

{"id":1265,"date":"2018-07-12T20:33:16","date_gmt":"2018-07-12T20:33:16","guid":{"rendered":"https:\/\/warp.lacnic.net\/?page_id=1265"},"modified":"2020-09-15T17:48:13","modified_gmt":"2020-09-15T14:48:13","slug":"dns-open-resolvers-con-ipv6","status":"publish","type":"page","link":"https:\/\/csirt.lacnic.net\/en\/dns-open-resolvers-con-ipv6","title":{"rendered":"IPv6 DNS Open Resolvers"},"content":{"rendered":"<div id=\"wrapper-dns-open\"><input id=\"input_ip\" type=\"text\" placeholder=\"Enter IPv6 address\"><button id=\"get-data\">Test<\/button><\/div>\n<div id=\"show-data\">&nbsp;<\/div>\n<div class=\"wrapper-dns-inf\">\n<p>Together with LACNIC\u2019s R+D department, LACNIC CSIRT is carrying out the \u201cOpen DNS Resolvers with IPv6\u201d project to understand the current situation in the region, identify open resolvers, and proactively warn and recommend a possible correction to the configuration of this service.<\/p>\n<p>Open DNS Resolver servers are harmful both for the organization running the open service and for Internet security in general. This type of server is used as a vector for DDoS amplification attacks, as it allows small queries to cause much larger responses. Thus, a DNS server becomes a very powerful traffic magnifier: amplified responses can be directed to a specific IP address, which receives the entire volume of traffic and becomes unable to provide any services. In this type of attack, it is not even necessary for the attacker to control the victim\u2019s hardware.<\/p>\n<p>A recursive DNS server should only respond to queries from clients that are within its own network, rejecting any others.<\/p>\n<\/div>\n<p><a name=\"solucionarlo\"><\/a><\/p>\n<h3><i class=\"fa fa-unlock dns-open\"><\/i><br \/>\n<a id=\"incorrecto\"><\/a>How to solve this issue<\/h3>\n<p>We strongly recommend reconfiguring DNS\/Resolver servers. 
A few ways to do this are listed below:<\/p>\n<p><strong>*<\/strong> Respond only to your clients and not to queries coming from IP addresses outside your network (in BIND, this is done by defining a limited group of computers in the \u201callow-query\u201d rule). For example:<\/p>\n<div class=\"alert alert-dark\"><em>options {<br \/>\nallow-query {<br \/>\n192.168.196.0\/24;<br \/>\n2001:db8::\/32;<br \/>\nlocalhost;<br \/>\n}; \/\/ end of allow-query<br \/>\n}; \/\/ end of options<\/em><\/div>\n<p><strong>*<\/strong> Serve only domains that are part of your authoritative zone (in BIND, this is done by defining a limited set of hosts in the \u201callow-query\u201d rule for the server in general but setting \u201callow-query\u201d to \u201cany\u201d for each zone). For example:<\/p>\n<div class=\"alert alert-dark\"><em>zone \"example.com\" {<br \/>\ntype master;<br \/>\nfile \"example.com.db\";<br \/>\nallow-query {<br \/>\n192.168.196.0\/24;<br \/>\n2001:db8::\/32;<br \/>\nlocalhost;<br \/>\n}; \/\/ end of allow-query<br \/>\n}; \/\/ end of zone example.com<\/em><\/div>\n<p>In Unbound, the same behavior can be achieved by using the access-control directive in the unbound.conf file. This is what it would look like:<\/p>\n<div class=\"alert alert-dark\"><em>server:<br \/>\naccess-control: 2001:db8::\/32 allow<\/em><\/div>\n<p>In addition, if your company is an ISP, please verify the configuration of your network and be sure not to allow spoofed traffic (traffic disguised to look like it was sent by external IP addresses) to leave your network. 
Networks and devices that allow spoofed traffic (traffic with fake IP addresses) make this and other types of attacks possible.<br \/>\n<i class=\"fa fa-lock dns-close\"><\/i><i class=\"fa fa-unlock dns-open\"><\/i><br \/>\n<a name=\"identificar\"><\/a><\/p>\n<div class=\"wrapper-dns-inf\">\n<h3><a id=\"correcto\"><\/a>How to identify an Open DNS Resolver on IPv6<\/h3>\n<p>Open Resolvers or DNS servers are very easy to identify in the world of IPv4. Because the IPv4 space is quite small (2**32 addresses), it is relatively simple to run these tests against every IPv4 address.<\/p>\n<p>In the world of IPv6, it is virtually impossible to verify each IP address and run an Open Resolver test. This test might last thousands of years and would likely not be very useful once completed.<\/p>\n<p>LACNIC manages a Reverse Root Server, specifically a \u201cD\u201d root server, i.e., d.ip6-servers.arpa. Many reverse IP address lookups from the LACNIC region are done through this server. Generally speaking, this server ONLY receives queries from DNS servers. This is where the IPv6 addresses of the DNS servers that perform queries are obtained.<\/p>\n<p>Identification is achieved by querying DNS servers for a domain name. If the DNS server returns a valid response, then it is considered an Open Resolver. Conversely, if the query is refused or simply times out, the server is well configured and is not an Open Resolver.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Test &nbsp; Together with LACNIC\u2019s R+D department, LACNIC CSIRT is carrying out the \u201cOpen DNS Resolvers with IPv6\u201d project to understand the current situation in the region, identify open resolvers, and proactively warn and recommend a possible correction to the configuration of this service. 
