

Good Web Security News: Open DNS Resolvers Are Getting Closed - jgrahamc
http://blog.cloudflare.com/good-news-open-dns-resolvers-are-getting-clos

======
tomku
What's the impact of this kind of thinking on intentionally "misconfigured"
DNS resolvers like Google Public DNS, OpenDNS, etc? Is CloudFlare pushing for
a world where I have no choice but my ISP's DNS servers, which return their
advertising server's IP instead of NXDOMAIN?

~~~
agwa
Google Public DNS uses rate limiting and some heuristics to reduce the
likelihood of being used in a DNS amplification attack [1]. I presume OpenDNS
does something similar.

Even if public DNS resolvers didn't exist, you could still run your own
private recursive name server (either on your computer or on your home router)
and avoid your ISP's. That's what I do.

[1] [https://developers.google.com/speed/public-dns/docs/security...](https://developers.google.com/speed/public-dns/docs/security#rate_limit)

------
marssaxman
It's still sad that we lost open SMTP relays. It's sad that we're losing open
DNS resolvers too. Shame to see the internet continue to get more locked down
and less open.

~~~
devicenull
It's not sad. We routinely see multi-gigabit DDoS attacks using open DNS
servers as relays. If they all disappeared, I'd be quite happy!

~~~
lostnet
I used to find it quite handy to query the DNS of a customer's ISP, etc., when
debugging.

I think a better long term solution is moving to transport protocols like SCTP
and choosing cookies that put computational burden on the initiator. Of course
it would make the mobile sector unhappy.

------
marshray
Why does the attacker need an open resolver, couldn't an authoritative DNS
server be used as an attack amplifier too?

Is the next logical step going to be war on "open" authoritative DNS servers?

~~~
agwa
Wow, that's a really good question. Thinking about this a bit, I don't _think_
authoritative servers pose as big of a problem in practice. DNS amplification
attacks require that the size of the response be much larger than the size of
the query (which is why it's an "amplification" attack). Right now
amplification attacks query for the same large response via lots of different
open resolvers. However, I suspect the majority of authoritative servers out
there only ever return small responses, which would limit the number of
servers an attacker could use in an amplification attack. Furthermore, the
attacker would need to tailor a specific query for each server rather than
using the same query for all of them, making the attack more difficult to pull
off.
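The two defensive signals raised in this thread, per-client rate limiting on a resolver (agwa's first reply) and the response-to-query size ratio that an amplification attack depends on (agwa's reply above), can be checked together from a resolver's query log. The script below is an added example written for this page; it is not code from the thread, from CloudFlare or from Google Public DNS. The log format, the sample lines, the client addresses (documentation ranges) and the thresholds (`window`, `max_queries`, `min_ratio`, `min_hits`) are all constructed for illustration.

```python
"""Flag resolver clients whose traffic looks like amplification reflection.

Two signals discussed in the thread: a resolver can rate-limit per client
source address, and an amplification attack needs responses much larger than
the queries that trigger them. Both are applied here to a constructed log.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample log (not real resolver output). One line per answered
# query; fields: unix_time client_ip qname qtype query_bytes response_bytes
SAMPLE_LOG = """\
1000 198.51.100.7 example.com A 45 61
1001 198.51.100.7 example.com A 45 61
1000 203.0.113.9 big.example ANY 64 3100
1000 203.0.113.9 big.example ANY 64 3100
1001 203.0.113.9 big.example ANY 64 3100
1001 203.0.113.9 big.example ANY 64 3100
1002 203.0.113.9 big.example ANY 64 3100
1002 203.0.113.9 big.example ANY 64 3100
1005 192.0.2.44 big.example ANY 64 3100
"""


@dataclass(frozen=True)
class Record:
    ts: int
    client: str
    qname: str
    qtype: str
    qbytes: int
    rbytes: int

    @property
    def ratio(self) -> float:
        """Amplification factor: bytes sent to the client per byte received."""
        return self.rbytes / self.qbytes


def parse_log(text: str) -> List[Record]:
    """Parse the whitespace-separated log format defined above."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype, qb, rb = line.split()
        records.append(Record(int(ts), client, qname, qtype, int(qb), int(rb)))
    return records


def flag_clients(records: List[Record], window: int = 5, max_queries: int = 5,
                 min_ratio: float = 10.0, min_hits: int = 3) -> Dict[str, Set[str]]:
    """Return {client_ip: reasons} for clients that trip either check.

    "rate": more than max_queries queries from one source inside any
            sliding window of `window` seconds (the per-client limit a
            resolver like Google Public DNS enforces).
    "amplification": at least min_hits responses whose size is min_ratio
            times the query size, the property an attacker needs from a
            reflector. Thresholds are illustrative assumptions.
    """
    by_client: Dict[str, List[Record]] = defaultdict(list)
    for r in records:
        by_client[r.client].append(r)

    flagged: Dict[str, Set[str]] = {}
    for client, recs in by_client.items():
        reasons: Set[str] = set()
        recs.sort(key=lambda r: r.ts)

        # Sliding-window rate check: advance `start` until the window fits.
        start = 0
        for end in range(len(recs)):
            while recs[end].ts - recs[start].ts > window:
                start += 1
            if end - start + 1 > max_queries:
                reasons.add("rate")
                break

        # Amplification check: count answers that are large relative to
        # the query; a single big answer is normal, a stream of them is not.
        high = [r for r in recs if r.ratio >= min_ratio]
        if len(high) >= min_hits:
            reasons.add("amplification")

        if reasons:
            flagged[client] = reasons
    return flagged


if __name__ == "__main__":
    for client, reasons in flag_clients(parse_log(SAMPLE_LOG)).items():
        print(client, sorted(reasons))
```

In the constructed sample only 203.0.113.9 is flagged, on both counts: six ANY queries in three seconds, each answered with roughly 48 times as many bytes as it sent. 192.0.2.44 gets one equally large answer and is left alone, which is the point of requiring repeated hits rather than reacting to a single large record; an operator would tune the thresholds against their own normal traffic before acting on the output.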

