Problems with Open DNS Resolver

Problem Overview

An open DNS resolver is a caching recursive DNS server that provides recursive name resolution to the public (with no restriction on who may query it). This may cause the following problems:

  1. Exposure to the outside world, which makes the server easy to attack and can cost it system and network resources.
  2. Cache poisoning.
  3. Easy abuse by outside parties, so that the server becomes a participant in DDoS attacks.

Detection system

We developed an open DNS resolver detection system to prevent the open DNS resolver problem and to help handle computers on campus with incorrect settings, so that attackers cannot exploit them to launch cyber attacks. Detection results are provided to the network administrators of each unit, so that they can forward the information and suggested methods to users to correct their settings, or check whether the problem has been solved. We hope that this will reduce the number of computers on campus running an open DNS resolver.

Real-time Detection Service

We developed this detection service to make it easier for NTHU users to detect whether their computers or network devices are running an open DNS resolver. At present, only NTHU IP addresses can use the detection service. (2013/08/30 online trial)

Suggested method

Windows 7

A. Disable the Windows 7 Internet Connection Sharing (ICS) service so that it stops providing DNS service

B. Use a firewall to block DNS service

C. Find the program that provides the DNS service and close it

  1. Execute CMD as system administrator, as shown in the figure below
  2. Execute the netstat -ab -p UDP command. Using the box below as an example, find the UDP 0.0.0.0:53 entry (which indicates that the computer provides DNS service); it corresponds to the component XXXXX and the program [yyyyy.exe].
    C:\Windows\system32>netstat -ab -p UDP
    
    使用中連線
    
      協定   本機位址               外部位址               狀態
      UDP    0.0.0.0:500            *:*
      IKEEXT
     [svchost.exe]
    ...
      UDP    0.0.0.0:53             *:*
      XXXXX
     [yyyyy.exe]
    ...
    • For example, the figure below shows that the component SharedAccess and the program svchost.exe are what cause the open DNS resolver. Users should determine whether or not the program and its settings can be terminated.
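
The lookup in method C can be automated by parsing saved netstat -ab -p UDP output. The following is an added example, not part of the original page or the detection system: it matches rows by structure rather than by header text, so localized output like the box above parses unchanged. The function name dns_listeners, the result field names and the program example-dns.exe are assumptions, and the sample output is constructed.

```python
import re

# Constructed sample of `netstat -ab -p UDP` output (not captured from a real host).
SAMPLE = """\
使用中連線

  協定   本機位址               外部位址               狀態
  UDP    0.0.0.0:500            *:*
  IKEEXT
 [svchost.exe]
  UDP    0.0.0.0:53             *:*
  SharedAccess
 [svchost.exe]
  UDP    127.0.0.1:53           *:*
 [example-dns.exe]
  UDP    [::]:5355              *:*
  Dnscache
 [svchost.exe]
"""

# An endpoint row is: protocol, local address:port, foreign address.
ENDPOINT = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+")
LOOPBACK = ("127.", "[::1]")

def dns_listeners(netstat_text, port=53):
    """Return one dict per socket bound to `port`, with its owning component and program."""
    found, current = [], None
    for line in netstat_text.splitlines():
        m = ENDPOINT.match(line)
        if m:
            current = None  # a new endpoint row ends the previous owner block
            if int(m.group(3)) == port:
                addr = m.group(2)
                current = {"proto": m.group(1), "address": addr, "component": None,
                           "program": None, "exposed": not addr.startswith(LOOPBACK)}
                found.append(current)
        elif current is not None and line.strip():
            text = line.strip()
            if text.startswith("[") and text.endswith("]"):
                current["program"] = text[1:-1]   # e.g. [svchost.exe]
                current = None                    # owner block is complete
            else:
                current["component"] = text       # e.g. SharedAccess
    return found

if __name__ == "__main__":
    for hit in dns_listeners(SAMPLE):
        print(hit)
```

An entry with "exposed" set to True is bound to a non-loopback address and is the one to review against methods A to C.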