Openresolver detects Cloudflare servers as Open Recursive resolver

Hi,
openresolver.com detects Cloudflare servers as Open Recursive resolver.

Message on openresolver.com:

Open recursive resolver detected on xxxxx.ns.cloudflare.com

IP address xxxxx.ns.cloudflare.com is vulnerable to DNS Amplification attacks.

How to resolve this?

Appreciate any help on this issue.

The tool is incorrect.

1 Like

TL;DR: I would simply ignore the advice from openresolver.com, as the test is somewhat flawed, given the way it has been implemented:

Cloudflare name servers, regardless of whether it is bob.ns.cloudflare.com or john.ns.cloudflare.com, all respond to queries for domains that are hosted on the Cloudflare DNS servers.

They will even respond to cloudflare.com, even though Cloudflare uses nsX names for those.

$ dig +noall +answer cloudflare.com @bob.ns.cloudflare.com
cloudflare.com.         300     IN      A       104.16.132.229
cloudflare.com.         300     IN      A       104.16.133.229
$ dig +noall +answer cloudflare.com @john.ns.cloudflare.com
cloudflare.com.         300     IN      A       104.16.132.229
cloudflare.com.         300     IN      A       104.16.133.229
$ dig +noall +auth NS cloudflare.com @a.gtld-servers.net
cloudflare.com.         172800  IN      NS      ns3.cloudflare.com.
cloudflare.com.         172800  IN      NS      ns5.cloudflare.com.
cloudflare.com.         172800  IN      NS      ns4.cloudflare.com.
cloudflare.com.         172800  IN      NS      ns6.cloudflare.com.
cloudflare.com.         172800  IN      NS      ns7.cloudflare.com.
$ dig +noall +answer NS cloudflare.com @ns3.cloudflare.com
cloudflare.com.         86400   IN      NS      ns3.cloudflare.com.
cloudflare.com.         86400   IN      NS      ns4.cloudflare.com.
cloudflare.com.         86400   IN      NS      ns5.cloudflare.com.
cloudflare.com.         86400   IN      NS      ns6.cloudflare.com.
cloudflare.com.         86400   IN      NS      ns7.cloudflare.com.
$ dig +noall +answer NS cloudflare.com @bob.ns.cloudflare.com
cloudflare.com.         86400   IN      NS      ns3.cloudflare.com.
cloudflare.com.         86400   IN      NS      ns4.cloudflare.com.
cloudflare.com.         86400   IN      NS      ns5.cloudflare.com.
cloudflare.com.         86400   IN      NS      ns6.cloudflare.com.
cloudflare.com.         86400   IN      NS      ns7.cloudflare.com.
$ dig +noall +answer NS cloudflare.com @john.ns.cloudflare.com
cloudflare.com.         86400   IN      NS      ns3.cloudflare.com.
cloudflare.com.         86400   IN      NS      ns4.cloudflare.com.
cloudflare.com.         86400   IN      NS      ns5.cloudflare.com.
cloudflare.com.         86400   IN      NS      ns6.cloudflare.com.
cloudflare.com.         86400   IN      NS      ns7.cloudflare.com.

Since openresolver.com is hosted with Cloudflare, all *.ns.cloudflare.com name servers are literally responding to authoritative DNS queries for test.openresolver.com.

They are, however, not open, which you can test for by querying random domain names, such as google.com or facebook.com:

$ dig facebook.com @bob.ns.cloudflare.com

; <<>> DiG 9.16.37-Debian <<>> facebook.com @bob.ns.cloudflare.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 40700
$ dig google.com.com @john.ns.cloudflare.com

; <<>> DiG 9.16.37-Debian <<>> google.com.com @john.ns.cloudflare.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 10728

The openresolver.com team literally has two ways to resolve this:

  1. To be sure that a server is actually an open resolver, they should NOT be using Cloudflare DNS (or any other "third-party hosted DNS"), but set up their own name servers for the test endpoint, if they wish to continue querying test.openresolver.com.

  2. They should change to query random domain names (e.g. google.com, facebook.com, …), and preferably a minimum of two different ones each time, instead of using their own domain name.

Hope the above is useful, although there is nothing you can do (except if you are a part of the openresolver.com team).

3 Likes
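The reply above boils down to one check: a server that is merely authoritative answers REFUSED for names it does not host, while an open recursive resolver goes and fetches an answer (NOERROR, answers present, usually with the RA bit set). The script below is an added example implementing that check the way the post's second suggestion describes it, querying a server for at least two names it does not host and classifying the reply codes. It is not code from the post, from Cloudflare or from openresolver.com; it speaks raw DNS over UDP so it needs no third-party library. The probe domain list, the verdict labels and the build_reply() helper are this example's own assumptions, and the packets in the demo are constructed samples, not captured traffic.

```python
import random
import socket
import struct

RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

# Names the probed server almost certainly does not host (assumed list for this
# example; the post suggests google.com and facebook.com). The reply to these is
# what separates an authoritative-only server from an open recursive resolver.
PROBE_DOMAINS = ["google.com", "facebook.com", "wikipedia.org", "example.net"]


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname as DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("!B", len(raw)) + raw
    return out + b"\x00"


def build_query(qname: str, qid: int, rd: bool = True) -> bytes:
    """Standard A/IN query; RD=1 asks the server to recurse on our behalf."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_response(data: bytes) -> dict:
    """Header fields of a DNS reply: id, QR/RD/RA bits, RCODE and section counts."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    return {
        "id": qid,
        "qr": bool(flags & 0x8000),
        "rd": bool(flags & 0x0100),
        "ra": bool(flags & 0x0080),
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def classify(replies: list) -> str:
    """Verdict from replies to foreign names (labels are this example's own)."""
    if not replies:
        return "no-response"
    # Answer records for a name the server does not host mean it recursed (or cached).
    if any(r["rcode"] == 0 and r["ancount"] > 0 for r in replies):
        return "open-recursive"
    # REFUSED for every foreign name is the authoritative-only behaviour seen in the post.
    if all(r["rcode"] == 5 for r in replies):
        return "closed"
    return "inconclusive"


def probe_server(server_ip: str, domains=PROBE_DOMAINS, timeout: float = 3.0) -> dict:
    """Send RD=1 queries for two random non-hosted names and classify the replies."""
    picked = random.sample(domains, 2)
    replies = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        for name in picked:
            qid = random.randrange(0, 0x10000)
            sock.sendto(build_query(name, qid), (server_ip, 53))
            try:
                data, _ = sock.recvfrom(4096)
            except socket.timeout:
                continue
            parsed = parse_response(data)
            if parsed["id"] != qid or not parsed["qr"]:
                continue  # drop packets that are not a reply to our query
            parsed["qname"] = name
            replies.append(parsed)
    return {"server": server_ip, "probed": picked, "replies": replies,
            "verdict": classify(replies)}


def build_reply(qid: int, rcode: int, ra: bool, qname: str, answer_ip: str = "") -> bytes:
    """Constructed reply packet for the offline demo: echoes the question and
    optionally carries one A record, as a resolver would after recursing."""
    flags = 0x8000 | 0x0100 | (0x0080 if ra else 0) | (rcode & 0xF)
    ancount = 1 if answer_ip else 0
    header = struct.pack("!HHHHHH", qid, flags, 1, ancount, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    answer = b""
    if answer_ip:
        # Compression pointer to the question name (offset 12), TYPE A, CLASS IN, TTL, RDLENGTH 4.
        answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(answer_ip)
    return header + question + answer


if __name__ == "__main__":
    # Offline demonstration with constructed packets mirroring the post's two outcomes.
    refused = [parse_response(build_reply(1, 5, False, "facebook.com")),
               parse_response(build_reply(2, 5, False, "google.com"))]
    answered = [parse_response(build_reply(3, 0, True, "facebook.com", "203.0.113.10"))]
    print("REFUSED to foreign names ->", classify(refused))   # closed
    print("answered a foreign name  ->", classify(answered))  # open-recursive
    # Live check of one of your own name servers: probe_server("192.0.2.53")
```

Two design points follow from the post: the probe must never use a name the target hosts (so the script never queries the tester's own zone, which is exactly the flaw described above), and it uses two different names each run, so a single cached or special-cased answer does not decide the verdict. The "inconclusive" label covers servers that return NXDOMAIN or an empty NOERROR for foreign names, which is neither proof of recursion nor the clean REFUSED seen from Cloudflare.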

Thank you very much for the detailed response, definitely very helpful.

1 Like

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.