Test for open DNS resolvers on your OpenVZ nodes

dcdan

New Member
Verified Provider
Another way to reduce the amount of network abuse on your OpenVZ VPS nodes (in addition to Nodewatch) is to scan them for recursive DNS resolvers which are often the target for DNS Amplification DoS attacks.

This script scans all OpenVZ containers on a node for open DNS resolvers:
 


Code:
#!/bin/bash
# Scan every OpenVZ container on this node for an open DNS resolver.
echo "Simple script to scan all OpenVZ containers for open DNS resolvers"
echo "For web-based testing use http://openresolver.com"
# Column 4 of `vzlist -H` is the container's IP address.
for ip in $(vzlist -H | awk '{print $4}');
do
    # The marker string only comes back if the server resolved the name for us.
    OUT=$(dig +short +tries=1 +time=2 test.openresolver.com TXT @"$ip" | grep open-resolver-detected)
    if [ -z "$OUT" ]; then
        echo "$ip is not an open resolver"
    else
        echo "$ip IS an open resolver!"
    fi
done

Quick wget command (run as root):

Code:
wget http://openresolver.com/openvz-scan.sh
chmod 0700 openvz-scan.sh
./openvz-scan.sh

Sample output:

Simple script to scan all OpenVZ containers for open DNS resolvers
For web-based testing use http://openresolver.com
10.0.0.1 is not an open resolver
10.0.0.2 IS an open resolver!
10.0.0.3 is not an open resolver
10.0.0.4 is not an open resolver

Manually test an IP address:

Code:
dig +short test.openresolver.com TXT @1.2.3.4
#Replace 1.2.3.4 with the IP address or domain name of the DNS server you are testing.
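
The same scan without the third-party test record, as an added example (not the original poster's script or openresolver.com's code): it generalizes the check by reading dig's response header for the RA flag and an answer to a recursive query, and prints only the open IPs. `PROBE_NAME` (default `example.com`), `SAMPLE_OPEN`, `classify_dig_output`, `check_ip` and `scan_node` are names assumed here, and the sample header is constructed.

```shell
#!/bin/bash
# Added example (not the original poster's script). Assumption: PROBE_NAME is a
# name that none of the containers is authoritative for.
PROBE_NAME="${PROBE_NAME:-example.com}"

# Constructed sample of a dig reply header from a server that recursed for us.
SAMPLE_OPEN=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

# Read full dig output on stdin; print open, closed or noresponse.
# open = status NOERROR, "ra" (recursion available) flag set, and >= 1 answer.
classify_dig_output() {
    awk '
        /->>HEADER<<-/ { seen = 1; if ($0 ~ /status: NOERROR/) ok = 1 }
        /^;; flags:/ {
            split($0, parts, ";")                 # parts[3] is " flags: qr rd ra"
            if ((parts[3] " ") ~ / ra /) ra = 1
            if (match($0, /ANSWER: [0-9]+/))
                answers = substr($0, RSTART + 8, RLENGTH - 8) + 0
        }
        END {
            if (!seen) print "noresponse"
            else if (ok && ra && answers > 0) print "open"
            else print "closed"
        }'
}

# Send one recursive query (dig sets RD by default) and classify the reply.
check_ip() {
    dig +tries=1 +time=2 "$PROBE_NAME" A @"$1" 2>/dev/null | classify_dig_output
}

# Print only the container IPs that answered recursively, one per line.
scan_node() {
    for ip in $(vzlist -H | awk '{print $4}'); do
        if [ "$ip" != "-" ] && [ "$(check_ip "$ip")" = "open" ]; then
            echo "$ip"
        fi
    done
}

# Run the scan only when asked, so the functions can be sourced and reused.
if [ "${1:-}" = "--scan" ]; then
    scan_node
fi
```

Run it with `--scan` as root on the node. A resolver whose ACL admits the node's own address can show as open here while refusing outside clients, so confirm any hit from an external host.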
 

blergh

New Member
Verified Provider
Nice! This might come in handy. Might wanna just list the ones running as open?
 

WebSearchingPro

VPS Peddler
Verified Provider
Nice! This might come in handy. Might wanna just list the ones running as open?
./openvz-scan.sh | grep "IS"

Edit: My only worry about that is running a large amount of automated queries against their system. 

Edit2: `yum install bind-utils` will be needed for a minimal CentOS host.
 

dcdan

New Member
Verified Provider
Do not worry about our DNS servers; should we see any considerable load at all, we will upgrade them and/or move this domain to its own NS.
 

DamienSB

Active Member
Verified Provider
echo "$ip IS an open resolver!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"

Made it slightly easier to read/find.
 