Close the Open DNS Resolver - even when it requires to reinvent the way to provide the old service

Recursive resolvers that are open to answering recursive DNS queries for hosts outside their own domain are recognized as a security threat to both the operator's own DNS service and the global network infrastructure. Despite several initiatives launched on the Internet, an enormous number of recursive resolvers are still open on a global scale. Apart from the usually cited causes of the slow decline, cases of open DNS resolvers that persist in spite of all efforts to resolve the problem have been identified at the University of Belgrade, in its member institutions. This talk describes one typical configuration that appears in 78% of the still-open resolvers in the NREN of Serbia. It occurs when the DNS service has been implemented in a Windows Server 2003 or 2008 environment in such a way that it is not possible to accept or reject recursive queries selectively depending on where they come from. Since legitimate recursive queries have to be handled, closing the open recursive resolver in this environment requires a profound change to how the DNS service is implemented. There are three possible solutions. The talk discusses the reasons why member institutions are slow to adopt the offered solutions and are not happy with them.


Part of session

Lightning talks
