33,384 open DNS resolvers in India

The Shadowserver Foundation releases and updates a scan report containing results for open resolvers on the Internet. Open resolvers basically respond to any a DNS queries from anyone on the Internet. Open resolvers are bad for the Internet primarily because they are a catalyst in a DNS amplification attack.

A Domain Name Server (DNS) Amplification attack is a popular form of Distributed Denial of Service (DDoS), in which attackers use publicly accessible open DNS servers to flood a target system with DNS response traffic. The primary technique consists of an attacker sending a DNS name lookup request to an open DNS server with the source address spoofed to be the target’s address. When the DNS server sends the DNS record response, it is sent instead to the target.

Source

At the time of writing this, from an India perspective, there are 33,384 open resolvers. The number was 72,736 a couple of weeks ago.

Of the quantum, at that time,

ASNAS NameCount
AS9829BSNL-NIB National Internet Backbone77,736

So, what’s going on here ? Most likely, it’s a broken configuration in the CPE(Customer Premise Equipment) of AS9829 which is allowing DNS requests on the WAN IP address and performing recursion.

Most of the cheap CPE devices that get installed along with the connection run dnsmasq and the firmware never sees an update.

Interestingly, when I compare this with my own measurements, the number of IP addresses responding to port 53 in my results is much higher – 260,886. Though, I haven’t filtered the responses for IP addresses which are performing recursion. There could be IP addresses in the results which are configured as authoritative name servers and that’s perfectly valid.

For some reason, if you are running a DNS resolver on the Internet, strongly suggest that you restrict access by IP address/network.

A better approach is perhaps to configure the DNS resolver software on a RFC1918 private IP address & configure wireguard/openvpn. Using this approach, the resolver is never exposed to the Internet while at the same time, devices can send DNS queries via the wireguard/openvpn tunnel.

Educational & Research Institutions in India having their own ASN

A few months ago, Pranesh had asked if there are any universities in India that have their own ASN.

I think the answer warrants a few more details.

AS132785Shiv Nadar University
AS137282KIIT University
AS133552B.M.S College Of Engineering
AS38872Indian School of Business
AS137617Indian Institute Of Management, Ahmedabad
AS136304Institute Of Physics, Bhubaneswar
AS138231Indian Institute Of Information Technology, Allahabad
AS137956Indian Institute of Technology, Ropar
AS134901Indian Institute Of Science Education And Research
AS132749Indraprastha Institute of Information Technology, Delhi
AS2697ERNET (Education and Research Network) India (Also peers with AS55824 – NKN Core Network)

ASN’s part of NKN(National Knowledge Network) Core Network (AS55824)

AS59163GLA University
AS138155Jawaharlal Nehru University
AS55566Inter University Centre for Astronomy and Astrophysics
AS134023Aligarh Muslim University
AS132995South Asian University
AS58758Tata Institute of Fundamental Research (Also has AS4755 as IPv4 peer)
AS134934Institute For Stem Cell Biology And Regenerative Medicine (Also has AS45820 AS IPv4 peer)
AS134322Tata Institute of Fundamental Research (Also has AS9498 as IPv4 peer)
AS132524Tata Institute of Fundamental Research (Also has AS18101 as IPv4 peer)
AS23770Tata Institute of Fundamental Research (Also has AS45820 as IPv6 peer)
AS137136Indian Agricultural Statistics Research Institute
AS136005Raman Research Institute
AS135730Datta Meghe Institute Of Medical Sciences
AS133723Institute for Plasma Research
AS133313Saha Institute of Nuclear Physics
AS133273Tata Institute of Social Sciences
AS133002Indian Institute of Tropical Meteorology
AS132780Indian Institute of Technology, Delhi
AS131226Indian Institute Of Technology, Roorkee

While the data on NKN’s website mentions about 1622 connected institutions, apart from the list above, the majority of them do not have an ASN.

I will visit this post every few months and update the data.

RIPE Atlas software probe – Host one in your network

tl;dr This post outlines information on the RIPE Atlas software probe. Also, have a look at Shodan geodns and geoping for running measurements from vantage points.

RIPE Atlas is a global network of devices, called probes and anchors, that actively measure Internet connectivity. RIPE Atlas users can also perform customised measurements to gain valuable data about their networks. 

At the time of writing, 12,000+ probes were connected. The total number of probes connected may be higher, as probes go offline due to Internet disconnections and power issues, especially in underdeveloped/developing countries.

All this while, the RIPE Atlas probes have been hardware devices.

That changed sometime in February 2020, when the RIPE NCC released a software version of the RIPE Atlas probe. This is super useful (apart from the fact that the hardware probe costs money to manufacture and ship and most importantly Indian customs 😢 ) as you can run the software probe on RaspberryPi along with many other supported operating systems(CentOS7, CentOS8, Debian 9, Debian 10 and Docker). 

For more information about installing the software probe and registration, please click the following link.

Here is a video that was recorded by RIPE NCC as part of a webinar that I did for them.

If anyone needs any help in installing/registering the probe, feel free to ping 🙂 

Shodan geoping and geodns -Quickly check ping and DNS resolution across multiple locations