![\"Open](\"https:\/\/shreshtait.com\/blog\/wp-content\/uploads\/2023\/04\/Open-resolvers-India.png\")
<\/figure>\n\n\n\nWhat security risks do open resolvers pose?<\/strong><\/h4>\n\n\n\nAn open resolver can be abused by threat actors to initiate a Denial of Service(DoS) attack. Simply put, running an open resolver is a bad security practice.<\/p>\n\n\n\n
Case in point<\/strong> – DNS amplification attack or a Denial of Service attack using an open resolver <\/strong>?<\/h4>\n\n\n\nA Domain Name Server (DNS) amplification attack is a popular form of distributed denial of service (DDoS) that relies on the use of publically accessible open DNS servers to overwhelm a victim system with DNS response traffic.1<\/a><\/sup><\/p>\n\n\n\nBetween Jan 15, 15:01:17 and Apr 10, 01:28:31, a single instance of our honeypot, received 135972316 DNS queries from Brazil for the domain higi[.]com<\/p>\n\n\n\n![\"Open](\"https:\/\/shreshtait.com\/blog\/wp-content\/uploads\/2023\/04\/as-count.png\")
<\/figure>\n\n\n\n![\"DNS](\"https:\/\/shreshtait.com\/blog\/wp-content\/uploads\/2023\/04\/country-code.png\")
<\/figure>\n\n\n\nAccording to https[:]\/\/www[.]higi.com, <\/p>\n\n\n\n
\nHigi is a consumer health engagement company that combines physical access via a network of digital Smart Health Stations with complementary web and mobile tools that enable a consumer\u2019s health engagement, making it easier for them to understand and act on their health and healthcare needs.<\/em><\/p>\n<\/blockquote>\n\n\n\nObjective of the attack<\/h4>\n\n\n\n
On primary evidence, it is most likely that the objective of the attack is to send a large influx of DNS query traffic to the authoritative name servers of higi[.]com. When writing the DNS A record of higi[.]com had a TTL value of 600 seconds.<\/p>\n\n\n\n
A global coffee chain serving an open resolver \u2615<\/h4>\n\n\n\n
It’s not just CPE boxes with broken firmware\/configuration which have the problem of open resolvers, Shreshta<\/a> threat analysts have detected enterprise DNS resolvers, resolvers part of network operators and even a global coffee chain running an open resolver!<\/p>\n\n\n\nBest practices <\/h4>\n\n\n\n
As a recursive resolver operator, below are some of the best practices that you should follow<\/p>\n\n\n\n
\n- Allow access to the recursive resolver only to authorised IP addresses\/netblock<\/li>\n\n\n\n
- Response rate limiting<\/li>\n\n\n\n
- On an authoritative only name server, disable recursion<\/li>\n\n\n\n
- For network operators – Implement BCP38<\/a> (Network Ingress Filtering)<\/li>\n<\/ul>\n\n\n\n
We also urge recursive resolver & authoritative name server operators to explore KINDNS<\/a> – Stands for Knowledge-Sharing and Instantiating Norms for DNS and Naming Security. It’s a program supported by ICANN to develop and promote a framework that focuses on the most important operational best practices or concrete instances of DNS security best practices.<\/p>\n\n\n\nWe have contacted higi[.]com as well as the DNS administrators of the global coffee chain to share our findings. <\/p>\n\n\n\n
As seen in this post, it’s important to follow best practices to eliminate the risks of running an open resolver. <\/p>\n\n\n\n
Recommended reading<\/h2>\n\n\n\n
A Domain Name Server (DNS) amplification attack is a popular form of distributed denial of service (DDoS) that relies on the use of publically accessible open DNS servers to overwhelm a victim system with DNS response traffic.1<\/a><\/sup><\/p>\n\n\n\n Between Jan 15, 15:01:17 and Apr 10, 01:28:31, a single instance of our honeypot, received 135972316 DNS queries from Brazil for the domain higi[.]com<\/p>\n\n\n\n According to https[:]\/\/www[.]higi.com, <\/p>\n\n\n\n Higi is a consumer health engagement company that combines physical access via a network of digital Smart Health Stations with complementary web and mobile tools that enable a consumer\u2019s health engagement, making it easier for them to understand and act on their health and healthcare needs.<\/em><\/p>\n<\/blockquote>\n\n\n\n On primary evidence, it is most likely that the objective of the attack is to send a large influx of DNS query traffic to the authoritative name servers of higi[.]com. When writing the DNS A record of higi[.]com had a TTL value of 600 seconds.<\/p>\n\n\n\n It’s not just CPE boxes with broken firmware\/configuration which have the problem of open resolvers, Shreshta<\/a> threat analysts have detected enterprise DNS resolvers, resolvers part of network operators and even a global coffee chain running an open resolver!<\/p>\n\n\n\n As a recursive resolver operator, below are some of the best practices that you should follow<\/p>\n\n\n\n We also urge recursive resolver & authoritative name server operators to explore KINDNS<\/a> – Stands for Knowledge-Sharing and Instantiating Norms for DNS and Naming Security. It’s a program supported by ICANN to develop and promote a framework that focuses on the most important operational best practices or concrete instances of DNS security best practices.<\/p>\n\n\n\n We have contacted higi[.]com as well as the DNS administrators of the global coffee chain to share our findings. <\/p>\n\n\n\n As seen in this post, it’s important to follow best practices to eliminate the risks of running an open resolver. <\/p>\n\n\n\n<\/figure>\n\n\n\n<\/figure>\n\n\n\n\n
Objective of the attack<\/h4>\n\n\n\n
A global coffee chain serving an open resolver \u2615<\/h4>\n\n\n\n
Best practices <\/h4>\n\n\n\n
\n
Recommended reading<\/h2>\n\n\n\n