Open DNS Resolver

KiKi
Posts: 5,381 Forumite


in Techie Stuff
Hi everyone
I received a letter from Virgin Media to say that it seems my home network has an Open DNS Resolver.
Firstly, I have no idea what it means (and Virgin's letter clearly hasn't been written by someone who knows how to translate it into layman's speak!). However, I followed the letter's instructions to use a tool on the Thinkbroadband website to check if this is the case. And it is:
"Warning! We detected your IP address as <removed> and found an open DNS resolver running.
This may be either running on your computer or on your broadband router. It is advisable that you don't run a resolver which can be queried from the Internet. It is possible that you could be vulnerable to a DNS poisoning attack. More details are available in the CERT Advisory or you can carry out a more detailed test at doxpara.com or dns-oarc.net."
I have no idea what to do next. The letter offers two webpages to help - one which is not found, and one which presumes you have quite detailed understanding of this. Which I don't.
Could someone please advise if a) this is even a problem, and b) if it is, how to fix it? I'm not stupid, but I don't understand networking or web terms outside of the basic internet usage!
Would really appreciate any easy-to-understand help!
Thanks
KiKi
' <-- See that? It's called an apostrophe. It does not mean "hey, look out, here comes an S".
Comments
Sounds to me like you may have some malware running and although I'm certainly not the best to advise on that I'd suggest that you download and run MalwareBytes
What they are saying is that you have something running on your network that is acting as a DNS server, which means you must have port 53 open to incoming requests on both the router and whatever machine the DNS software is running on, which is very strange. I can only guess that the malware (assuming it is) has used UPnP to open the port. Disabling that on your router may stop it working.
I'm going to have a google as I've never heard of this sort of problem.
Hi everyone
I received a letter from Virgin Media to say that it seems my home network has an Open DNS Resolver.
OK.
What that's saying is that on your home network, but accessible from the outside world, there is a resolver that will answer queries from anyone.
A resolver is a piece of software that answers name service lookups. You can ask it the question "IN A www.google.com?" and it will tell you the IP number(s) of https://www.google.com. You can ask it the question "IN MX gmail.com?" and it will tell you the names of the servers that accept mail on behalf of gmail.com. You can ask it the question "IN PTR 4.3.2.1.in-addr.arpa?" and it will tell you the name of the server that lives on IP number 1.2.3.4. It's the basis for DNS services.
The problem is that many resolvers were written in a kinder, gentler age. The resolvers that run on embedded devices like routers are not attuned to the modern, more aggressive Internet. They can be attacked, and attacked in bad ways.
Suppose I know that a user who currently holds IP number 5.6.7.8 is running an open resolver. Suppose I control a web server with the IP number 1.2.3.4. My attack is as follows.
I set up a DNS infrastructure such that one of my machines will answer queries of the form "IN A www.fiendishplottohackpeople.com?" It answers those queries by sending back an IP number (which is unimportant) and what is called "additional information". "Additional Information" is the old, kind Internet, where you help people because you're nice. Additional Information is "here's something I know, which you might like to know as well". So my server for DNS records for https://www.fiendishplottohackpeople.com also sends additional information: "www.popular-high-street-bank-one 604800 IN A 1.2.3.4", "www.popular-high-street-band-two 604800 IN A 1.2.3.4" and so on. The 604800 is one week in seconds: it means "hold on to this useful information for a week".
I now just send a single query to 5.6.7.8: "IN A www.fiendishplottohackpeople.com". That query is, eventually, resolved by my infrastructure, which sends back an IP number along with all that lovely additional information. The resolver will cache the whole response. The fiendishplot stuff? Who cares: you aren't going to look it up anyway. But for the next week, any time you look up the IP number for those High Street Banks, you're going to be routed to my servers. Yeah, I won't have certificates, but a lot of users don't check those, do they. And I might instead drive you to my version of Google, my version of MSE, my version of GMail...
Now proper resolvers reject these attacks. They either discard all additional information, or they have complex rules about "out of bailiwick" responses which make them much, much pickier about accepting it. So they would reject out of hand an attempt by fiendishplottohackpeople.com to tell them about google, or High Street Banks, because they have no reason to know. But the little embedded resolver in an old router? Not so funny.
Now there are attacks on _non_ open resolvers too, which are known as Kaminsky Attacks. But they are harder, and require quite a lot of luck to succeed: they're also much more dangerous against busy resolvers at the edge of corporate networks, to the point that anyone trying to use them against home users would have to be desperate. An open resolver old enough to accept out of bailiwick additional information is just gagging to be subverted.
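An added illustration, not from any post in this thread, of the bailiwick rule securityguy describes: it models what an old trusting resolver and a modern bailiwick-checking resolver each cache from the fiendishplottohackpeople.com response. The response records, the zone name and the 198.51.100.7 address are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

WEEK = 604800  # the one-week TTL quoted in the post


@dataclass(frozen=True)
class RR:
    name: str    # owner name of the record
    ttl: int
    rtype: str   # "A", "NS", ...
    rdata: str


def in_bailiwick(zone: str, name: str) -> bool:
    """True if `name` is `zone` itself or lies beneath it.
    The leading dot matters: notfiendishplottohackpeople.com is NOT
    under fiendishplottohackpeople.com."""
    zone = zone.strip(".").lower()
    name = name.strip(".").lower()
    return name == zone or name.endswith("." + zone)


def build_cache(zone: str, answer: List[RR], additional: List[RR],
                check_bailiwick: bool) -> Dict[Tuple[str, str], str]:
    """Return what a resolver would cache after one response.
    `zone` is the zone the answering server was delegated for this query.
    check_bailiwick=False models the old embedded resolver in the post;
    True models a modern resolver that keeps only in-bailiwick additional data."""
    cache = {}
    for rr in answer:
        cache[(rr.name, rr.rtype)] = rr.rdata
    for rr in additional:
        if check_bailiwick and not in_bailiwick(zone, rr.name):
            continue  # this server has no business telling us about that name
        cache[(rr.name, rr.rtype)] = rr.rdata
    return cache


# Constructed response to "IN A www.fiendishplottohackpeople.com?", modelled on the post.
ZONE = "fiendishplottohackpeople.com"
ANSWER = [RR("www.fiendishplottohackpeople.com", 300, "A", "198.51.100.7")]
ADDITIONAL = [
    RR("ns1.fiendishplottohackpeople.com", WEEK, "A", "198.51.100.7"),  # legitimate glue
    RR("www.popular-high-street-bank-one", WEEK, "A", "1.2.3.4"),       # out of bailiwick
    RR("www.popular-high-street-bank-two", WEEK, "A", "1.2.3.4"),       # out of bailiwick
]

if __name__ == "__main__":
    for mode in (False, True):
        cache = build_cache(ZONE, ANSWER, ADDITIONAL, check_bailiwick=mode)
        print("bailiwick check", mode, "-> cached names:", sorted(n for n, _ in cache))
```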
So the next question is "what is running this"? How complex is your home network? Someone who does Windows will translate if necessary, but in Mac land you need to run "dig @192.168.1.1 www.google.com" against every active IP number on your home network and see which of them respond. Then from outside your firewall (use 3G connection or WiFi in a cafe or your next door neighbours' network or something) run "dig @1.2.3.4 www.google.com" (where 1.2.3.4 is the external IP number of your router) and compare the result. You should be able to spot the machine that's running the resolver that's being exposed, and then figure out why.
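The "does this address answer recursive queries?" test from the post above, as an added Python script that is not from the thread: it sends the same "IN A www.google.com?" query that dig sends and reads the reply header, where the RA (recursion available) flag is what distinguishes an open resolver from a server that merely listens on port 53. The resolver address is whatever you pass on the command line; the query ID 0x1234 is an arbitrary constant.

```python
import socket
import struct
import sys


def build_query(name, qid=0x1234):
    """Encode a standard 'IN A <name>?' query with only the RD (recursion
    desired) bit set, which is what dig and nslookup send by default."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(struct.pack("B", len(l)) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_header(resp):
    """Pull the fields we care about out of the 12-byte DNS header."""
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return {"id": qid, "qr": bool(flags & 0x8000), "ra": bool(flags & 0x0080),
            "rcode": flags & 0x000F, "ancount": an}


def classify(resp, qid):
    """Interpret one reply. An open recursive resolver answers with QR=1, RA=1
    and RCODE 0 (NOERROR) or 3 (NXDOMAIN). RCODE 5 (REFUSED) means something
    listens on 53 but declines recursion for this client, which is the safe
    state for a home router. Anything else is not a usable resolver."""
    if len(resp) < 12:
        return "not a DNS reply"
    h = parse_header(resp)
    if h["id"] != qid or not h["qr"]:
        return "not a DNS reply"
    if h["rcode"] == 5:
        return "listening but refuses recursion"
    if h["ra"] and h["rcode"] in (0, 3):
        return "OPEN RESOLVER: answers recursive queries"
    return "replied without recursion (rcode %d)" % h["rcode"]


def probe(resolver_ip, name="www.google.com", timeout=3.0):
    """Send the query to resolver_ip:53 over UDP, as 'dig @resolver_ip name' does."""
    qid = 0x1234
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qid), (resolver_ip, 53))
        try:
            resp, _ = s.recvfrom(512)
        except socket.timeout:
            return "no reply (port 53 closed or filtered)"
    return classify(resp, qid)


if __name__ == "__main__":
    # usage: python probe.py 192.168.1.1   (run once per device, then once
    # against the router's external address from outside the network)
    print(probe(sys.argv[1]))
```

Run it against each LAN address from inside, then against the router's external address from outside, exactly as the post describes; the inside run tells you which box answers, the outside run tells you whether the router exposes it.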
In windows you could use nslookup -querytype=TXT -timeout=10 porttest.dns-oarc.net 8.8.8.8
edited just added the google dns server as the server 8.8.8.8
result looks like this:
C:\Users\rob>nslookup -querytype=TXT porttest.dns-oarc.net 8.8.8.8
Server: google-public-dns-a.google.com
Address: 8.8.8.8
DNS request timed out.
timeout was 2 seconds.
Non-authoritative answer:
porttest.dns-oarc.net canonical name = porttest.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net
porttest.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net text = "74.125.17.150 is GREAT: 6 queries in 55.1 seconds from 6 ports with std dev 12089"
To run this in Windows select Run, then type cmd, and type the nslookup command in the black window it gives you.
4.8kWp 12x400W Longhi 9.6 kWh battery Giv-hy 5.0 Inverter, WSW facing Essex. Aint no sunshine ☀️ Octopus gas fixed dec 24 @ 5.74 + Octopus Intelligent Flux leccy
debitcardmayhem wrote: »In windows you could use nslookup -querytype=TXT -timeout=10 porttest.dns-oarc.net
That isn't sufficient: you need to be able to direct the query to a specific (conjectured) resolver. "dig @1.2.3.4 www.google.com" explicitly asks the resolver at IP number 1.2.3.4 the question "IN A www.google.com?"
Edit to add: nslookup www.google.com 1.2.3.4
does the right thing.
securityguy wrote: »That isn't sufficient: you need to be able to direct the query to a specific (conjectured) resolver. "dig @1.2.3.4 www.google.com" explicitly asks the resolver at IP number 1.2.3.4 the question "IN A www.google.com?"
Thank you for the replies and your trying to explain it to me.
Unfortunately saying to me "run xxx against IP..." or "you have port 53 open" means absolutely nothing to me! I don't know what those things are, nor what to do to make it do that!!
Is there a web page that could explain to me in literally "type the following words into your URL bar" or something that I could follow?
If it helps, I have a one year old HP laptop, a brand new HTC phone, a brand new Nexus in terms of devices. I use a router that's probably four or five years old, maybe more, and a Virgin modem that's about 7 years old. Could I just solve the problem by replacing something?!
Sorry for sounding stupid, but I don't live in the techie world so your words don't translate to anything meaningful in my brain!!
Thank you for trying to help me, though.
KiKi
Do you also have smart TVs or other boxes connected to your router?
Is there a web page that could explain to me in literally "type the following words into your URL bar" or something that I could follow?
Not easily. It's quite a complex and unusual problem.
As a starting point:
Visit http://www.whatismyip.com and note down what your IP number is.
Then visit http://network-tools.com/nslook/ and paste your IP number into the "server" box, tick the "advanced output" box, and then hit "go".
Paste the output into a reply to this message.
debitcardmayhem wrote: »Do you also have smart TVs or other boxes connected to your router ?
I don't have a smart TV; I have Virgin Media, but not TiVo, so I'm not sure if that uses the internet to access TV services, or if it's run through cable? I'm pretty sure it's cable, as my TV services work if the internet's down, and I don't link it to the router at all.
Nothing else is connected to the router.
Just ran an anti-virus which found and removed two pieces of 'adware' (whatever that is).
Malwarebytes has found 19 objects, so I'm just following the instructions to remove them now...
KiKi
This discussion has been closed.