An open DNS resolver is a DNS server that resolves recursive DNS queries from anybody on the internet. This article will tell you how to disable open DNS resolvers for Windows and/or Linux.
Open DNS resolvers and DDoS attacks
Running an open (UDP) service is not wrong on its own. Unfortunately, attackers have found open resolvers valuable for a particular type of DDoS attack called an 'amplification attack': they send small DNS queries with a spoofed source address, and the resolver sends its much larger answers to the victim, so the victim receives many times the traffic the attacker had to send.
Disable open DNS resolvers: recommended action
Do you want to disable DNS resolvers? Either reconfigure your DNS server to only allow DNS queries from trusted sources, or disable the service completely if you do not actually use it.
Solving DNS recursion in Windows Server
Are you a Windows user? It's advisable to test your domain first with intoDNS.
- Once you are logged into the server you will need to open the 'DNS manager'.
- Right-click on the preferred DNS server and select 'Properties'.
- Select the 'Advanced' tab.
- Check the 'Disable recursion' box in 'Server options' and click OK. (The box is labelled 'Disable recursion (also disables forwarders)', so do not use it on a server that must still forward queries for its own clients.)
- The open DNS resolver on this DNS server is now disabled.
Solving DNS recursion in Linux
If you need the DNS resolver, we politely ask you to only allow access from your own trusted sources. This can be accomplished by creating a firewall rule that allows traffic to port 53/udp only from your own IP addresses/network. Keep in mind that DNS also answers on 53/tcp, so apply the same restriction to TCP, and preferably also restrict recursion in the DNS server's own configuration (see the BIND section below) rather than relying on the firewall alone.
How to check the port?
You can block port 53/udp in your firewall. To see if your server is still vulnerable, use the following command from a host outside your trusted network. The dns-recursion script sends a query with the 'recursion desired' bit set and reports whether the server answers it; the port state alone is not enough, because UDP scans report 'open|filtered' whether or not the service is reachable:
$ sudo nmap -sU -p 53 --script=dns-recursion IP
PORT STATE SERVICE VERSION
53/udp open|filtered upnp
The server is an open resolver if the script output reports that recursion is available; the SERVICE column is only nmap's guess and can be ignored.
How to close it?
Debian (ufw):
$ sudo ufw deny 53
Note that this blocks both 53/udp and 53/tcp for everybody, including your own clients; if some clients still need the resolver, add an allow rule for their network before this deny rule.
CentOS (firewalld):
$ sudo firewall-cmd --zone=public --permanent --remove-port=53/udp
$ sudo firewall-cmd --reload
--remove-port only takes effect if the port was opened with --add-port; if it was opened as the 'dns' service instead, remove that service from the zone in the same way.
iptables:
iptables -A INPUT -p udp -s TRUSTED_NETWORK/24 --dport 53 -d YOUR_DNS_SERVER_IP -j ACCEPT
iptables -A INPUT -p udp --dport 53 -d YOUR_DNS_SERVER_IP -j DROP
(The -s is the source network you trust and -d stands for destination, so this is where you ideally would like to fill in your DNS server's IP. The first rule accepts queries from the trusted network, the second drops everything else; without the DROP rule the ACCEPT rule restricts nothing. Replace TRUSTED_NETWORK and YOUR_DNS_SERVER_IP with your own values, and use iptables-save or your distribution's persistence mechanism so the rules survive a reboot.)
If you are using BIND (named) as an authoritative name server, it should not allow recursion. Add the following lines to the bottom of /etc/named.conf. If the file already contains an options block (it normally does, and named accepts only one, so on Debian-based systems look in /etc/bind/named.conf.options), put the two directives inside that existing block instead of adding a second one, and run named-checkconf before restarting:
options {
allow-query-cache { none; };
recursion no;
};
Finally, when everything is configured you can restart the service and test it by issuing the following command from a host outside your trusted network, using a domain the server is not authoritative for:
dig example.com @your_dns_ip +short
If you don't receive a response/answer you know that recursive DNS is blocked for all untrusted sources. A firewall block shows up as a timeout, while BIND with recursion disabled replies with status REFUSED (visible when you run the same dig command without +short); either result means the server is no longer an open resolver.
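As an added example (not part of the original article), the same check that the nmap and dig commands above perform, done by hand: a small Python script that sends one UDP query with the 'recursion desired' bit set and classifies the reply by its 'recursion available' bit and RCODE. The sample replies are constructed, and example.com is simply assumed to be a name the server under test is not authoritative for.

```python
import socket
import struct

# Constructed 12-byte DNS headers (not real captures) for offline use:
# ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT.
SAMPLE_OPEN = bytes.fromhex("1234 8180 0001 0001 0000 0000")     # QR,RD,RA set, NOERROR, 1 answer
SAMPLE_REFUSED = bytes.fromhex("1234 8185 0001 0000 0000 0000")  # RCODE 5 = REFUSED

def build_query(name, txid=0x1234):
    """Build a minimal A/IN query with the RD (recursion desired) bit set."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def classify_response(raw):
    """'open' = the server recursed for us, 'refused' = recursion declined, else 'other'."""
    if len(raw) < 12:
        return "malformed"
    _id, flags, _qd, ancount, _ns, _ar = struct.unpack(">HHHHHH", raw[:12])
    ra = bool(flags & 0x0080)  # Recursion Available bit
    rcode = flags & 0x000F     # 0 = NOERROR, 5 = REFUSED
    if rcode == 5:
        return "refused"
    if ra and rcode == 0 and ancount > 0:
        return "open"
    return "other"  # e.g. RA clear: an authoritative-only answer or referral

def probe(server_ip, name="example.com", timeout=3.0):
    """Query server_ip:53/udp once; 'timeout' means the port is filtered or the service is down."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server_ip, 53))
        try:
            raw, _ = s.recvfrom(512)
        except socket.timeout:
            return "timeout"
    return classify_response(raw)

if __name__ == "__main__":
    # Offline demonstration on the constructed replies; call probe("your_dns_ip") for a live check.
    print("constructed open-resolver reply ->", classify_response(SAMPLE_OPEN))     # open
    print("constructed refused reply       ->", classify_response(SAMPLE_REFUSED))  # refused
```

Run probe() from outside your trusted network; a result of 'refused', 'other' or 'timeout' means untrusted clients can no longer use the server as a recursive resolver.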