Close an Open DNS

The terms Open and Closed are now used to describe DNS servers in the following sense:
  • Open DNS - a DNS server that accepts recursive queries from external locations. Essentially anyone, anywhere can use your DNS server to handle recursive queries, for genuine or malicious reasons;
  • Closed DNS - a DNS server that accepts recursive queries only from an identified (and hopefully trusted) set of clients.
What used to be a friendly and neighbourly action, running an Open DNS, may now be - inadvertently - placing yourself and others at risk for three major reasons:
  • DoS Attacks - by sending random domain queries to your DNS server, malicious users can make it extremely busy and clog up the Internet with useless traffic;
  • DoS Amplification Attacks - by sending queries for specific domains, malicious users can make your DNS server part of (and amplify the effect of) a wider DoS attack on a particular site;
  • Cache Poisoning - by sending specific queries, malicious users can dictate or control the queries that leave your site and thus attempt to inject spoofed, malicious responses into your cache.
Use as many of the techniques described here as are appropriate to your installation.
  • Block incoming DNS (port 53) queries from outside your network with a firewall if the server is a caching-only or forwarding-only DNS server;
  • If you run an authoritative only server you should already be preventing recursion by using the following line in a global options clause:
    # inhibit all recursion
    recursion no;
  • BIND 9.4 introduced a new statement, allow-query-cache, in an attempt to limit the number of (perhaps inadvertent) Open DNS resolvers. allow-query-cache defaults to the same value as allow-recursion. Be aware: it is permitted to define both allow-recursion and allow-query-cache statements. Avoid this like the plague. Use one or the other if you want to retain your sanity;
  • Since BIND 9.4, in configurations where recursion yes; is present (or defaulted) and no limits are placed on recursion, allow-query-cache {localnets; localhost;}; is the default. The effect is to permit recursive queries only from the server's own host (localhost) and from hosts on its directly connected LANs (localnets);
  • BIND 9.4 also introduced a new set of statements: allow-query-on, allow-recursion-on and allow-query-cache-on. In all cases the -on variants apply the limit according to the server interface (address) on which the query arrived, which may greatly simplify query limit definitions on multi-homed servers.
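As an added illustration (not part of the original article), the following named.conf fragments show an inadvertently Open DNS options clause beside a Closed one built with the statements described above; 192.0.2.0/24 and 192.0.2.1 are assumed placeholders for your trusted LAN and the server's inward-facing interface.

```conf
// --- BEFORE: an Open DNS resolver (the configuration to avoid) ---
// recursion is on and the recursion limit is left wide open,
// so anyone on the Internet can use this server's cache.
options {
    recursion yes;
    allow-query { any; };
    allow-recursion { any; };          // this line makes the server Open
};

// --- AFTER: a Closed caching resolver (BIND 9.4 or later) ---
// placeholder: replace 192.0.2.0/24 with your own trusted network(s)
acl "trusted" {
    localhost;
    localnets;
    192.0.2.0/24;
};

options {
    recursion yes;
    allow-query { trusted; };
    // Use allow-query-cache OR allow-recursion, never both;
    // allow-query-cache defaults to the allow-recursion value anyway.
    allow-query-cache { trusted; };
    // On a multi-homed server the -on form limits by the interface the
    // query arrived on instead (placeholder address shown):
    // allow-query-cache-on { 192.0.2.1; };
};

// --- Authoritative-only server: no recursion at all ---
options {
    recursion no;                      // inhibit all recursion
    allow-query { any; };              // anyone may still query your zones
};
```

Only one options clause belongs in a real named.conf; pick the one that matches the server's role and run named-checkconf on the file before reloading BIND.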
