DESCRIPTION LAST UPDATED: 2025-10-30
DEFAULT SEVERITY LEVEL: MEDIUM
This report identifies DNS servers that have the potential to be used in DNS amplification attacks by malicious actors that wish to perform denial of service attacks.
The DNS servers are checked with a command equivalent to:
Items that are tagged with “openresolver” indicate that the host responded to the request with the proper name and the proper IP address associated with that DNS name. Items that are tagged with “openresolver;bogusresolver” indicate that the host responded to the request with the proper name, but with an IP address that is NOT associated with that DNS name.
You can view our scan results on our Dashboard.
You can learn more about the report in our DNS Open Resolvers Report tutorial.
CVE-2025-40778 tagging
On 2025-10-30, we added CVE-2025-40778 tagging to our reports. Under certain circumstances, BIND is too lenient when accepting records from answers, allowing an attacker to inject forged data into the cache. This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.39, 9.20.0 through 9.20.13, 9.21.0 through 9.21.12, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.39-S1, and 9.20.9-S1 through 9.20.13-S1. Please make sure to patch. Please note that this is a version-based scan. If you believe a result is a false positive (for example, due to backporting a patch without updating the version), please let us know. CVE-2025-40778 entries have their severity level set to CRITICAL. See also: https://kb.isc.org/docs/cve-2025-40778 (Cache poisoning attacks with unsolicited RRs).
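The following is an added example, not Shadowserver's scanner code: a version-only check of a BIND version banner against the ranges listed above, useful for triaging your own inventory. The function names and sample banners are constructed for illustration, and treating any `-S<n>` suffix like `-S1` is an assumption.

```python
import re

# Inclusive ranges copied from the report text above.
AFFECTED = [
    ((9, 11, 0), (9, 16, 50)),
    ((9, 18, 0), (9, 18, 39)),
    ((9, 20, 0), (9, 20, 13)),
    ((9, 21, 0), (9, 21, 12)),
]
# Ranges the report lists with an -S1 suffix.
AFFECTED_S = [
    ((9, 11, 3), (9, 16, 50)),
    ((9, 18, 11), (9, 18, 39)),
    ((9, 20, 9), (9, 20, 13)),
]

# First x.y.z in the banner; an immediately following -S<n> marks an -S release
# (assumption: any -S<n> is compared against the -S1 ranges).
_VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)(-S\d+)?")


def parse_bind_version(banner):
    """Return ((major, minor, patch), is_s_release), or None if no version."""
    m = _VERSION_RE.search(banner)
    if m is None:
        return None
    return tuple(int(g) for g in m.group(1, 2, 3)), m.group(4) is not None


def in_listed_range(banner):
    """True/False for membership in the listed ranges; None if unparseable."""
    parsed = parse_bind_version(banner)
    if parsed is None:
        return None
    version, is_s = parsed
    ranges = AFFECTED_S if is_s else AFFECTED
    return any(lo <= version <= hi for lo, hi in ranges)


if __name__ == "__main__":
    # Constructed sample banners, not real scan data.
    for banner in ["9.18.39", "9.18.40", "9.17.3", "9.18.11-S1",
                   "9.18.28-1-ExampleDistro", "refused"]:
        print(f"{banner!r:40} -> {in_listed_range(banner)}")
```

A distribution-suffixed banner matches on its upstream version alone, which is the backport false-positive case the report describes, so confirm the package's patch status before treating a match as final.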
You can learn more about our reports in general in our Overview of Free Public Benefit Shadowserver Reports presentation, which also explains example Use Cases.
Severity levels are described here.
For more information on our scanning efforts, check out our Internet scanning summary page.
This report comes in 2 versions: IPv4 and IPv6.
Filename(s): scan_dns, scan6_dns