Hacker: “Hey, can I use your domain to DDoS my competitor?” You: “Er… I don’t think so…”

Hacker: “How about to relay my spam?” You: “Of course not.”

Hacker: “I guess I won’t ask permission then…”

Did you know that your DNS server may answer queries from websites that you visit, or even from domains that you send mail to, rather than just queries about your own domain? An open DNS server, or open recursive resolver, answers queries for domains that it is not authoritative for, and does so for anyone on the Internet (rather than just clients on your local network).

Now, when DNS servers and mailservers were originally put into use, they were all open. That’s just how the Internet was way back when.

Over the years, spammers started relaying through open relays, so the best practice became not to run open relay mailservers. For quite a few years now, “best practice” has been not to have a DNS server be both authoritative and caching (doing recursive lookups). But most DNS servers are still open.

Once again, getting folks to act in their intelligent self-interest is not as easy as it might seem . . .

The problem is that there are now DDoS attacks (attacks that send lots of data to a computer, so that it becomes overloaded) that use open DNS servers, using amplification (sending small packets to a computer that then sends large packets to the victim, so the attacker can deliver far more data to the victim than it sends itself). Specifically, a UDP DNS packet is sent with a forged source IP address (the victim’s), and a query is made in a small packet (about 75 bytes) for a domain that has a very large response packet (using EDNS0, it can be 4,000 or more bytes).

The response packet then goes to the victim. The victim gets about 50 times as much data as the attacker is sending out. So with a dialup connection, they could saturate a T1 line. Or, with a broadband connection… well, you get the picture. It’s not pretty.
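To make the two points above concrete (what an open recursor looks like on the wire, and why the size ratio between a small EDNS0 query and a large response matters), here is an added Python example. It is not code from the original post; it builds a recursive query with an EDNS0 OPT record, reads the QR/RA/RCODE bits from a response header, and computes the amplification ratio from the packet sizes. The two sample responses are constructed inline so everything runs offline; the `probe()` helper is the only part that touches the network, and is meant for checking a resolver you administer.

```python
"""Offline helpers for reasoning about open recursors and DNS amplification.

Added example (not from the original post). Packet layouts follow RFC 1035
(header, question) and RFC 6891 (EDNS0 OPT pseudo-record).
"""
import socket
import struct

DNS_HEADER = struct.Struct("!HHHHHH")  # id, flags, qdcount, ancount, nscount, arcount
QTYPE_ANY = 255
TYPE_OPT = 41


def build_query(name, qtype=QTYPE_ANY, edns_bufsize=4096, txid=0x1234):
    """Build a UDP DNS query with RD=1 and an EDNS0 OPT record advertising
    a large UDP payload size. The size of the result depends on the name:
    'example.com' gives a 40-byte packet, longer names give a few bytes more."""
    header = DNS_HEADER.pack(txid, 0x0100, 1, 0, 0, 1)  # 0x0100 = RD bit set
    labels = [lbl.encode() for lbl in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(lbl)]) + lbl for lbl in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    # OPT RR: root name, TYPE=41, CLASS carries the UDP buffer size, TTL=0, RDLEN=0
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_bufsize, 0, 0)
    return header + question + opt


def parse_header(packet):
    """Decode the 12-byte DNS header into the fields a resolver check needs."""
    if len(packet) < DNS_HEADER.size:
        raise ValueError("packet shorter than a DNS header")
    txid, flags, qd, an, ns, ar = DNS_HEADER.unpack_from(packet)
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),   # 1 = response
        "rd": bool(flags & 0x0100),   # recursion desired (copied from query)
        "ra": bool(flags & 0x0080),   # recursion available
        "rcode": flags & 0x000F,      # 0 = NOERROR, 5 = REFUSED
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def is_open_recursor(response):
    """A resolver that answers a recursive query for a name it is not
    authoritative for, with RA set and NOERROR plus answer records, is open.
    A closed one typically replies REFUSED (rcode 5) with RA clear."""
    h = parse_header(response)
    return h["qr"] and h["ra"] and h["rcode"] == 0 and h["ancount"] > 0


def amplification_factor(query, response):
    """Bytes the victim receives per byte the attacker sends."""
    return len(response) / len(query)


def probe(server, name="example.com", timeout=2.0):
    """Send one query to a resolver you administer and return the raw reply."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(65535)
    return data


# Constructed sample packets (not real captures).
SAMPLE_QUERY = build_query("example.com")
# Open recursor: QR|RD|RA set, NOERROR, one answer; the 3960 zero bytes stand in
# for a large ANY answer set, giving a 4000-byte response.
SAMPLE_OPEN_RESPONSE = (DNS_HEADER.pack(0x1234, 0x8180, 1, 1, 0, 1)
                        + SAMPLE_QUERY[12:] + b"\x00" * 3960)
# Closed resolver: QR|RD set, RA clear, RCODE=5 (REFUSED), question echoed only.
SAMPLE_REFUSED_RESPONSE = (DNS_HEADER.pack(0x1234, 0x8105, 1, 0, 0, 0)
                           + SAMPLE_QUERY[12:29])

if __name__ == "__main__":
    print("query bytes:", len(SAMPLE_QUERY))
    print("open?", is_open_recursor(SAMPLE_OPEN_RESPONSE),
          "x%.0f" % amplification_factor(SAMPLE_QUERY, SAMPLE_OPEN_RESPONSE))
    print("open?", is_open_recursor(SAMPLE_REFUSED_RESPONSE))
```

The constructed open response is 4000 bytes against a 40-byte query, a 100:1 ratio; with the roughly 75-byte query the post describes, the same 4,000-byte answer gives the 50:1 figure above. The fix on the server side is the one the post names: answer recursive queries only for your own clients (BIND's `allow-recursion`, for example), and keep authoritative and caching roles on separate servers.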
