A quick look at open DNS resolvers
A list of open resolvers, verified on Oct 14, 2012.
2% of them are doing DNSSEC validation
60% of them are totally breaking DNSSEC by stripping records, making client-side validation impossible
1% of them are reachable using IPv6
5% of them don't support EDNS at all
6% of them won't send a response larger than 512 bytes using UDP
Open resolvers, sorted by advertised payload size.
73% of them support a payload up to 4 Kb
Some don't mind sending 16 Kb responses over UDP
- Excellent for amplification attacks
1% are redirecting nonexistent names to their own servers
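
The properties counted above (EDNS support, advertised payload size, signatures kept or stripped, validation) can all be read from a single response. The following is an added example, not code from the original page, for auditing a resolver you operate: it parses a raw DNS response offline. The function names and the sample messages are constructed for illustration, and the stripping check assumes the query set DO=1 for a name in a signed zone.

```python
import struct

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) DNS name."""
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:          # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + n
        if n == 0:                    # root label ends the name
            return off

def classify(msg):
    """Summarize the EDNS/DNSSEC properties of one raw DNS response."""
    _, flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4             # QTYPE + QCLASS
    # Without an OPT record the UDP limit is the classic 512 bytes.
    info = {"edns": False, "payload": 512, "rrsig": False, "ad": bool(flags & 0x0020)}
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen
        if rtype == 41:                           # OPT: CLASS is the advertised UDP size
            info.update(edns=True, payload=rclass)
        elif rtype == 46:                         # RRSIG present, so signatures were kept
            info["rrsig"] = True
    return info

def breaks_client_validation(info):
    return not info["rrsig"]   # assumes the query set DO=1 for a name in a signed zone

# --- constructed sample responses (not captured traffic) ---
def rr(owner, rtype, rclass, ttl, rdata):
    return owner + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata

def response(answers, additional, flags):
    question = b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    header = struct.pack("!6H", 0x1234, flags, 1, len(answers), 0, len(additional))
    return header + question + b"".join(answers) + b"".join(additional)

A = rr(b"\xc0\x0c", 1, 1, 300, bytes([192, 0, 2, 1]))
SIG = rr(b"\xc0\x0c", 46, 1, 300, b"\x00" * 24)   # placeholder RDATA, not a real signature
OPT = rr(b"\x00", 41, 4096, 0x8000, b"")          # payload 4096, DO bit set
VALIDATING = response([A, SIG], [OPT], 0x81A0)    # AD flag set
STRIPPING = response([A], [OPT], 0x8180)          # EDNS answered, signatures removed
NO_EDNS = response([A], [], 0x8180)               # no OPT record at all
if __name__ == "__main__":
    for label, msg in (("validating", VALIDATING), ("stripping", STRIPPING), ("no EDNS", NO_EDNS)):
        print(label, classify(msg), breaks_client_validation(classify(msg)))
```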