On Mar 31, 2013, at 5:09 PM, Jimmy Hess <mysidia@gmail.com> wrote:
On 3/29/13, Scott Noel-Hemming <frogstarr78@gmail.com> wrote:
Some of us have both publicly-facing authoritative DNS, and inward-facing recursive servers that may be open resolvers but can't be found via NS entries (so the IP addresses of those aren't exactly publicly available info). Sounds like you're making the faulty assumption that an attacker would use normal means to find your servers.
A distributed scan of the entire IPv4 space for all internet IPs running open DNS servers is fairly doable; actually a long-term scan taking 100 to 200 days of continuous DNS scanning is completely trivial.
I updated the openresolverproject.org data in less than 8 hours. The system would scan 1.0.0.0, 1.0.0.1, … in sequence. Next time it runs, it's going to use a slightly different method which may expose a few more servers.

The 2013-Mar-31 data showed:

2,471,484 servers returned refused. (369k change downward)
20,675,738 with correct answer in packet.

If I extrapolate 369k/week closing, everything will be closed in about a year. (Compared to 2.1 mil refused the week before; compared to 21.4 Million with correct answer in packet the week before.)

I know many people are working on their respective hosts and/or network to close things down. Many thanks to everyone that is treating this as a critical issue to close these hosts.

- jared
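The two buckets Jared reports ("returned refused" versus "correct answer in packet") are decided by the RCODE and ANCOUNT fields of the DNS response header. The following is an added example, not code from the thread or from openresolverproject.org, that builds a recursion-desired query for your own resolver and classifies the reply the same way, so an operator can confirm from outside their network that a recursive server refuses rather than answers. The packets in `demo()` are constructed inline; `probe_resolver` is the live check and is only an assumption about how one would run it against a single host of your own.

```python
import socket
import struct

# Minimal DNS A query with the RD (recursion desired) bit set. Constructed helper.
def build_query(name: str, txid: int = 0x1234) -> bytes:
    flags = 0x0100  # QR=0, RD=1: ask the server to recurse on our behalf
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = [l.encode() for l in name.strip(".").split(".")]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def classify_response(resp: bytes) -> str:
    """Map a raw DNS response to the open-resolver categories.

    'refused'   -> RCODE 5: the server declined to recurse (the desired state)
    'answer'    -> RCODE 0 with at least one answer record: an open resolver
    'no-answer' -> any other outcome (SERVFAIL, NXDOMAIN, empty reply, ...)
    'truncated' -> fewer than 12 bytes, so no header to read
    """
    if len(resp) < 12:
        return "truncated"
    _txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    rcode = flags & 0x000F
    if rcode == 5:
        return "refused"
    if rcode == 0 and ancount > 0:
        return "answer"
    return "no-answer"


def recursion_available(resp: bytes) -> bool:
    """RA bit from the header: the server advertises that it will recurse."""
    if len(resp) < 12:
        return False
    flags = struct.unpack("!H", resp[2:4])[0]
    return bool((flags >> 7) & 1)


# Live check against a resolver you operate (assumed usage, not run in the demo).
def probe_resolver(ip: str, name: str = "example.com", timeout: float = 2.0) -> str:
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (ip, 53))
        try:
            resp, _ = s.recvfrom(4096)
        except socket.timeout:
            return "no-answer"
    return classify_response(resp)


def demo() -> dict:
    """Classify three constructed responses to the same query."""
    question = build_query("example.com")[12:]  # reuse the question section
    # QR=1, RD=1, RA=0, RCODE=5: a properly closed resolver refusing recursion
    refused = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0) + question
    # QR=1, RD=1, RA=1, RCODE=0, ANCOUNT=1: an open resolver returning an A record
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([93, 184, 216, 34])
    answered = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + question + rr
    # QR=1, RD=1, RA=1, RCODE=2: SERVFAIL, neither refused nor a usable answer
    servfail = struct.pack("!HHHHHH", 0x1234, 0x8182, 1, 0, 0, 0) + question
    return {
        "refused": classify_response(refused),
        "answered": classify_response(answered),
        "servfail": classify_response(servfail),
        "answered_ra": recursion_available(answered),
    }


if __name__ == "__main__":
    print(demo())
```

Run `probe_resolver("<ip of your own recursive server>")` from an address outside the network it serves; "refused" is what you want to see, and "answer" means the host still belongs in the open-resolver count.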