ISP Reporting Open DNS Resolvers

I have a WRV210 installed at a remote client; it is set up to run a point-to-point VPN tunnel to the company office (Windows server), with another 210 at the other end.

Behind this specific unit are 2 Windows workstations (XP). The client just received the following email from AT&T:

AT&T has determined that a device using your Internet connection is configured to run an open Domain Name System (DNS) resolver. A DNS resolver was observed answering public queries at Jan 7, 2014 at 7:06 PM EST at the IP address X.X.X.X. Our records indicate that this IP address was assigned to you at this time.

Open DNS resolvers can be used for network attacks, presenting additional load on your Internet access and resulting in unreliable service.

An open DNS resolver allows users on the Internet to perform DNS requests on your server. This is considered an insecure configuration and in the majority of cases, Internet subscribers should not operate an open DNS resolver. The open DNS resolver may be present due to a default operating system installation or system configuration issue. In some cases, network devices such as home wireless routers have flaws that expose DNS service to the Internet.

To address this problem we ask that you take the following actions. If your computer(s) are managed by an Information Technology (IT) group at your place of work, please pass this information on to them.

  1. If you use a wireless network, ensure that your wireless router is password-protected and using WPA or WPA2 encryption (use WEP only if WPA is not available). In addition, ensure that the router is not configured to provide open DNS services (consult the manual for your specific hardware). Check the connections to the router and ensure that you recognize all connected devices.
  2. If your environment requires you to run an open DNS resolver, please limit access via an ACL, rate limiting, or another method to minimize abuse of your server. Visit http://www.team-cymru.org/Services/Resolvers/instructions.html for additional technical information on preventing abuse.

Thank you for your prompt attention to this matter. We welcome your feedback and questions on this matter. Please contact us at abuse@att.net with any questions you may have.

I have no port forwarding set up, nor do I have any port triggering. The workstation is not set up in the DMZ; the inside network is set up as 192.168.1.x.

Can anyone point me in the right direction to resolve this?

Thank you.

8 REPLIES

Make sure you have the latest firmware. I ran across the same issue and validated that the router was indeed responding to external DNS queries. Unfortunately, when I began a firmware update remotely, a user at the site decided that was a good time to unplug the router and it was not in an operational or recoverable state afterwards. I ended up replacing it with a WRVN4400N with the latest firmware that did not exhibit the same issues. I am testing some of our other deployed units and may be able to verify the latest firmware as a fix later if I have any of these things out there still that haven't been updated since 2011.


We got the same exact message as Mr. Barwig except our router is an RV042G which is not a wireless router.  We will try the firmware update and see if that works.  How do you check to see if your router is responding to external DNS queries?
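One way to answer the question above, as an added example that is not part of the original thread: a small Python probe that sends a recursive A query to a given address and classifies the reply from the DNS header flags (RA bit and RCODE). The hostname `example.com` and the transaction id are arbitrary constructed values.

```python
import socket
import struct

RA_FLAG = 0x0080     # Recursion Available bit in the DNS flags word
RCODE_MASK = 0x000F  # low four bits of the flags word


def build_query(name, txid=0x1234):
    """Build a standard recursive (RD=1) A query for `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode()
                     for label in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN


def classify_response(query, data):
    """Classify a raw DNS reply to `query` from its header alone.

    'open'         -> server recursed (RA set) and returned answers
    'refused'      -> RCODE 5, recursion denied (the desired result)
    'no-recursion' -> replied but RA not set
    'mismatch'     -> transaction id does not match our query
    """
    if len(data) < 12:
        return "malformed"
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if txid != struct.unpack("!H", query[:2])[0]:
        return "mismatch"
    rcode = flags & RCODE_MASK
    if rcode == 5:
        return "refused"
    if not (flags & RA_FLAG):
        return "no-recursion"
    if rcode == 0 and an > 0:
        return "open"
    return f"rcode={rcode}"


def probe(ip, name="example.com", timeout=3.0):
    """Send the query to ip:53 over UDP and classify the reply, or 'timeout'."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (ip, 53))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return "timeout"
    return classify_response(q, data)
```

Run `probe("<your WAN IP>")` from a host outside your own network (testing from the LAN side only shows whether the resolver answers internally, which is expected); a result of `refused`, `no-recursion` or `timeout` means the router is not recursing for the Internet.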


I have updated the firmware from 2.0.1.11 to 2.0.1.5; I will wait to see if this resolves the issue.


My brother uses the Cisco WRV210 for his home wireless network and he has the same issue. He received the below warning from his ISP. The ISP provided this link http://www.thinkbroadband.com/tools/dnscheck.html to run a DNS check for this issue. I have reset the router to factory settings and upgraded the firmware, but it did not resolve the issue. I have checked that all of his devices are clean of viruses and malware to the best of my ability. Even my own laptop, which is fine with my own home network, reports this DNS resolver issue when I run the dnscheck while connected to the WRV210. This issue is beyond my knowledge and expertise. His ISP has terminated his service twice already as a warning, each time having to demand to have it restored. As a result I reinstalled my brother's 10-year-old D-Link router and although it is noticeably slower, it does not exhibit this problem.

Any assistance is greatly appreciated!

Please be advised that we have received a report that your provisioned IP address is operating as an Open DNS server permitting unrestricted Recursive DNS Queries from anywhere on the Internet.

Open recursive DNS resolvers have been used to generate an increasing number of extremely large reflective DDoS attacks, without needing a large number of infected hosts to launch the attacks.

Additional risks of open recursive resolvers include resource consumption by outside users without your consent, and, perhaps possible cache poisoning from outside entities.

More information on the problems associated with Open DNS Recursion, and assistance in remediating this threat, can be obtained from the site below.

http://www.us-cert.gov/reading_room/DNS-recursion033006.pdf

If you are not running a DNS server and are using a home gateway or router, it may be possible the router is running a DNS server. Usually, the DNS server should only be accessible to the computers inside your home; however, if configured incorrectly, it may make the DNS server accessible to the entire Internet. If you suspect your router may be the cause of this activity, we suggest contacting your router manufacturer's support desk for assistance in reconfiguring your router.

Please note that each end user is responsible for the security of their computer system while connected to the network and thus is ultimately responsible for network abuse that is conducted through such configurations. Failure to take the appropriate measures to prevent network abuse through your internet account may result in a service interruption / account termination.


David,

I recommend that you contact AT&T as Scott did. This looks like a phishing scheme or a way to install a virus through the referenced web link in the emails.

If the ISP did not send the email, please reply here and let us know if this is a hoax.

- Marty


Marty

We did contact the ISP (not AT&T) and they confirmed that they did in fact send the email regarding this issue. In fact, they suspended the internet service twice, which we demanded to have restored.

This was not a hoax. 

David


David,

Sorry, I missed that part of your post. Does your brother have a dynamic or static WAN IP?

Is he using the ISP DNS servers?

I will try to find out if this is a known issue internally and if there is any workaround. Since the WRV200/210 routers are end of life it is unlikely that we will see a new firmware unless this is considered a major security breach.

Anyone else seeing this issue, even with a different router?

- Marty


Marty,

The router is set up with a dynamic IP address. My brother is not using DNS servers. I set up the router for his family to use just for home wireless internet access only.

David