DNS Open Resolvers Report

This report identifies DNS servers that have the potential to be used in DNS amplification attacks by criminals that wish to perform denial of service attacks.

The DNS servers are checked with a command equivalent to:

dig +short @[ip] dnsscan.shadowserver.org

Statistics for these servers can be found here.

Fields

timestamp

Time that the IP was probed in UTC+0
ip

The IP address of the device in question
asn

ASN of where the device in question resides
geo

Country where the device in question resides
region

State / Province / Administrative region where the device in question resides
city

City in which the device in question resides
port

Port that the DNS response came from
protocol

Protocol that the DNS response came on (usually UDP)
hostname

Reverse DNS name of the device in question
min_amplification

The approximate minimum amount of traffic amplification that you could get by querying the DNS server for an A record — this number is obtained by dividing the size of the response by the size of the query
dns_version

DNS version string that is reported back when device is probed
p0f_genre

Operating System family
p0f_detail

Operating System version

Sample

"timestamp","ip","asn","geo","region","city","port","protocol","hostname","min_amplification","dns_version","p0f_genre","p0f_detail"
"2013-10-10 00:05:10","208.70.149.107","36252","US","Illinois","Chicago","53","udp","107.149.70.208.static.ipv4.dnsptr.net","4.6190","PalmOS DNS v1.0",,
"2013-10-10 00:05:10","204.245.210.223","2914","US","Oregon","Warren","53","udp","","1.3810","",,
"2013-10-10 00:05:10","40.135.0.109","7029","US","Nebraska","Pawnee City","53","udp","h109.0.135.40.static.ip.windstream.net","1.3810","SERVFAIL",,
"2013-10-10 00:05:10","76.74.186.178","13768","CA","British Columbia","Richmond","53","udp","ns2.domainhostingservers.com","3.4762","9.2.4",,
"2013-10-10 00:05:10","31.42.105.195","51003","RU","-","-","53","udp","","1.3810","dnsmasq-2.63",,

Our 80 Report Types

« Back to Network Reporting