Comments on: The Trouble with Open DNS Resolvers

By: Olaf van der Spek

Olaf van der Spek — Mon, 18 Mar 2013 16:46:31 +0000

I’m pretty sure Google’s DNS services aren’t as easy to abuse as the open DNS services run by your customers. What % of open DNS services of your customers is intended to be open and abusable?

I assume the majority isn’t, which begs the question why they’re still open and being abused (after 4 months).

By: Kevin Hazard

Kevin Hazard — Mon, 18 Mar 2013 16:29:26 +0000

Are you asking the first question rhetorically? If it's a serious question, the way Google describes how they built Google Public DNS gives some insight into how they implemented several recommended solutions to help guarantee the authenticity of the responses Google Public DNS receives from other nameservers. The valid use of an open DNS resolver is to allow users to resolve DNS over the public Internet.

By: Olaf van der Spek

Olaf van der Spek — Sat, 16 Mar 2013 12:54:29 +0000

How does one stop an open DNS resolver from being abused?
And what are valid uses of an open DNS resolver?

By: Kevin Hazard

Kevin Hazard — Fri, 15 Mar 2013 18:08:48 +0000

As I suggested in my previous comment, every aspect of a hosting environment *can* be abused. Email “can and will be abused” by hackers and spammers, but SoftLayer still allows our customers to use email services.

If open DNS resolvers were used exclusively for abuse, they would be forbidden on our network. Because open DNS resolvers have valid uses, we can advise customers to use private DNS resolvers (like the ones SoftLayer provides to our customers for free) but we don’t force the open DNS resolvers to be closed simply because have potential for abuse.

Our terms of service state that any abusive behavior on the SoftLayer network is forbidden. Regardless of whether a customer is direct or indirect, if our abuse team is alerted to abusive activity coming from any server on our network, they take action to stop that activity.

By: Olaf van der Spek

Olaf van der Spek — Thu, 14 Mar 2013 19:14:27 +0000

Open (unprotected) DNS resolvers can and will be abused, right?
It kinda sounds like you’re saying that’s okay, sometimes, maybe.

Such abuse is NOT okay, even if such services are run by indirect customers.

By: Kevin Hazard

Kevin Hazard — Thu, 14 Mar 2013 18:49:22 +0000

The majority of the open DNS resolvers are not being operated by SoftLayer’s direct customers, so while we actively encourage our customers to advise their customers on better ways to handle their DNS resolvers, we don’t communicate with the end users directly. As Ryan mentions in this blog, the users most likely to run open DNS resolvers are less-technical shared hosting customers who rent a piece of a server from a reseller who might still be disconnected from SoftLayer by layers of other customers. There are certainly people who believe that open DNS resolvers should be left open for the good of the Internet, but typically, open DNS resolvers are operated by users who don’t want to lock themselves out of their DNS by misconfiguring access.

Any hosting service can be abused … Every email address is a potential source of spam, and every server is a potential target for a hacker looking to break in and put up a phishing site to steal credit card information. It is specifically *because* we host “abusable” services that we have a full abuse team to investigate and take action if we notice or are contacted about any abuse from our network.

By: Olaf van der Spek

Olaf van der Spek — Thu, 14 Mar 2013 17:54:59 +0000

Wouldn’t a link to a single well-written document explaining all that be enough for your customers to understand it and to deal with the problem?

I understand you can’t simply suspend their servers, but now you’re basically knowingly hosting abusable services, right?

By: Kevin Hazard

Kevin Hazard — Thu, 14 Mar 2013 17:49:22 +0000

Finding open DNS resolvers on the network is not the challenge … The challenge is getting customers who operate open DNS resolvers to understand what they are, why they’re not advised and what they can do to avoid them. For self-managed dedicated and cloud services on SoftLayer’s network, our team doesn’t configure or change our customers’ environments, so we don’t have direct access to close those DNS resolvers.

By: Olaf van der Spek

Olaf van der Spek — Thu, 14 Mar 2013 13:43:50 +0000

Hi Ryan,

Can’t you actively scan for open DNS resolvers on your network? The bad guys certainly managed to find them, can’t you?

By: Rob

Rob — Thu, 29 Nov 2012 17:44:47 +0000

If you have problems with OpenDNS, try SafeDNS (the same idea behind) http://www.safedns.com