A quick look at open DNS resolvers

• A list of open resolvers, verified on Oct 14, 2012.
• 2% of them are doing DNSSEC validation
• 60% of them are totally breaking DNSSEC by stripping records, making client-side validation impossible
• 1% of them are reachable using IPv6
• 5% of them don't support EDNS at all
• 6% of them won't send a response larger than 512 bytes using UDP
• Open resolvers, sorted by advertised payload size. 73% of them support a payload up to 4 Kb
• Some don't mind sending 16 Kb responses over UDP - Excellent for amplification attacks
• 1% are redirecting nonexistent names to their own servers