We have an ongoing survey that looks for open DNS resolvers. A DNS resolver is open if it provides recursive name resolution for clients outside of its administrative domain. Open DNS resolvers are a bad idea for a few reasons:
As with open SMTP relays, open DNS resolvers are now being abused by miscreants to further pollute the Internet.
We send a DNS query to a target IP address for a name in the test.openresolvers.org domain. If our authoritative server for that domain receives the same query, the target IP address is running an open resolver.
Target IP addresses are tested no more than once every three days.
The list of target IP addresses comes from a few sources:
Please see our Open Resolver Check interface. Here you may enter your own IP address (or someone else's address) for immediate testing.
You may also use our Network Query tool to see a list of open resolvers on your network.
You may also query our DNSBL using the dnsbl.openresolvers.org zone. For example:
$ dig +short 18.104.22.168.dnsbl.openresolvers.org
127.0.0.2
A response of 127.0.0.2 means that the address in question is open for recursion. An "NXDomain" response means that the address is either not open, or has not been probed yet.
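A batch version of the DNSBL lookup above for checking addresses you administer, as an added example (not code from The Measurement Factory). It assumes the zone follows the usual DNSBL convention of reversed octets (RFC 5782), which this page does not spell out; fake_lookup and the 192.0.2.0/29 answers are constructed so the script runs offline.

```python
import ipaddress
import socket

ZONE = "dnsbl.openresolvers.org"  # zone named on the page
OPEN_CODE = "127.0.0.2"           # page: this answer means open for recursion

def dnsbl_name(ip, zone=ZONE):
    """Lookup name for ip. Assumption: octets reversed, as in RFC 5782."""
    addr = ipaddress.IPv4Address(ip)  # ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def system_lookup(name):
    """A record as text, or None on NXDOMAIN; other failures propagate."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror as exc:
        if exc.errno == socket.EAI_NONAME:  # name does not exist
            return None
        raise  # timeout, SERVFAIL, no network

def classify(ip, lookup=system_lookup):
    try:
        answer = lookup(dnsbl_name(ip))
    except OSError:
        return "lookup-failed"  # not evidence that the address is closed
    if answer is None:
        return "not-listed"     # page: not open, or not probed yet
    if answer == OPEN_CODE:
        return "open"
    return "unexpected:" + answer  # e.g. a resolver that rewrites NXDOMAIN

def audit(cidr, lookup=system_lookup):
    """Classify every host address in a network you administer."""
    return {str(ip): classify(str(ip), lookup)
            for ip in ipaddress.ip_network(cidr).hosts()}

def fake_lookup(name):
    """Constructed stand-in for the DNSBL so the demo runs offline."""
    if name.startswith("3."):
        raise socket.gaierror(socket.EAI_AGAIN, "temporary failure")
    answers = {"2.2.0.192." + ZONE: OPEN_CODE,
               "4.2.0.192." + ZONE: "203.0.113.10"}
    return answers.get(name)

if __name__ == "__main__":
    for ip, status in audit("192.0.2.0/29", fake_lookup).items():
        print(ip, status)
```

Call audit() with your own CIDR and the default lookup to query the real zone; a "lookup-failed" result should be retried rather than read as "not open".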
We also have an easy way for you to find out if your own local DNS resolver is open. If you have the dig command on your system, simply run:
$ dig +short amiopen.openresolvers.org TXT
If you're stuck with nslookup, try this:
$ nslookup
> set type=TXT
> amiopen.openresolvers.org
© 2014 The Measurement Factory.