The Shadowserver Foundation

Open Resolver Scanning Project

If you are looking at this page, then more than likely, you noticed a scan coming from this server across your network and/or querying your DNS server(s).

The Shadowserver Foundation is currently undertaking a project to search for publicly available recursive DNS servers. The goal of this project is to identify DNS servers that will send a reply to any IP address for domains that the DNS server is not authoritative for and report them back to the network owners for remediation.

These servers have the potential to be used in DNS amplification attacks and, if at all possible, we would like to see these services made unavailable to miscreants who would misuse these resources.

Servers that are configured this way have been incorporated into our reports and are being reported to the network owners on a daily basis.

If you would like more information on DNS amplification attacks and some tips on how to disable open recursion, take a look at the US-CERT alert TA13-088A at: http://www.us-cert.gov/ncas/alerts/TA13-088A

Further information on UDP-based amplification attacks in general can be found in US-CERT alert TA14-017A at: https://www.us-cert.gov/ncas/alerts/TA14-017A

Methodology

We are querying all computers with routable IPv4 addresses that are not firewalled from the internet on port 53/udp with a request for the "A" record of "dnsscan.shadowserver.org" (this host), capturing the response from the DNS server and parsing the result. We intend no harm, but if we are causing problems, please contact us at gro [tod] revfooreswodahs [ta] nacbarssnd

If you would like to test your own device to see if it supports open recursion, try the command "dig +short @[IP] dnsscan.shadowserver.org" from a computer that does *not* use the IP listed in the command as its authoritative DNS server. If the device does support open recursion, you should see the IP address of dnsscan.shadowserver.org returned as the result.
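The same check as a small script, added here as an example and not code from Shadowserver: it sends the A query for dnsscan.shadowserver.org with the RD bit set, exactly as the scan and the dig command above do, and reads the reply's RA bit, RCODE and answer count to decide whether the server recursed. Run it from a host that does not use the tested IP as its resolver; the function and field names are this example's own.

```python
import socket
import struct

TEST_NAME = "dnsscan.shadowserver.org"  # the name the Shadowserver probe asks for

def build_query(name, txid=0x1234):
    """Standard A/IN query with the RD (recursion desired) bit set."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def _skip_name(data, off):  # offset just past a (possibly compressed) name
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # two-byte compression pointer ends the name
            return off + 2
        off += 1 + length

def classify_response(resp):
    """Decode header + first A answer; RA set, NOERROR and an answer = open recursion."""
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", resp[:12])
    ra, rcode = bool(flags & 0x0080), flags & 0x000F  # rcode 0 = NOERROR, 5 = REFUSED
    off = 12
    for _ in range(qd):  # skip the echoed question section
        off = _skip_name(resp, off) + 4
    address = None
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            address = socket.inet_ntoa(resp[off:off + 4])
            break
        off += rdlen
    return {"ra": ra, "rcode": rcode, "answers": an, "address": address,
            "open_recursive": ra and rcode == 0 and an > 0}

def check_resolver(ip, timeout=3.0):
    """Send the probe over UDP/53: the same test as 'dig +short @IP dnsscan.shadowserver.org'."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(TEST_NAME), (ip, 53))
        try:
            return classify_response(s.recv(512))
        except socket.timeout:
            return None  # no reply: filtered, or not a DNS server
```

A server that is correctly locked down typically answers with RCODE 5 (REFUSED) and no answer records, which `classify_response` reports as `open_recursive: False`.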

Whitelisting

To be removed from this scan, you will need to send an email to dnsscan [at] shadowserver [dot] org with the specific CIDRs that you would like removed. You will have to be the verifiable owner of these CIDRs and be able to prove that fact. Any address space that is whitelisted will be publicly listed here: https://dnsscan.shadowserver.org/exclude.html

Other Statistics

If you would like other statistics and information on historical trends, please take a look at: https://dnsscan.shadowserver.org/stats/. Otherwise, stats from the most current scan are listed below.


Recursive DNS Servers

[Map: Open Resolvers] These are the 10 million openly recursive servers.

Non-Recursive DNS Servers

[Map: Non-Open Resolvers] These are the 5 million hosts that did not recurse.

Possible 10x Amplifiers

[Map: Possible Amplifiers] These are the hosts that appear to provide 10 times (or more) amplification.

Recursive DNS Servers

[Map: Open Resolvers] These are the 10 million openly recursive servers.

Non-Recursive DNS Servers

[Map: Non-Open Resolvers] These are the 4.5 million hosts that did not recurse.

Possible 10x Amplifiers

[Map: Possible Amplifiers] These are the hosts that appear to provide 10 times (or more) amplification.

If you would like us not to scan your network, please let us know and we will remove your networks from the scan.

Likewise, if you have any more questions, please feel free to send us an email at: gro [tod] revfooreswodahs [ta] nacbarssnd