Open DNS Resolver servers are very negative, both for the organization [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_acf_changed":false,"footnotes":""},"class_list":["post-1265","page","type-page","status-publish","hentry"],"acf":[],"yoast_head_json":{"title":"LACNIC CSIRT - IPv6 DNS Open Resolvers","description":"The main purpose of the project is to alert and recommend possible corrections for DNS Resolvers on IPv6.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/csirt.lacnic.net\/en\/dns-open-resolvers-con-ipv6","og_locale":"en_US","og_type":"article","og_title":"LACNIC CSIRT - IPv6 DNS Open Resolvers","og_description":"The main purpose of the project is to alert and recommend possible corrections for DNS Resolvers on IPv6.","og_url":"https:\/\/csirt.lacnic.net\/en\/dns-open-resolvers-con-ipv6","og_site_name":"LACNIC CSIRT","article_modified_time":"2020-09-15T14:48:13+00:00","og_image":[{"width":680,"height":330,"url":"https:\/\/csirt.lacnic.net\/wp-content\/uploads\/lacnic-csirt-2020.png","type":"image\/png"}],"twitter_card":"summary_large_image","twitter_site":"@lacnic_csirt","schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/csirt.lacnic.net\/en\/dns-open-resolvers-con-ipv6","url":"https:\/\/csirt.lacnic.net\/en\/dns-open-resolvers-con-ipv6","name":"LACNIC CSIRT - IPv6 DNS Open 
Resolvers","isPartOf":{"@id":"https:\/\/csirt.lacnic.net\/en\/#website"},"datePublished":"2018-07-12T20:33:16+00:00","dateModified":"2020-09-15T14:48:13+00:00","description":"The main purpose of the project is to alert and recommend possible corrections for DNS Resolvers on IPv6.","breadcrumb":{"@id":"https:\/\/csirt.lacnic.net\/en\/dns-open-resolvers-con-ipv6#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/csirt.lacnic.net\/en\/dns-open-resolvers-con-ipv6"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/csirt.lacnic.net\/en\/dns-open-resolvers-con-ipv6#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Portada","item":"https:\/\/csirt.lacnic.net\/en"},{"@type":"ListItem","position":2,"name":"IPv6 DNS Open Resolvers"}]},{"@type":"WebSite","@id":"https:\/\/csirt.lacnic.net\/en\/#website","url":"https:\/\/csirt.lacnic.net\/en\/","name":"LACNIC CSIRT","description":"Incident Response Center - LACNIC CSIRT","publisher":{"@id":"https:\/\/csirt.lacnic.net\/en\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/csirt.lacnic.net\/en\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/csirt.lacnic.net\/en\/#organization","name":"LACNIC CSIRT","url":"https:\/\/csirt.lacnic.net\/en\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/csirt.lacnic.net\/en\/#\/schema\/logo\/image\/","url":"https:\/\/csirt.lacnic.net\/wp-content\/uploads\/lacnic-csirt-2020.png","contentUrl":"https:\/\/csirt.lacnic.net\/wp-content\/uploads\/lacnic-csirt-2020.png","width":680,"height":330,"caption":"LACNIC 
CSIRT"},"image":{"@id":"https:\/\/csirt.lacnic.net\/en\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/lacnic_csirt"]}]}},"jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/csirt.lacnic.net\/en\/wp-json\/wp\/v2\/pages\/1265","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/csirt.lacnic.net\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/csirt.lacnic.net\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/csirt.lacnic.net\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/csirt.lacnic.net\/en\/wp-json\/wp\/v2\/comments?post=1265"}],"version-history":[{"count":0,"href":"https:\/\/csirt.lacnic.net\/en\/wp-json\/wp\/v2\/pages\/1265\/revisions"}],"wp:attachment":[{"href":"https:\/\/csirt.lacnic.net\/en\/wp-json\/wp\/v2\/media?parent=1265"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}