An Open DNS Resolver is a server that accepts recursive DNS queries from anyone on the internet. While this sounds helpful, it is extremely dangerous.
Hackers abuse open resolvers to launch massive DDoS attacks. They send a tiny request to your server (spoofing the victim's IP), and your server replies with a huge response to the victim.
If your server is detected as an open resolver, Tilaa may be forced to suspend your network access to protect our infrastructure.
1. Testing for Vulnerability
To check if your server allows open recursion, run this command from a remote computer (replace 1.2.3.4 with your VPS IP):
nmap -sU -p 53 --script=dns-recursion 1.2.3.4
If the output says "Recursion: enabled", you must take action immediately.
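The following Python script is an added example (not part of Tilaa's article) that performs the same check as the nmap script above: it sends one query with the RD bit set and reads the RA flag and RCODE from the reply, so you can confirm a fix on your own VPS. The two sample replies and the 192.0.2.1 address are constructed for the offline checks, not captured from a real server.

```python
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def encode_name(qname):
    """Encode a dotted hostname as DNS wire-format labels."""
    labels = qname.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(qname, txid=0x1234):
    """Build an A query with RD (recursion desired) set, as nmap's dns-recursion does."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def classify_response(resp, expected_txid=None):
    """Inspect the 12-byte header: RA flag, RCODE and answer count."""
    if len(resp) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack(">HHHHHH", resp[:12])
    if expected_txid is not None and txid != expected_txid:
        raise ValueError("transaction id mismatch")
    ra = bool(flags & 0x0080)
    rcode = flags & 0x000F
    return {
        "ra": ra,
        "rcode": RCODES.get(rcode, str(rcode)),
        "answers": ancount,
        # A server that sets RA and answers NOERROR recursed on our behalf.
        "open_resolver": ra and rcode == 0,
    }

def check_server(ip, qname="example.com", timeout=3.0):
    """Send one recursive query to ip:53/udp and classify the reply."""
    query = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (ip, 53))
        data, _ = sock.recvfrom(4096)
    return classify_response(data, expected_txid=0x1234)

# Constructed sample replies (not captured from a real server).
_QUESTION = encode_name("example.com") + struct.pack(">HH", 1, 1)
# Open resolver: flags 0x8180 = QR, RD, RA; NOERROR; one A record (192.0.2.1).
OPEN_REPLY = (struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + _QUESTION
              + b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 3600, 4) + bytes([192, 0, 2, 1]))
# Hardened BIND (recursion no): flags 0x8105 = QR, RD, RCODE=REFUSED, no RA.
REFUSED_REPLY = struct.pack(">HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0) + _QUESTION
```

Run `check_server("1.2.3.4")` against your own VPS IP; a correctly hardened authoritative server answers a name it does not host with REFUSED and no RA flag, like REFUSED_REPLY.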
2. Windows Server Fix
On Windows DNS Server, you need to disable recursion to ensure the server only answers for domains it explicitly hosts.
- Open the DNS Manager.
- Right-click on your DNS server name and select Properties.
- Go to the Advanced tab.
- Check the box Disable recursion (also disables forwarders).
- Click OK.
3. Linux Fix (BIND / Named)
Most Linux servers run BIND (process name: named). You must edit the configuration to deny recursion from external IPs.
If you use this server to host your own domain names (authoritative DNS), you must keep port 53 open. Instead of blocking the port, configure the software correctly as described below.
1. Open your BIND configuration file (usually /etc/named.conf or /etc/bind/named.conf.options).
2. Find the existing options { ... }; block and edit it. Do not create a second options block.
3. Add or modify these lines inside the options block:
options {
# Never answer queries from the cache, so nobody can use this server as a resolver
allow-query-cache { none; };
# Disable recursion for the outside world
recursion no;
# Prevent unauthorized zone transfers
allow-transfer { none; };
};
4. Restart the service:
sudo systemctl restart named
# OR
sudo systemctl restart bind9
4. Removing Unused DNS Services
If you do not intend to host domain names on your VPS, you should not be running a DNS server at all.
Check if it is running:
sudo netstat -upln | grep :53
Stop and disable the service (if not needed):
# Stop BIND/Named
sudo systemctl stop named
sudo systemctl disable named
# Block the port in Firewall (UFW)
sudo ufw deny 53/udp
sudo ufw deny 53/tcp