
Self-Service Open Resolver Scan



Using the tools on this site you can scan your own address space for DNS Open Resolvers at your convenience!

What is an Open Resolver?

An Open Resolver is a DNS server which accepts queries from outside of its administrative domain and attempts to resolve the query by forwarding it to other name servers.

Are Open Resolvers bad?

Generally, yes. Open Resolvers are often used in reflection-based denial-of-service attacks. The attacker transmits DNS queries to an open resolver with a spoofed source address, so when the Open Resolver answers, its (typically much larger) response is sent to the spoofed address, the victim, rather than to the attacker.

How does the self-service scan work?

First you register with this site to receive a "token." Then you download and run a short Perl script which generates queries using the provided token. If our authoritative name servers receive queries using your token they are logged to a database. After the scan completes you log in here to view the results. Note that our authoritative name servers do not generate responses and the scanning script does not wait for responses.

Does it matter where I run the scanning script from?

Probably, yes. In most cases you want to run it from outside the network that you are scanning. Some networks might be configured to allow DNS queries from "inside." If this is the case on your network, then you should scan from an external location from which you would expect DNS queries to be blocked or refused.

Can I reuse a token?

Not really. If you reuse a token with a later scan, any new open resolver addresses will be added to the database, but the existing entries are not removed. Furthermore, if a given target address is seen to be open in repeated scans with the same token, there will be only a single entry, carrying the timestamp of the first event. One reason we cannot simply update the timestamp is that some resolvers remember the query and send multiple queries to the authoritative name server over time. In some cases this looks like cache-refreshing behavior; in other cases it is more mysterious. So if you want to "update" a previous scan, you really should use a new token.
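The following is an added illustration of the mechanism described in the two sections above (token-bearing queries logged at the authoritative side, and first-event-only entries per target); it is not the site's Perl script or database code. It assumes a hypothetical naming scheme `<token>.<target-ip-with-dashes>.scan.example`, IPv4 targets only, and a constructed three-column query log (timestamp, source address, query name).

```python
import ipaddress

# Assumed (hypothetical) scan zone; the real service's zone is not stated here.
SCAN_ZONE = "scan.example"

def probe_name(token: str, target: str) -> str:
    """Build the query name a probe sends to `target`. The target address is
    embedded because the source address the authoritative server sees belongs
    to whichever resolver relayed the query, which need not be the target."""
    ip = ipaddress.IPv4Address(target)
    return f"{token}.{str(ip).replace('.', '-')}.{SCAN_ZONE}"

def parse_probe_name(qname: str):
    """Recover (token, target_ip) from a logged query name, or None if the
    name is not one of our probes (wrong zone, wrong shape, bad address)."""
    qname = qname.rstrip(".")
    if not qname.endswith("." + SCAN_ZONE):
        return None
    parts = qname[: -len(SCAN_ZONE) - 1].split(".")
    if len(parts) != 2:
        return None
    token, label = parts
    try:
        ip = ipaddress.IPv4Address(label.replace("-", "."))
    except ValueError:
        return None
    return token, str(ip)

# Constructed sample of an authoritative server's query log (not real data):
# the third and fourth lines show a resolver re-asking later and a foreign token.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 203.0.113.7 tok123.198-51-100-5.scan.example
2024-05-01T10:00:02Z 203.0.113.7 tok123.198-51-100-9.scan.example
2024-05-01T10:30:00Z 203.0.113.7 tok123.198-51-100-5.scan.example
2024-05-01T10:31:00Z 203.0.113.7 other1.198-51-100-5.scan.example
2024-05-01T10:32:00Z 203.0.113.7 www.example.org
"""

def open_resolvers(log_text: str, token: str) -> dict:
    """Return {target_ip: first_seen} for logged queries carrying `token`.
    Repeat queries for the same target (cache refreshes and the like) keep
    the earliest timestamp, matching the single-entry behaviour described."""
    seen = {}
    for line in log_text.splitlines():
        ts, _src, qname = line.split()
        parsed = parse_probe_name(qname)
        if parsed is None or parsed[0] != token:
            continue
        seen.setdefault(parsed[1], ts)  # keep first event only
    return seen
```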