On 3/29/13, Scott Noel-Hemming <frogstarr78@gmail.com> wrote:
> Some of us have both publicly-facing authoritative DNS, and inward facing recursive servers that may be open resolvers but can't be found via NS entries (so the IP addresses of those aren't exactly publicly available info).

Sounds like you're making the faulty assumption that an attacker would use normal means to find your servers.
A distributed scan of the entire IPv4 space for all internet IPs running open DNS servers is fairly doable; actually a long-term scan taking 100 to 200 days of continuous DNS scanning is completely trivial.

The fact a recursive DNS server exists at a certain IP address can also be exposed to the operators of authoritative (or root) DNS servers, through the queries that the recursive servers make. For example: an internet advertiser can place syndicated ads on certain websites, containing images referring to a server on their domain (that requires resolving their domain), and then mine data from the IP addresses that are contacting their authoritative DNS servers in order to make queries. For some domains, the authoritative DNS servers might even want to ping the recursor, and use the result to decide what set of answers to send for future queries, in order to reply with choices that are anticipated to minimize latency.

--
-JH
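Since the thread's point is that "not in NS records" is no protection against scanning, the practical check for an operator is to probe their own inward-facing recursor from an outside vantage point and confirm it refuses recursion. The following is an added example, not code from the thread; the resolver address and probe name are constructed placeholders, and the function names (build_query, classify_response, check_resolver) are this example's own. It builds a raw DNS query with RD set and classifies the reply from the RA bit, rcode and answer count, so the parsing can be exercised offline on constructed responses.

```python
import socket
import struct

# Constructed placeholders (not from the thread): point RESOLVER at one of
# your own inward-facing recursors and run check_resolver() from an outside host.
RESOLVER = "192.0.2.53"    # TEST-NET-1 documentation address, not a real server
PROBE_NAME = "example.com"
TXID = 0x1234


def build_query(qname, txid=TXID):
    """Minimal DNS A/IN query with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)


def classify_response(data, txid=TXID):
    """Classify a raw reply as 'open', 'refused', 'closed' or 'invalid'.

    open    - RA set, NOERROR and an answer: the server recursed for a stranger.
    refused - rcode REFUSED: recursion is restricted, the outcome you want.
    closed  - RA clear or empty answer section: the server declined to recurse.
    """
    if len(data) < 12:
        return "invalid"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or not flags & 0x8000:      # wrong id, or not a response
        return "invalid"
    rcode = flags & 0x000F
    if rcode == 5:
        return "refused"
    if flags & 0x0080 and rcode == 0 and ancount > 0:
        return "open"
    return "closed"


def check_resolver(addr=RESOLVER, qname=PROBE_NAME, timeout=2.0):
    """Send one recursive query over UDP and classify the reply.
    'timeout' means port 53 is filtered from here, which is also acceptable."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(qname), (addr, 53))
        data, _ = sock.recvfrom(512)
    except socket.timeout:
        return "timeout"
    finally:
        sock.close()
    return classify_response(data)
```

Run check_resolver() from a host outside your network; anything other than "refused" or "timeout" from a recursor that is not meant to be public means the scanners described above will find it too.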