Security Analysis of DNS Open Resolvers by Continuous and Ambulatory Detection
2021
DNS open resolvers are key components of the Internet, providing recursive resolution services to all users across the Internet. Monitoring the operational profiles of open resolvers is crucial for analyzing cyber security threats. However, because there is no authentication or authorization between users and DNS servers, malicious attackers can potentially exploit this weakness. In this paper, we design an efficient long-term scanning scheme for the entire IPv4 address space, which brings approximately 1.8 million open resolvers on the network to light. By investigating the response packets, we observe that some of them work in a non-standard way. Moreover, many resolvers respond to user requests with incorrect (even malicious) information. In addition, we discover the existence of ghost resolvers, which cache domain names that have been cleared.