DNS amplification attacks have become pesky (see below for pointers on these kind of attacks). There’s an easy way to verify if there are nameservers on your network that allow recursive queries for the “world”
Do this from a machine outside of your network (if you’d launch it from a machine inside your network chances are high that your IP is part of an ‘allowed’ list in the NS-config, thus falsifying your results).
The tool to use is nmap. Nmap is a free and open source utility for network discovery and security auditing.
Nmap allows for the use of scripts through the Nmap Scripting Engine. On a default install these scripts (that end in .nse) are installed in
The script we need is dns-recursion.nse. A recent version is in the nmap SVN. https://svn.nmap.org/nmap/scripts/dns-recursion.nse
The source reveals that the script probes for “www.wikipedia.org”. Change the script if you’d like to differentiate the requests in your logs.
The nmap command you need is
nmap -sU -p 53 -sV -P0 –script “dns-recursion” 18.104.22.168
-sU = UDP scan
-p 53 = only scan for port 53 (the “dns”-port)
-sV = Probe open ports to determine service/version info
-P0 = Treat all hosts as online
When the nameserver allows recursion, output similar to this will be returned:
PORT STATE SERVICE VERSION
53/udp open domain ISC BIND 9.7.0-P1
|_dns-recursion: Recursion appears to be enabled
Redirect the output of nmap to a file and then use grep to look for recursion. Note: as far as I could check, the XML or Normal output of nmap lose the nse script output.
DNS amplification attack pointers:
Why having an open resolver is a bad idea: