How to Detect Open DNS Resolvers
An open DNS resolver is a DNS server that answers queries from any IP address on the internet — not just its intended clients. While convenient, open resolvers are a significant security liability and a primary tool in large-scale DDoS amplification attacks.
Why Open Resolvers Are Dangerous
DNS responses are typically 2–10× larger than the corresponding query. An attacker exploits this amplification factor as follows:
- Spoof the source IP of a DNS query so that it appears to come from the victim.
- Send that query to thousands of open resolvers.
- Each resolver sends its (larger) response to the victim.
- The victim is flooded with traffic it never requested.
This is a DNS amplification attack, a type of reflected DDoS. Queries for large record types like ANY, DNSKEY, or TXT can amplify traffic by 50–100×. The 2013 Spamhaus attack — at the time the largest DDoS in history — relied heavily on open resolvers.
Legitimate vs. Open Resolvers
Some resolvers are intentionally public: Google (8.8.8.8), Cloudflare (1.1.1.1), and Quad9 (9.9.9.9). These are hardened, rate-limited, and monitored. They do not represent a significant amplification risk because they implement response rate limiting (RRL).
An unintentionally open resolver is a misconfigured server — typically a corporate nameserver or ISP resolver — that answers external queries without rate limiting. These are the dangerous ones.
Checking Resolvers with the DNS Toolkit API
The Compare Resolvers endpoint lets you query multiple nameservers for the same domain and compare their responses. It's useful for detecting open resolvers by querying a server that should only serve internal clients:
curl -X GET "https://dns.toolkitapi.io/v1/dns/compare-resolvers?domain=example.com&resolvers=192.0.2.1,8.8.8.8" \
    -H "X-API-Key: YOUR_KEY"
If 192.0.2.1 returns a full answer for an external domain, it's behaving as an open resolver.
Testing Your Own Infrastructure
To check whether a nameserver you operate is open, test it from an external IP:
# Using dig from an external machine:
dig @YOUR_NAMESERVER_IP google.com A
# If you get a non-REFUSED answer, the resolver is open.
A properly restricted resolver should return REFUSED (RCODE 5) for recursive queries from clients outside its allowed networks. If it returns an answer instead, it's open.
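As an added example that is not part of the DNS Toolkit docs, the following Python performs the same check as the dig command above without the API: it sends a recursive A query for example.com and decides from the reply header whether the server answered recursively. The function names, the transaction id and the two constructed replies are assumptions for illustration.

```python
import socket
import struct
from dataclasses import dataclass

# Added example (not DNS Toolkit code): build a recursive A query, send it over
# UDP to a nameserver and classify the reply by RCODE, RA flag and ANCOUNT.
# classify_reply() is pure parsing, so it can be exercised offline on constructed packets.
REFUSED = 5  # RCODE 5: the reply a properly restricted resolver gives outsiders

def build_query(qname: str, txid: int = 0x1234) -> bytes:
    """DNS query for an A record with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags 0x0100 = RD
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

@dataclass
class Verdict:
    rcode: int
    recursion_available: bool
    answer_count: int
    open_resolver: bool

def classify_reply(reply: bytes, txid: int = 0x1234) -> Verdict:
    """Parse the 12-byte header: answers or RA=1 without REFUSED means recursion was served."""
    if len(reply) < 12:
        raise ValueError("truncated DNS header")
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    rcode = flags & 0x000F
    ra = bool(flags & 0x0080)
    return Verdict(rcode, ra, ancount, rcode != REFUSED and (ancount > 0 or ra))

def check_open_resolver(server: str, qname: str = "example.com", timeout: float = 3.0) -> Verdict:
    """Send the query to server:53/UDP from this host and classify what comes back."""
    query = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        reply, _ = s.recvfrom(4096)
    return classify_reply(reply)

# Constructed replies (header only, since only the header is parsed) for offline use
REFUSED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0)  # QR=1 RD=1 RCODE=5
OPEN_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)     # QR=1 RD=1 RA=1, 1 answer

if __name__ == "__main__":
    import sys
    print(check_open_resolver(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"))
```

Run it from a machine outside your allowed networks against your own nameserver; an `open_resolver=True` verdict is the condition the dig check above describes.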
Hardening a Resolver
BIND (named)
options {
    allow-recursion { 10.0.0.0/8; 192.168.0.0/16; localhost; };
    recursion yes;
};
Only allow recursion from internal RFC 1918 ranges. External queries receive REFUSED.
Unbound
server:
    access-control: 0.0.0.0/0 refuse
    access-control: 10.0.0.0/8 allow
    access-control: 192.168.0.0/16 allow
    access-control: 127.0.0.0/8 allow
Response Rate Limiting (RRL)
Even for intentionally public resolvers, enable RRL to limit how fast you'll respond to the same query from the same source:
# BIND
rate-limit {
    responses-per-second 15;
    window 5;
};
Scanning for Open Resolvers at Scale
If you manage a large IP range, you can scan for open resolvers programmatically:
import httpx
import ipaddress

API_KEY = "YOUR_KEY"
# Replace with your actual IP range
network = ipaddress.IPv4Network("192.0.2.0/24")
open_resolvers = []

for ip in network.hosts():
    try:
        resp = httpx.get(
            "https://dns.toolkitapi.io/v1/dns/compare-resolvers",
            params={"domain": "google.com", "resolvers": str(ip)},
            headers={"X-API-Key": API_KEY},
            timeout=5.0,
        )
    except httpx.HTTPError as exc:
        # A timeout or connection error for one host should not abort the whole scan
        print(f"{ip}: request failed ({exc})")
        continue
    if resp.status_code == 200:
        result = resp.json()
        for r in result.get("results", []):
            # Any answer records mean the server resolved an external domain for us
            if r.get("answer_count", 0) > 0:
                open_resolvers.append(str(ip))

print(f"Open resolvers found: {open_resolvers}")
Summary
Open DNS resolvers are a common misconfiguration that enables DDoS amplification attacks. Restrict recursion to authorised clients, enable response rate limiting, and audit your infrastructure regularly. The DNS Toolkit Compare Resolvers endpoint makes it straightforward to test any nameserver's behaviour from an external perspective.