Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Sign In Register

Close an Open DNS

JustinJustin Member
edited February 2020 in Performance and Security
The terms Open and Closed are now used to describe DNS servers in the following context:

• Open DNS - is a DNS that will accept recursive queries from external locations. Essentially anyone anywhere can use your DNS to handle recursive queries for genuine or malicious reasons;
• Closed DNS - is a DNS that will accept recursive queries only from an identified (and hopefully trusted) set of clients.

What used to be a friendly and neighborly action, an Open DNS, may now be - inadvertently - placing yourself and others at risk for three major reasons:

• DoS Attacks - by sending random domain queries to your DNS malicious users can cause your DNS to become extremely busy and clog up the Internet with useless traffic;
• DoS Amplification Attacks - by sending domain-specific queries the malicious users can cause your DNS to become part of (amplify the effect of) a wider DoS attack on a particular site;
• Cache Poisoning - by sending specific queries the malicious users can dictate or control the traffic that leaves your site and thus attempt to spoof responses with nasty and pernicious stuff.

Use as many of the techniques described here as are appropriate to your installation.

• Inhibit incoming DNS (port 53) queries for caching or forwarding only DNS servers using a firewall;
• If you run an authoritative only server you should already be preventing recursion by using the following line in a global options clause:
# inhibit all recursion
recursion no;

• BIND 9.4 introduced a new statement to allow-query-cache in an attempt to limit the number of, perhaps inadvertent, Open DNS resolvers. allow-query-cache defaults to the same values as allow-recursion. Be aware: It is permitted to define both allow-recursion and allow-query-cache statements. Avoid this like the plague. Use one or the other if you want to retain your sanity;
• Since BIND 9.4 in configurations where recursion is yes; is present or is defaulted and no limits are placed on recursion then allow-query-cache {localnets; localhost;}; is defaulted. The effect of this is to only permit recursive queries from the server's host (localhost) or any local LAN connected hosts (localnets);
• BIND 9.4 also introduced a new set of statements, allow-query-on, allow-recursion-on, allow-query-cache-on. In all cases, the -on statements allow a definition of the server interface and may greatly simplify the query limit definition in multi-homed servers.
Sign In or Register to comment.

Learn how to install a web and database server, email, FTP client or other applications. Discover and share information on server security or optimization recommendations.
Feel free to join our constantly expanding community, participate in discussions, strengthen your knowledge on Linux and Windows server management!
© 2013 - 2022 Time4VPS. All rights reserved.

Get In Touch