The Shadowserver Foundation publishes and regularly updates a scan report listing open resolvers on the Internet. An open resolver answers recursive DNS queries from anyone on the Internet. Open resolvers are bad for the Internet primarily because they act as the amplifiers in a DNS amplification attack.
A Domain Name System (DNS) amplification attack is a popular form of Distributed Denial of Service (DDoS) in which attackers use publicly accessible open DNS servers to flood a target with DNS response traffic. The primary technique consists of an attacker sending a DNS name lookup request to an open DNS server with the source address spoofed to be the target's address. When the DNS server sends the DNS record response, it goes to the target instead of the attacker, and because a response is typically much larger than the request, the open server multiplies the traffic the attacker has to send.
At the time of writing, from an India perspective, there are 33,384 open resolvers. The number was 72,736 a couple of weeks ago.
Of that total, at that time:

| ASN | AS name | Open resolvers |
|---|---|---|
| AS9829 | BSNL-NIB National Internet Backbone | 77,736 |
So, what's going on here? Most likely it is a broken configuration in the CPE (Customer Premises Equipment) used on AS9829, which allows DNS requests on the WAN IP address and performs recursion for them.
Most of the cheap CPE devices installed along with the connection run dnsmasq, and their firmware never sees an update.
Interestingly, when I compare this with my own measurements, the number of IP addresses responding on port 53 in my results is much higher: 260,886. However, I haven't filtered the responses for IP addresses that actually perform recursion; the results may include IP addresses configured as authoritative name servers, which is perfectly valid.
If, for some reason, you are running a DNS resolver on the Internet, I strongly suggest that you restrict access by IP address/network.
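The recursion filter missing from the scan above, and the check to run against your own resolver from outside after restricting it, both come down to one standard query and the RA bit in the reply. The following is an added example, not code from the original post or from Shadowserver; the server IP given to `probe()` and the sample replies in the comments are assumptions/constructed.

```python
"""Classify one DNS responder by the RA (recursion available) bit in its reply.
Constructed example, not code from the original post or from Shadowserver;
the server IP passed to probe() is an assumption (use a resolver you own)."""
import socket
import struct
from typing import Optional

FLAG_QR, FLAG_RD, FLAG_RA = 0x8000, 0x0100, 0x0080  # RFC 1035 header bits
RCODE_REFUSED = 5

def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Standard A/IN query for `name` with RD set; no EDNS, so it stays small."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lb)]) + lb.encode() for lb in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_header(reply: bytes) -> dict:
    """Header fields that matter for an open-resolver check."""
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "ra": bool(flags & FLAG_RA),
            "rcode": flags & 0x000F, "ancount": ancount}

def classify(reply: Optional[bytes]) -> str:
    """What the reply (or a timeout) says about the server's recursion policy."""
    if reply is None:
        return "no-response"
    h = parse_header(reply)
    if h["rcode"] == RCODE_REFUSED:
        return "refused"             # access control is doing its job
    if h["ra"]:
        return "open-recursive"      # recurses for anyone who asks
    return "authoritative-or-other"  # e.g. answers only for its own zones

def amplification_factor(query: bytes, reply: bytes) -> float:
    """Bytes returned per byte sent: the multiplier a reflector gives spoofed traffic."""
    return len(reply) / len(query)

def probe(server_ip: str, name: str = "example.com", timeout: float = 2.0) -> str:
    """Send one UDP query to server_ip:53 and classify the reply."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server_ip, 53))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            reply = None
    return classify(reply)
```

After restricting access, a `probe()` from an address outside the allowed networks should return "refused" or "no-response"; "open-recursive" means the change did not take effect.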
"If you are running a DNS resolver, please restrict access to your own clients. Leaving it open for anyone on the Internet to use is just aiding attackers." https://t.co/tt5cBr3CHj — ISC (@ISCdotORG), May 7, 2020
A better approach is perhaps to bind the DNS resolver software to an RFC 1918 private IP address and set up WireGuard/OpenVPN. With this approach the resolver is never exposed to the Internet, while devices can still send DNS queries to it through the WireGuard/OpenVPN tunnel.