dns-oarc community day apricot

DNS-OARC DNS Community Day

The DNS-OARC folks organized a DNS Community Day at the APRICOT 2024/APNIC 57 conference on 26th February 2024.

About DNS-OARC

The DNS Operations, Analysis, and Research Center (DNS-OARC) brings together key operators, implementors, and researchers on a trusted platform so they can coordinate responses to attacks and other concerns, share information and learn together.

The recent DNS KeyTrap vulnerability disclosure and collaboration efforts by all stakeholders was the result of DNS-OARC community.

DNS Community Day

The DNS Community Day was an excellent opportunity to meet with fellow DNS folks from the Asia Pacific region.

Our CEO, Swapneel Patnekar attended the DNS Community Day and also presented “Open Resolvers and why do they still exist” and “Who is living off your domain name?”

DNS-OARC DNS Community day

We have been researching about Open Resolvers in India and have written about it in the past. Here is a sneak peek into the presentation.

Open Resolvers and why do they still exist?

Scope of Open Resolvers

  • Focus is on open resolvers excluding the ones operated by Quad resolver operators, threat intelligence company(honeypots) etc
  • DNS servers with recursion enabled accepting DNS queries from any IP address on the Internet

Open Resolvers in India

open resolvers
  • Shodan reveals 200,000+ open resolvers in India alone (as on 21st Feb 2024 3:03 pm UTC)
  • Count could be possibly higher considering large scale CGNAT deployment by network operators in the country

As much as we would wish that CGNAT would magically disappear, CGNAT saves India!

Why are these Open Resolvers a problem?

Case in point, between 15 January 2023, 15:01:17 and 10 April 2023, 01:28:31, a single instance of our honeypot received 135,972,316 DNS queries from Brazil for the domain higi.com.

To understand this problem at Internet scale, the good folks at dataplane.org, make available a dataset of IP addresses identified as sending recursive DNS queries.

What is a DNS amplification attack?

This DDoS attack is a reflection-based volumetric distributed denial-of-service (DDoS) attack in which an attacker leverages the functionality of open DNS resolvers in order to overwhelm a target server or network with an amplified amount of traffic, rendering the server and its surrounding infrastructure inaccessible. 1

Why do open resolvers still exist?

Broken CPE devices running busybox etc which are EOL, no firmware updates from the manufacturer.

Cases of misconfiguration –

  1. Authoritative name servers misconfiguration with recursion enabled to the Internet
  2. Enterprise recursive resolvers misconfiguration and exposed to the Internet accepting DNS queries from any IP address

It is also interesting to see historical trends in Open resolvers across different geographies.

Japan

The attack surface of Open resolvers in Japan has been diminishing over the years. It would be interesting to know, how much of this can be attributed to NICT (Japan’s sole national research and development agency) IoT scanning project.

Japan open resolver historical trend

India

Alarmingly, the total number of open resolvers in India seems to be growing. Interestingly, the total number of open resolvers dipped between 2020 and 2022.

India open resolver historical trend

Best practices

  • Allow access to the recursive resolver only to the authorized IP addresses/netblock.
  • Response rate limiting.
  • On an authoritative-only nameserver, disable recursion.
  • For network operators — implement BCP 38 (Network Ingress Filtering).
  • ICANN Knowledge-Sharing and Instantiating Norms for DNS and Naming Security(KINDNS)

ShadowServer Network Reports

If you are a network operator, consider signing-up for ShadowServer reports

The reports are free of cost and are not limited to port 53.

Checkopenresolver.in project

From a consumer perspective, our web tool CheckOpenResolver can be used to check if a router/CPE is an open resolver. The objective of the web tool is to make it easy for a user to check an open resolver in their home network.

Update – March, 13th 2024

Who is living off your domain name?

Our second presentation at the DNS Community Day was about detecting domain shadowing attacks from a domain registrant’s perspective.


Full details in the blog post below,

Update 15th August 2024: Our CEO, Swapneel Patnekar, recently presented about domain shadowing attacks and ShadowFindr at the APAC DNS Forum 2024,

Website | + posts