> In message <20120822101333.7dafb564@localhost>, John Kristoff writes:
> > You can, but target_ip may just forward to another resolver, which
> > ultimately fetches the answer on its behalf. So target_ip itself may
> > not strictly be considered an open resolver, but an "open forwarder".
> > confuse any answer with a valid answer. For instance, the resolver may
> > be giving you a response based on a locally configured wild card record.
> From: Mark Andrews <[email protected]>
>
> It is an open resolver. It doesn't matter if it does the lookup
> directly or indirectly. It is honoring the "rd" bit and supplying
> recursive service.

There's more than one valid definition of "open resolver." A DNS server that honors the RD bit from strangers only some of the time, that "improves" some responses with locally configured records, is "helpful" about NXDOMAIN responses, keeps answering long after the TTL on the authoritative rrset allows, or is otherwise "translucent" might not be "open" to someone interested in legitimate DNS services and DNS truth. It might not compete with the resolvers on 8.8.8.8.

On the other hand, such a resolver is likely to be "open" enough for someone looking for help for a DoS reflection attack, or for a network operator wanting to avoid providing reflection attack services. It is conceivable that the resolvers on 8.8.8.8 rate limit so aggressively that they don't qualify as "open" for reflection attacks today.

I doubt that any DNS resolver can be open by the benign definition in the long run without being open by the evil definition, if only because of DNSSEC and the peak requests/second from a DNSSEC-aware browser (without local cache and all that implies). `dig +dnssec asfd789.com @8.8.8.8` amplifies by about 25X.

That is why, when talking to someone looking for or trying to run a benign open resolver, you need to advert to both definitions. Someone trying to close open resolvers may need both definitions to justify time spent to pointy haired bosses who use Google Public DNS and OpenDNS on their home computers.

It wasn't clear to me whether the original author was looking for benign competitors to Google and OpenDNS or checking his own network for evil open resolvers.

Vernon Schryver [email protected]
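The two "open" definitions argued over above (honoring the RD bit from strangers, and bytes out per byte in) can both be read straight off one reply. The following is an added example, not code from the thread or from any of its participants: it builds a recursive query with the EDNS0 DO bit set, the way `dig +dnssec` does, and classifies a raw reply from a resolver you operate. The sample replies are constructed inline so the classifier runs offline; the server address passed to `probe()` is assumed to be your own resolver.

```python
import socket
import struct


def build_query(name, qid=0x1234, qtype=1):
    """Recursive (RD=1) query with an EDNS0 OPT record carrying the DO bit."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)  # flags = RD only
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # qtype, class IN
    # OPT RR: root name, type 41, UDP payload 4096, TTL field holds DO=0x8000
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0x8000, 0)
    return header + question + opt


def classify(query, reply):
    """Pull out of a raw reply what an operator auditing a resolver cares about."""
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    return {
        "id_match": qid == struct.unpack("!H", query[:2])[0],
        "is_response": bool(flags & 0x8000),          # QR
        "recursion_available": bool(flags & 0x0080),  # RA
        "rcode": flags & 0x000F,  # 0 NOERROR, 3 NXDOMAIN, 5 REFUSED
        "answers": an,
        "amplification": len(reply) / len(query),     # bytes out per byte in
    }


def is_open(verdict):
    """Open in Mark Andrews's wire-level sense: it answered and honored RD."""
    return (verdict["is_response"] and verdict["recursion_available"]
            and verdict["rcode"] != 5)


def probe(server, name, timeout=3.0):
    """Send one query to a resolver you operate and classify the reply."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        reply, _ = sock.recvfrom(65535)
    return classify(query, reply)


# Constructed sample traffic (not a capture) so the classifier runs offline.
QUERY = build_query("example.com")
_QUESTION = QUERY[12:-11]  # question section; the OPT RR is the last 11 bytes
OPEN_REPLY = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + _QUESTION
              + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + b"\xc0\x00\x02\x01")
REFUSED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0) + _QUESTION
```

A resolver meant to serve only your own users should come back with RCODE 5 (REFUSED) and RA clear to an address outside that set; `amplification` on a real DNSSEC-signed name is the ratio the thread's dig command measures.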
