nanog mailing list archives

Open Resolver Dataset Update
From: Jared Mauch <jared () puck nether net>
Date: Sun, 7 Apr 2013 13:46:14 -0400

I've continued to update my dataset originally posted about two weeks ago.  Please take a moment and review your CIDRs 
which may be running an open resolver.

I've exposed one additional bit in the user-interface that may be helpful.  Some DNS servers will respond with RCODE=0 
(OK) but not provide recursion.  Nearly 90% of the servers in the database provide recursion.

Some raw stats are also available via the 'breakdown' link on the main site.

If you operate a DNS server, or have an internal group that does, please take a moment and review your networks.

If you email me in private from a corporate address for your ASN, I can give you access to a per-ASN report.

Due to a change in methodology, I have increased the number of servers observed from 27.2 million to 30.2 million hosts.

2013-04-07 results

30269218 servers responded to our udp/53 probe
731040 servers responded from a different IP than probed
25298074 gave the 'correct' answer to my A? for the DNS name queried.
13840790 responded from a source port other than udp/53
27145699 responses had recursion-available bit set.
2761869 returned REFUSED

In addition, please do continue to deploy BCP-38 to prevent spoofing wherever possible.  I know at $dayjob we have been 
auditing this and increased the number of customer interfaces that cannot spoof.

- Jared
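
The categories in the message above (RCODE, the recursion-available bit, replies from a different IP or a source port other than udp/53) can all be read from the 12-byte DNS header plus the reply's source address. The following is an added example, not part of the original message or the dataset's own code; the function names and the sample replies are constructed for illustration.

```python
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}

def classify(probed_ip, src_ip, src_port, payload):
    """Classify one UDP reply to a recursive A query that was sent to probed_ip:53."""
    if len(payload) < 12:
        raise ValueError("shorter than the 12-byte DNS header")
    _id, flags, _qd, an, _ns, _ar = struct.unpack("!6H", payload[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    rcode = flags & 0x000F           # low 4 bits of the flags word
    ra = bool(flags & 0x0080)        # recursion-available bit
    return {
        "rcode": RCODES.get(rcode, str(rcode)),
        "recursion_available": ra,
        "answers": an,
        "different_ip": src_ip != probed_ip,
        "non_53_source_port": src_port != 53,
        # RCODE=0 alone is not enough: the server must also offer recursion.
        "open_recursive": rcode == 0 and ra,
    }

def header(flags, ancount=0):
    """Constructed header (id 0x1234, one question); question section omitted."""
    return struct.pack("!6H", 0x1234, flags, 1, ancount, 0, 0)

SAMPLES = [  # constructed replies using documentation addresses (RFC 5737)
    ("192.0.2.10", "192.0.2.10", 53, header(0x8180, 1)),       # QR RD RA, NOERROR
    ("192.0.2.20", "192.0.2.20", 53, header(0x8100)),          # NOERROR but no RA
    ("192.0.2.30", "192.0.2.30", 53, header(0x8105)),          # REFUSED
    ("192.0.2.40", "198.51.100.7", 40000, header(0x8180, 1)),  # other IP and port
]

def summarize(samples):
    """Count replies per category, mirroring the kind of breakdown in the message."""
    rows = [classify(*s) for s in samples]
    keys = ("recursion_available", "different_ip", "non_53_source_port", "open_recursive")
    totals = {k: sum(r[k] for r in rows) for k in keys}
    totals["refused"] = sum(r["rcode"] == "REFUSED" for r in rows)
    return totals

if __name__ == "__main__":
    for s in SAMPLES:
        print(s[0], classify(*s))
    print(summarize(SAMPLES))
```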
