
How do I disable open DNS resolvers?

Open DNS resolvers are DNS servers that answer recursive queries from any IP address on the internet. Because a small UDP query (a few dozen bytes) can produce a much larger response, and because UDP does not verify who sent a packet, they can be abused for "amplification attacks": an attacker sends your resolver a stream of queries whose source address is forged to that of a victim, and your resolver sends the much larger responses to the victim. In this way your resolver becomes a reflector in a (D)DoS attack on the spoofed IP address, while the flood appears to come from your server.

That is why you should always disable recursion on a publicly reachable DNS server, or allow it only for specific IPs and servers, for example those on your private network. A server that only hosts zones (an authoritative server) does not need recursion at all: it only has to answer questions about the domains it hosts. You can disable the open DNS resolver as follows:


Windows Server

Alternatively, instead of the instructions below, you can restrict who may reach the DNS service at all. In Windows Firewall with Advanced Security, open the inbound rules 'DNS (TCP, Incoming)' and 'DNS (UDP, Incoming)', go to Scope > Remote IP addresses and allow only 127.0.0.1, the IP of your VPS and the IPs on your private network. Keep in mind that this also stops the rest of the internet from querying the domains you host on this server, so only use the firewall approach if the server does not have to act as a public name server.

Step 1

Log in to your server and click 'DNS' in Server Manager. Then right-click the name of your VPS and click 'DNS Manager'.

(Screenshot: Server Manager > DNS > DNS Manager)

Step 2

DNS Manager opens. In the left pane, first select the name of your VPS with a left click, then right-click it and choose 'Properties' (right-clicking the name without selecting it first does not open the menu).

(Screenshot: DNS Manager > Properties)

Step 3

Click the 'Advanced' tab (see the screenshot in step 4).

Step 4

Under 'Server options', check 'Disable recursion (also disables forwarders)' and click 'Apply'.

(Screenshot: DNS Manager > Properties > Advanced > Disable recursion)

Your VPS no longer acts as an open DNS resolver: it still answers queries for the zones it hosts, but refuses to look up other domains on behalf of clients. The same setting can be inspected and changed from PowerShell with the DnsServer module's Get-DnsServerRecursion and Set-DnsServerRecursion cmdlets, which is useful if you manage several servers.


Linux

BIND is the most commonly used DNS server on Linux; if you use a different DNS server, consult its documentation. In BIND you disable the open resolver by adding the following lines (as root) to the options section of /etc/named.conf. On Debian and Ubuntu the options block lives in /etc/bind/named.conf.options instead of /etc/named.conf; use that path in the steps below.

Step 1

First open the configuration file (on Debian/Ubuntu: /etc/bind/named.conf.options):

nano /etc/named.conf

Step 2

Inside the options { ... }; block, add the lines:

allow-transfer { none; };   // no zone transfers (AXFR/IXFR) to anyone
allow-recursion { none; };  // no recursive lookups for anyone
recursion no;               // authoritative-only: answer just for the zones you host

Save the changes and close the file (Ctrl+X > Y > Enter).

If some hosts, for example those on your private network, do need to use this server as a resolver, keep recursion switched on and replace none in allow-recursion with the addresses or networks that may use it; with recursion no the allow-recursion list is never consulted, because recursion is off for everyone.

Step 3

Run named-checkconf first to catch syntax errors (a broken configuration would make the reload fail and could leave the service down), then reload the service so the change takes effect:

Ubuntu / Debian

service bind9 reload

CentOS

service named reload

On systemd-based releases the equivalent is systemctl reload bind9 or systemctl reload named (recent Debian and Ubuntu releases name the unit named, with bind9 kept as an alias). Afterwards, verify from a machine outside your private network, for example with dig, that a query for a domain you do not host is answered with status REFUSED rather than with records.

 

Should you have any questions left regarding this article, do not hesitate to contact our support department. You can reach them via the 'Contact Us' button at the bottom of this page.

If you want to discuss this article with other users, please leave a message under 'Comments'.


Comments


0
Matthijs van Beek Admin March 17, 2023 (#9667)

@taub,

An excellent question! First of all, it's important to realize that recursion allows a person to look up the DNS records for a domain that's NOT hosted on your server: recursion forwards the request to the server that does hold the DNS information for the specific domain. So if all that's needed is that the records can be resolved for the domain that you're hosting on your server then it's perfectly safe to disable recursion.

Recursion isn't something we allow on our network, but... if you do want an open DNS resolver and are hosting that somewhere else, then to secure it you could consider using rate limiting. By adding the following to your /etc/named.conf configuration you would implement a rate limit that would allow a random IP to query your server 1 time per second, while whitelisting the mentioned IP ranges to allow them to query as often as they'd like.

rate-limit {
    responses-per-second 1;                 // identical responses per second, per client /24 by default
    exempt-clients { 123.123.123.0/24; };   // network address, not a host address; never limited
};

Please note that rate limiting may mean that there'll most likely be a performance loss for using resources hosted on your server such as a website. You'll need to experiment a bit with these settings to find a balance between security and performance that works for you.
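As an added illustration of what the two settings in the comment above do (this is not BIND's code and not part of the comment), here is a simplified model of response rate limiting: a per-client budget of responses per second, counted per /24 as BIND does by default (ipv4-prefix-length 24), with the exempt networks never limited. Real RRL also keeps a credit window, "slips" truncated replies so legitimate clients retry over TCP, and keeps separate buckets per response type; those are left out. The query traffic is constructed: a spoofed flood "from" a victim, a whitelisted client, and one ordinary client.

```python
"""Simplified model of BIND response rate limiting (responses-per-second
plus exempt-clients). Illustration only; BIND's RRL is more elaborate."""
import ipaddress
from collections import defaultdict


class ResponseRateLimiter:
    def __init__(self, responses_per_second, exempt_clients=(), prefix_length=24):
        self.limit = responses_per_second
        self.exempt = [ipaddress.ip_network(n, strict=False) for n in exempt_clients]
        self.prefix_length = prefix_length
        # (client prefix, whole second) -> responses already sent in that second
        self.sent = defaultdict(int)

    def allow(self, client_ip, timestamp):
        """Return True if a response to client_ip at `timestamp` may be sent."""
        addr = ipaddress.ip_address(client_ip)
        if any(addr in net for net in self.exempt):
            return True                       # whitelisted: never limited
        prefix = ipaddress.ip_network(f"{addr}/{self.prefix_length}", strict=False)
        key = (str(prefix), int(timestamp))
        if self.sent[key] >= self.limit:
            return False                      # over budget: drop this response
        self.sent[key] += 1
        return True


def simulate(limiter, queries):
    """Feed (timestamp, client_ip) pairs through the limiter.

    Returns a dict client_ip -> (answered, dropped)."""
    outcome = defaultdict(lambda: [0, 0])
    for ts, client in queries:
        outcome[client][0 if limiter.allow(client, ts) else 1] += 1
    return {client: tuple(v) for client, v in outcome.items()}


# Constructed sample traffic (documentation addresses, not real hosts):
# 10 spoofed queries within one second "from" a victim, three from a client
# in the whitelisted network, and two from an ordinary client in two seconds.
SAMPLE_QUERIES = (
    [(t / 10, "198.51.100.7") for t in range(10)]
    + [(0.1, "123.123.123.50"), (0.2, "123.123.123.50"), (0.3, "123.123.123.50")]
    + [(0.2, "203.0.113.9"), (1.3, "203.0.113.9")]
)


def demo():
    """Apply the settings from the comment: 1 response/s, 123.123.123.0/24 exempt."""
    limiter = ResponseRateLimiter(responses_per_second=1,
                                  exempt_clients=["123.123.123.0/24"])
    return simulate(limiter, SAMPLE_QUERIES)


if __name__ == "__main__":
    for client, (answered, dropped) in demo().items():
        print(f"{client:16} answered={answered} dropped={dropped}")
```

The victim address gets one response out of ten, which is what takes the amplification out of a reflection attack; the whitelisted client is answered every time; the ordinary client stays under the limit and notices nothing. Note that the budget is shared by the whole /24, so a busy legitimate network that is not exempted will see drops, which is the performance trade-off mentioned in the comment.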

0
taub November 11, 2022 (#9080)

But what if I WANT to host an open DNS. How can I secure it?