Measurement Study of Open Resolvers and DNS Server Version
Internet Conference 2013
Yuuki Takano, Ruo Ando, Takeshi Takahasi (NICT)
Satoshi Uda, Tomoya Inoue (JAIST)

Summary
- Probed the whole IPv4 address space to collect open resolvers
- Collected about 30 million DNS server addresses
- Found about 25 million open resolvers
- Analyzed them by reverse lookup and geographic mapping

Related Work
DNS Amplification Attack
- DNS servers are abused to launch DDoS attacks
  - abused as reflectors and amplifiers
  - query and response message sizes are quite different
[Figure: Attacker, DNS Servers (a.k.a. Open Resolvers), Victim; labels: ANY Queries, Spoofed Src]

Measurement Strategy
- First, send a DNS A query without the RD flag to collect DNS servers on the Internet
  - if a DNS server returns a response with the RA flag, it is an open resolver
  - otherwise, it is not an open resolver
- After probing DNS servers with the A query, send a VERSION.BIND query
- Furthermore, reverse-look up the DNS servers' IP addresses

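The probe rule above, worked through offline as an added example (not the authors' prober code): it builds the A query without the RD flag and the VERSION.BIND query, then classifies replies by the RA flag and extracts the version string. Assumptions not stated on the slides: VERSION.BIND is sent as a CHAOS-class TXT query, and the function names, transaction IDs and reply bytes are constructed for illustration.

```python
import struct

QR, RD, RA = 0x8000, 0x0100, 0x0080      # DNS header flag bits (RFC 1035)
TYPE_A, TYPE_TXT, CLASS_IN, CLASS_CH = 1, 16, 1, 3

def build_query(txid, name, qtype, qclass, rd=False):
    """One-question DNS query; rd=False is the probe the slide describes."""
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, RD if rd else 0, 1, 0, 0, 0)
    return header + qname + struct.pack("!HH", qtype, qclass)

def classify(response, txid):
    """Slide's rule: a response carrying the RA flag marks an open resolver."""
    if len(response) < 12:
        return "malformed"
    rid, flags = struct.unpack("!HH", response[:4])
    if rid != txid or not flags & QR:     # stray packet, or not a response at all
        return "ignored"
    return "open resolver" if flags & RA else "not open resolver"

def skip_name(msg, pos):
    """Return the offset just past a (possibly compressed) name."""
    while msg[pos]:
        if msg[pos] & 0xC0 == 0xC0:       # a compression pointer ends the name
            return pos + 2
        pos += 1 + msg[pos]
    return pos + 1

def parse_version(response):
    """First TXT string of the first answer to VERSION.BIND, else None."""
    try:
        qdcount, ancount = struct.unpack("!HH", response[4:8])
        if qdcount != 1 or ancount < 1:
            return None
        pos = skip_name(response, skip_name(response, 12) + 4)  # question, then owner name
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", response[pos:pos + 10])
        if rtype != TYPE_TXT or rdlen < 1:
            return None
        n = response[pos + 10]            # length byte of the first TXT string
        return response[pos + 11:pos + 11 + n].decode("ascii", "replace")
    except (IndexError, struct.error):    # truncated or malformed reply
        return None

# Constructed samples (not captured traffic): replies forged from our own queries.
def sample_reply(query, flags, answer=b""):
    return query[:2] + struct.pack("!HHHHH", flags, 1, int(bool(answer)), 0, 0) + query[12:] + answer

A_PROBE = build_query(0x1234, "example.com", TYPE_A, CLASS_IN)
VER_PROBE = build_query(0x1235, "version.bind", TYPE_TXT, CLASS_CH)
TXT_RR = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_TXT, CLASS_CH, 0, 9) + b"\x08" + b"9.9.3-P2"
```

Run against a resolver you operate, the same two queries show whether it offers recursion to outside clients and whether it discloses its version string.
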
Measurement Architecture
In this section, we present our methodology to measure DNS servers on the Internet. Figure 1 shows the architecture of the DNS server measurement system we designed and implemented. It consists of 4 components as follows.
[Figure 1: DNS Measurement System Architecture. Components: The Internet, DNS Prober, DB, Reverse Lookupper, Statistical Analyzer; flows: A Query and VERSION.BIND Response, Reverse Lookup Result]

Measurement Target and Source
- Target: whole IPv4 address space
- Source: JAIST's server
- Date: July 2013
- Measurement Time
  - A query and VERSION.BIND query: about 1 day
  - reverse lookup: about 5 days
  - statistical analysis: a few hours
- PC Spec
  - KVM Virtual Machine, 2 CPU, 4GB Memory
  - Hypervisor, Intel Xeon 2GHz x 32,

DNS Servers and VERSION.BIND
Table 2: Types of DNS Servers (number of servers, total and by regional registry)

Type of DNS          Total     APNIC      RIPE      ARIN    LACNIC   AFRINIC     other
BIND 9.x           4268442    806357   1530177   1126501    169268    121556    514583
  †                1851362    551458    781954    176399     94385    117906    129260
BIND 8.x             35218      4588     21348      6663       974        32      1613
  †                  30444      4202     18958      5186       854        31      1213
BIND 4.x              3486       121      2751       440        43         0       131
  †                   2765        93      2256       348        11         0        57
Dnsmasq            1308653    692042    216273     75201    226880     32676     65581
  †                1308381    692026    216028     75196    226877     32676     65578
Nominum Vantio      968041    553404    284852     20142     21205     70861     17577
  †                 967044    552650    284782     20125     21200     70736     17551
Nominum ANS            687        18        34        79        42         2       512
  †                     13         2         0         0        11         0         0
PowerDNS            373588     14215    329994     14360      2952        91     11976
  †                 372684     14207    329116     14354      2952        91     11964
Unbound              71781     16230     43507      6941      1510      1585      2008
  †                  23220      3281     14398      4638       315       312       276
NSD                  33933      1731     11077     17182       322        13      3608
  †                     17         5         5         2         1         0         4
Windows series       11698       184      1077        85     10312         0        40
  †                  11342       129       865        67     10257         0        24
can’t detect       8281885   4012525   2367711    429450    690618    279903    501678
  †                7658656   3911886   2118455    244682    670597    278183    434853
no version info   14927910   3457029   4505928   1442348   4025325    699029    798251
  †               12746062   3050589   3465814   1179188   3919438    668399    462634
Total             30285322   9558444   9314729   3139392   5149451   1205748   1917558
  †               24971990   8780528   7232631   1720185   4946898   1168334   1123414

†: open resolver

Version Distribution of BIND 9.x
Latest Versions:
- 9.9.3-P2
- 9.8.5-P2
- 9.7.7 (EOL)
- 9.6-ESV-R9-P1

1st-to-3rd Level Domain Distribution of Open Resolver

Spammer Favored Domains
- Spamology: A Study of Spam Origins, Craig et al., CEAS 2009
- TOP 2 origins of spam mail
  - hinet.net
  - 163data.com.cn

1st-to-3rd Level Domain Distribution of Open Resolver in JP TLD

Country Distribution by GeoIP Lite

Heat Map of Open Resolver

ANY Query and Detail
Table 3: Details of DNS Answer Section of Response for ANY Query (bytes)

Record     isc.org  ripe.net
RRSIG         1965      1304
DNSKEY         427       848
NSEC            53        38
SPF            112         -
TXT            181         -
NS              97       136
NAPTR           46         -
A               16        16
AAAA            28        28
MX              24        50
SOA             54        52
Total         3005      2472

- The ANY query is used to launch DNS amplification attacks
- Amplification ratio
  - isc.org: request 64 bytes, response 3,245 bytes, ratio 50.7
  - ripe.net: request 65 bytes, response 2,669 bytes, ratio 41.0
- DNSSEC records account for the majority of the response

DNSSEC Considered Harmful?
- DNSSEC protects users from DNS injection attacks
  - Great Firewall in China: "The Collateral Damage of Internet Censorship by DNS Injection", anonymous authors, SIGCOMM 2012
- However, DNSSEC increases the amplification ratio of DNS amplification attacks
- Is this a trade-off? Exclusive?

Conclusion
- Collected 30 million DNS servers and 25 million open resolvers
- Revealed that there are many open resolvers in spammer-favored domains
- Revealed that China, the USA and Mexico are the top 3 holders of open resolvers
- DNSSEC significantly increases the amplification ratio of DNS amplification attacks