How can I disable open DNS resolvers? (Windows / Linux)

What is an 'Open DNS Resolver'?

An open DNS resolver is a DNS server which resolves recursive DNS queries from anybody on the internet.

Running an open (UDP) service is not wrong on its own. Unfortunately, attackers have also found this feature valuable for a particular type of DDoS attack called an "amplification attack": small queries with a forged source address are sent to the open resolver, which then sends its much larger answers to the victim. For further information see: https://en.wikipedia.org/wiki/Denial-of-service_attack

Recommended action

We politely ask you to reconfigure your DNS server to only allow DNS queries from trusted sources or, if you don't actually use it, to disable the service entirely.

Solving DNS recursion in Windows Server

  • Once you are logged into the server you will need to open the 'DNS manager'.
  • Right-click on the preferred DNS server and select 'Properties'.
  • Next select the 'Advanced' tab.
  • Check the 'Disable recursion (also disables forwarders)' box under Server options and click OK.
  • The open DNS resolver on this DNS server is now disabled.

Windows users can then test their domain with the tool at http://www.intodns.com/

Solving DNS recursion in Linux

If you need the DNS resolver, we politely ask you to only allow access from your own trusted sources. This can be accomplished by creating a firewall rule that allows traffic to port 53/udp from your particular IP addresses or network and drops it from everywhere else.

Oftentimes you will be using iptables, as it is installed by default, so the rules would look like the following example (the addresses are placeholders: 198.51.100.0/24 stands for your trusted network and 203.0.113.5 for your DNS server):

iptables -A INPUT -p udp -s 198.51.100.0/24 -d 203.0.113.5 --dport 53 -j ACCEPT
iptables -A INPUT -p udp -d 203.0.113.5 --dport 53 -j DROP

(The -s is the trusted source network and -d stands for destination, so this is where you fill in your DNS server's IP. The second rule drops queries from everyone else; without it the first rule restricts nothing. If your server also answers DNS over TCP, add the same two rules with -p tcp.)

If you are using BIND (named) as an authoritative name server, it should not allow recursion. Add the following lines to the bottom of /etc/named.conf; if the file already contains an options block, put the two settings inside it instead of adding a second block, because BIND accepts only one options statement (on Debian and Ubuntu the options block lives in /etc/bind/named.conf.options):

options {
    allow-query-cache { none; };
    recursion no;
};

Finally, when everything is configured, restart the service and test it by issuing the following command from a host outside your trusted range (from inside the trusted network the firewall rule lets the query through, so the test would prove nothing):

dig example.com @your_dns_ip +short 

If you don't receive an answer (the query times out because the firewall drops it, or the server replies REFUSED or with an empty answer because recursion is disabled), you know that recursive DNS is blocked for untrusted sources.
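As an added example, not part of the original article, the small POSIX shell helper below interprets the full dig output (run without +short) so you can tell the three outcomes apart instead of only seeing "no answer": a timeout (the firewall drops the query), a REFUSED or non-recursive reply (recursion is disabled on the server), and a real recursive answer (the resolver is still open). The sample dig headers embedded in the script are constructed for offline use, not captured from a real server; check_resolver runs a live query against the address you give it, using dig's +time and +tries options to keep the wait short.

```shell
#!/bin/sh
# Added example (not from the original article): classify a resolver from dig output.
# classify_dig_output reads the output of `dig <name> @<server>` (without +short) on
# stdin and prints one of:
#   no-reply - dig timed out: the firewall is dropping queries from this host
#   closed   - status REFUSED, or an answer without the "ra" (recursion available) flag
#   open     - status NOERROR with the "ra" flag: the server still recurses for us
classify_dig_output() {
    out=$(cat)
    case "$out" in
        *"connection timed out"*|*"no servers could be reached"*)
            echo "no-reply"
            return 0
            ;;
    esac
    # header line looks like: ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4711
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\).*/\1/p' | head -n 1)
    # flags line looks like: ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, ...
    flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p' | head -n 1)
    if [ "$status" = "NOERROR" ] && printf ' %s ' "$flags" | grep -q ' ra '; then
        echo "open"
    else
        echo "closed"
    fi
}

# check_resolver <server-ip>: query a name the server is not authoritative for and
# classify the result. Run it from a host OUTSIDE your trusted network.
check_resolver() {
    dig example.com "@$1" +time=3 +tries=1 2>&1 | classify_dig_output
}

# Constructed sample dig output for offline demonstration (not captured from a real server).
SAMPLE_OPEN=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_REFUSED=';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 12346
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_TIMEOUT=';; connection timed out; no servers could be reached'

demo() {
    printf 'sample open resolver:  %s\n' "$(printf '%s\n' "$SAMPLE_OPEN" | classify_dig_output)"
    printf 'sample recursion off:  %s\n' "$(printf '%s\n' "$SAMPLE_REFUSED" | classify_dig_output)"
    printf 'sample firewalled:     %s\n' "$(printf '%s\n' "$SAMPLE_TIMEOUT" | classify_dig_output)"
}

# Usage: sh check_resolver.sh             -> runs the offline demo on the samples
#        sh check_resolver.sh 203.0.113.5 -> queries that server (203.0.113.5 is a placeholder)
if [ $# -gt 0 ]; then
    check_resolver "$1"
else
    demo
fi
```

An authoritative server with recursion disabled still answers NOERROR for the zones it hosts, but without the "ra" flag; the helper reports that as closed too, which is why the live check queries example.com rather than one of your own domains.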
