MEDIUM: DNS Open Resolvers Report

DESCRIPTION LAST UPDATED: 2023-12-08

DEFAULT SEVERITY LEVEL: MEDIUM

This report identifies DNS servers that have the potential to be used in DNS amplification attacks by malicious actors that wish to perform denial of service attacks.

The DNS servers are checked with a command equivalent to:

dig +short @[ip] dnsscan.shadowserver.org

Items that are tagged with “openresolver” indicate that the host responded to the request with the proper name and the proper IP address associated with that DNS name. Items that are tagged with “openresolver;bogusresolver” indicate that the host responded to the request with the proper name, but with an IP address that is NOT associated with that DNS name.

You can view our scan results on our Dashboard.

You can learn more on the report in our DNS Open Resolvers Report tutorial.

You can learn more on our reports in general in our Overview of Free Public Benefit Shadowserver Reports presentation, which also explains example Use Cases.

Severity levels are described here.

For more information on our scanning efforts, check out our Internet scanning summary page.
This report comes in 2 versions: IPv4 and IPv6.

Filename(s): scan_dns, scan6_dns

 

Fields

  • timestamp
    Time that the IP was probed in UTC+0
  • severity
    Severity level
  • ip
    The IP address of the device in question
  • protocol
    Protocol that the DNS response came on (usually UDP)
  • port
    Port that the DNS response came from
  • hostname
    Reverse DNS name of the device in question
  • tag
    Set to openresolver or openresolver;bogusresolver
  • dns_version
    DNS version string that is reported back when device is probed
  • asn
    ASN of where the device in question resides
  • geo
    Country where the device in question resides
  • region
    State / Province / Administrative region where the device in question resides
  • city
    City in which the device in question resides
  • min_amplification
    The approximate minimum amount of traffic amplification that you could get by querying the DNS server for an A record — this number is obtained by dividing the size of the response by the size of the query
  • naics
    North American Industry Classification System Code
  • hostname_source
    Hostname source
  • sector
    Sector the identified device belongs to

Sample

"timestamp","severity","ip","protocol","port","hostname","tag","dns_version","asn","geo","region","city","min_amplification","naics","hostname_source","sector"
"2010-02-10 00:00:00",medium,192.168.0.1,udp,53,node01.example.com,openresolver,,64512,ZZ,Region,City,1.38,0,,
"2010-02-10 00:00:01",medium,192.168.0.2,udp,53,node02.example.com,openresolver,,64512,ZZ,Region,City,1.38,0,,
"2010-02-10 00:00:02",medium,192.168.0.3,udp,53,node03.example.com,openresolver,,64512,ZZ,Region,City,1.38,0,,

Our 132 Report Types