Warning

The following text describes past open DNS resolver surveys and an associated DNS lookup service that has been long shut down. The text below is preserved here for historical reasons only. Measuremrent Factory has never operated an email blacklist and no longer provides a lookup service that can be abused by others for blocking emails.

If your email is being blocked, please contact the service blocking it. It is not us, even if the blocking message refers to an openresolvers domain mentioned on this page.

---

About

We have an ongoing survey that looks for open DNS resolvers. A DNS resolver is open if it provides recursive name resolution for clients outside of its administrative domain. Open DNS resolvers are a bad idea for a few reasons:

• They allow outsiders to consume resources that do not belong to them.
• Attackers may be able to poison the cache of an open resolver.
• Open resolvers are being used in widespread DDoS attacks with spoofed source addresses and large DNS reply messages.

As with open SMTP relays, open DNS resolvers are now being abused by miscreants to further pollute the Internet.

Testing Methodology

We send a DNS query to a target IP address for a name in the test.openresolvers.org domain. If our authoritative server for that domain receives the same query, the target IP address is running an open resolver.

Target IP addresses are tested no more than once every three days.

The list of target IP addresses comes from a few sources:

• Known recursive nameservers. If your recursive nameserver queries one of our authoritative nameservers, we'll test it. Please contact us (info at measurement-factory.com) if you are interested in providing a feed of target IP addresses from your own authoritative nameservers.
• Known authoritative nameservers.
• The database lookup web interface (see below).

Database Lookup

Web-based

Please see our Open Resolver Check interface. Here you may enter your own IP address (or someone else's address) for immediate testing.

You may also use our Network Query tool to see a list of open resolvers on your network.

DNS-based

You may also query our DNSBL using the dnsbl.openresolvers.org zone. For example:

    $ dig +short 2.2.2.4.dnsbl.openresolvers.org
    127.0.0.2

A response of 127.0.0.2 means that the address in question is open for recursion. An ``NXDomain'' response means that the address is either not open, or has not been probed yet.

We also have an easy way for you to find out if your own local DNS resolver is open. If you have the dig command on your system, simply run:

    $ dig +short amiopen.openresolvers.org TXT

If you're stuck with nslookup, try this:

    $ nslookup
    > set type=TXT
    > amiopen.openresolvers.org

Daily AS Number Reports

We have an archive of daily reports showing the number of open resolvers for each Autonomous System number. Here is the most recent report.

Additional Resources

• Self-Service Open Resolver Scanning from Verisign
• Open Resolver Project
• ICANN Security Advisory
• A thread on the NANOG list that discusses the attack
• Archives of the dns-operations list
• A paper describing the attack

© 2020 The Measurement Factory.