<table class="docutils footnote" frame="void" id="id3" rules="none">
<colgroup><col class="label"><col></colgroup>
<tbody valign="top">
<tr><td class="label"><a class="fn-backref" href="/posts/2014-06-28-dns-open-resolvers/#id1">[0]</a></td><td>See e.g. <a class="reference external" href="http://openresolverproject.org/">http://openresolverproject.org/</a></td></tr>
</tbody>
</table>
<table class="docutils footnote" frame="void" id="id4" rules="none">
<colgroup><col class="label"><col></colgroup>
<tbody valign="top">
<tr><td class="label"><a class="fn-backref" href="/posts/2014-06-28-dns-open-resolvers/#id2">[1]</a></td><td><a class="reference external" href="https://www.unbound.net">https://www.unbound.net</a></td></tr>
</tbody>
</table></div>