HowTo - Disable open DNS resolvers?

An open DNS resolver is a DNS server that resolves recursive DNS queries from anybody on the internet. This article will tell you how to disable open DNS resolvers for Windows and/or Linux. 

 

Open DNS resolvers and DDoS attacks

Running an open (UDP) service is not wrong in itself. Unfortunately, hackers have also found this feature valuable for a particular type of DDoS attack called an 'amplification attack': small queries sent with a forged (spoofed) source address make the resolver send its much larger responses to the victim.

 

Disable open DNS resolvers: recommended action 

Do you want to disable DNS resolvers? Either reconfigure your DNS server to only allow DNS queries from trusted sources, or disable the service completely if you do not actually use it.

 

Solving DNS recursion in Windows Server

Are you a Windows user? It's advisable to test your domain first with intoDNS.

  1. Once you are logged into the server you will need to open the 'DNS manager'.

  2. Right-click on the preferred DNS server and select 'Properties'.

  3. Select the 'Advanced' tab.

  4. Check the 'Disable recursion' box in 'Server options' and click OK.

  5. The open DNS resolver on this DNS server is now disabled.

 

Solving DNS recursion in Linux

If you need the DNS resolver, we politely ask you to only allow access from your own trusted sources. This can be accomplished by creating a firewall rule, which allows traffic to port 53/udp from your particular IP addresses/network.

 

How to check the port?

You can block port 53/udp in your firewall. To see whether your server is still exposed, use the following command to check whether the port is open or closed:

$ sudo nmap -sU -p 53 --script=dns-recursion IP
PORT STATE SERVICE
53/udp open|filtered domain

 

How to close it?

Debian:

$ sudo ufw deny 53

 

CentOS:

$ sudo firewall-cmd --zone=public --permanent --remove-port=53/udp
$ sudo firewall-cmd --reload

 

IP tables:

iptables -A INPUT -p udp -s xxxx.xxxx.xxxx.xxxx/24 --dport 53 -d xxxx.xxxx.xxx.xxxx -j ACCEPT

(The -s is the trusted source network, -d stands for destination, so this is where you fill in your DNS server's IP, and -j ACCEPT is the target, without which the rule only counts packets. This rule alone only permits the trusted range; other sources are still accepted unless the INPUT chain's default policy is DROP or a later rule drops 53/udp.)

 

If you are using BIND (named) as an authoritative name server, it should not allow recursion. Add the following lines to /etc/named.conf; if the file already contains an options block, put the two directives inside it, since named accepts only one options block:

options {
allow-query-cache { none; };
recursion no;
};

 

Finally, when everything is configured you can restart the service and test if it runs by issuing the following command:

dig example.com @your_dns_ip +short 

 

If you don't receive an answer (or dig reports status REFUSED), you know that recursive DNS is blocked for untrusted sources. Run the same query from one of your trusted addresses to confirm that it still works for them.
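As an added example (not part of this article), the dig test above can be automated: the script below builds a DNS query with the recursion-desired (RD) bit set, sends it to your server for a name the server is not authoritative for, and reports whether the reply carries the recursion-available (RA) bit together with a real answer, which is what an open resolver returns. The server address is a placeholder you supply on the command line; example.com is the constructed test name.

```python
import socket
import struct

# Constructed example: query example.com, a name your own server is not
# authoritative for, so a real answer can only come from recursion.
TEST_NAME = "example.com"

def build_query(name, txid=0x1234):
    """Build a minimal DNS A query with the RD (recursion desired) bit set."""
    flags = 0x0100                       # QR=0, opcode=0, RD=1
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN

def classify_response(resp):
    """Inspect the reply header: RA set + NOERROR + answers means open resolver."""
    if len(resp) < 12:
        return {"ra": False, "rcode": None, "answers": 0, "open_resolver": False}
    _txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    ra = bool(flags & 0x0080)            # RA bit: server offers recursion
    rcode = flags & 0x000F               # 0 = NOERROR, 5 = REFUSED
    return {"ra": ra, "rcode": rcode, "answers": ancount,
            "open_resolver": ra and rcode == 0 and ancount > 0}

def check_server(server_ip, name=TEST_NAME, timeout=3.0):
    """Send the query over UDP/53 and classify the reply; a timeout means the
    port is filtered (the firewall fix above) rather than an open resolver."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (server_ip, 53))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return {"ra": False, "rcode": None, "answers": 0,
                    "open_resolver": False, "timeout": True}
    return classify_response(data)

if __name__ == "__main__":
    import sys
    result = check_server(sys.argv[1])   # usage: python3 check_resolver.py <your_dns_ip>
    print("open resolver" if result["open_resolver"] else "recursion not offered", result)
```

A REFUSED reply (rcode 5) or a reply without the RA bit means recursion is disabled for the address you test from; a timeout means the firewall rule is blocking the port.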

 

 
