Another way to reduce the amount of network abuse on your OpenVZ VPS nodes (in addition to Nodewatch) is to scan them for recursive DNS resolvers, which are frequently abused as reflectors in DNS amplification DoS attacks.
This script scans all OpenVZ containers on a node for open DNS resolvers:
#!/bin/bash
echo "Simple script to scan all OpenVZ containers for open DNS resolvers"
echo "For web-based testing use http://openresolver.com"
# vzlist -H prints one container per line: CTID NPROC STATUS IP_ADDR HOSTNAME
for ip in $(vzlist -H | awk '{print $4}'); do
    [ "$ip" = "-" ] && continue   # container with no IP assigned
    # Ask the container's resolver for the test record; an open resolver
    # recurses and returns a TXT record containing "open-resolver-detected"
    OUT=$(dig +short +tries=1 +time=2 test.openresolver.com TXT "@$ip" | grep open-resolver-detected)
    if [ -z "$OUT" ]; then
        echo "$ip is not an open resolver"
    else
        echo "$ip IS an open resolver!"
    fi
done
Quick wget command (run as root):
wget http://openresolver.com/openvz-scan.sh
chmod 0700 openvz-scan.sh
./openvz-scan.sh
Sample output:
Simple script to scan all OpenVZ containers for open DNS resolvers
For web-based testing use http://openresolver.com
10.0.0.1 is not an open resolver
10.0.0.2 IS an open resolver!
10.0.0.3 is not an open resolver
10.0.0.4 is not an open resolver
Manually test an IP address:
dig +short test.openresolver.com TXT @1.2.3.4
# Replace 1.2.3.4 with the IP address or domain name of the DNS server you are testing.
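As an added example (not the script from the post above, and not affiliated with openresolver.com), here is a variant of the same scan that decides "open resolver" from dig's own header flags instead of from the openresolver.com TXT record. It still reuses test.openresolver.com as the probe name, but any name the container is not authoritative for would do, so the check keeps working if that service is unavailable. The sample dig outputs at the bottom are constructed so the decision logic can be exercised offline; the `--scan` argument, `PROBE_NAME` and the function names are this example's own.

```bash
#!/bin/bash
# Added example, not the original poster's script. Classifies each container's
# resolver from the full dig output (status, flags, answer count) rather than
# from a third-party TXT record.

# Any name the container is NOT authoritative for; the post's probe name is reused.
PROBE_NAME="test.openresolver.com"

# classify_dig_output <full dig output>
# Prints one of: open, closed, unreachable.
#   open        - status NOERROR, "ra" (recursion available) flag set, ANSWER > 0
#   closed      - REFUSED/SERVFAIL, or an answer served without recursion (aa only)
#   unreachable - dig timed out or got no reply at all
classify_dig_output() {
    local out="$1"
    case "$out" in
        *"connection timed out"*|*"no servers could be reached"*)
            echo unreachable; return 0 ;;
    esac
    if printf '%s\n' "$out" | grep -q 'status: NOERROR' &&
       printf '%s\n' "$out" | grep -Eq '^;; flags:.* ra[; ]' &&
       printf '%s\n' "$out" | grep -Eq 'ANSWER: [1-9]'; then
        echo open
    else
        echo closed
    fi
}

# check_container <ip>
# Sends one probe query to the container's IP and prints its classification.
check_container() {
    local ip="$1" out
    out=$(dig +tries=1 +time=2 "$PROBE_NAME" TXT "@$ip" 2>&1)
    classify_dig_output "$out"
}

# scan_node
# Reads container IPs from vzlist (4th column, as in the post's script), prints
# "<ip><TAB><verdict>" per container and returns 1 if any open resolver was found,
# so it can be run from cron and alert on a non-zero exit.
scan_node() {
    local ip verdict found=0
    command -v dig >/dev/null 2>&1 || { echo "dig is required" >&2; return 2; }
    for ip in $(vzlist -H | awk '{print $4}'); do
        [ "$ip" = "-" ] && continue   # container with no IP assigned
        verdict=$(check_container "$ip")
        printf '%s\t%s\n' "$ip" "$verdict"
        [ "$verdict" = open ] && found=1
    done
    return $found
}

# Constructed (abbreviated) dig outputs for an offline check of the classifier.
SAMPLE_OPEN=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
test.openresolver.com. 60 IN TXT "open-resolver-detected"'
SAMPLE_REFUSED=';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4243
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0'
SAMPLE_AUTH_ONLY=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4244
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0'
SAMPLE_TIMEOUT=';; connection timed out; no servers could be reached'

# Only touch the network when explicitly asked to (run as root on the node).
case "${1:-}" in
    --scan) scan_node ;;
    *) echo "usage: $0 --scan" >&2 ;;
esac
```

The authoritative-only sample is the edge case worth keeping in mind: a container running a DNS server for its own zones answers NOERROR with a record, but without the "ra" flag it is not recursing for strangers and should not be flagged. Timeouts are reported separately rather than as "not open" because a filtered port tells you nothing about the resolver configuration behind it.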