Going Wild: Large-Scale Classification of Open DNS Resolvers

Marc Kührer, Thomas Hupperich, Jonas Bushart, Christian Rossow, Thorsten Holz

15th ACM Internet Measurement Conference (IMC), Tokyo, Japan, October 2015


For several years, millions of recursive DNS resolvers have been, deliberately or not, open to the public. This, however, is counter-intuitive, since the operation of such openly accessible DNS resolvers is necessary in rare cases only. Furthermore, open resolvers enable both amplification DDoS and cache snooping attacks, and can be abused by attackers in multiple other ways. We thus find open recursive DNS resolvers to remain a critical phenomenon on the Internet.

In this paper, we illuminate this phenomenon by analyzing it from two different angles. On the one hand, we study the landscape of DNS resolvers based on empirical data we collected for over a year. We analyze the changes over time and classify the resolvers according to device type and software version. On the other hand, we take the viewpoint of a client and measure the response authenticity of these resolvers. Besides legitimate redirections (e.g., to captive portals or router login pages), we find millions of resolvers to deliberately manipulate DNS resolutions (i.e., return bogus IP address information). To understand this threat in more detail, we systematically analyze non-legitimate DNS responses and reveal open DNS resolvers that manipulate DNS resolutions to censor communication channels, inject advertisements, serve malicious files, perform phishing, or redirect to other kinds of suspicious or malicious activities.


tags: Device Fingerprinting, DNS Resolvers, Internet-wide Scanning, Measurements