The terms "Open" and "Closed" are now used to describe DNS servers in the following manner:
Open DNS: A DNS server that accepts recursive queries from any external source. This means anyone, anywhere, can use your DNS server to handle recursive queries, whether for legitimate or malicious purposes.
Closed DNS: A DNS server that accepts recursive queries only from a designated, trusted group of clients.
What was once considered a helpful, community-driven action—running an Open DNS—can now, unintentionally, expose both you and others to several risks:
1. Denial of Service (DoS) Attacks: Malicious users can send random domain queries to your DNS, overwhelming it and causing excessive traffic that clogs the network.
2. DoS Amplification Attacks: By sending domain-specific queries, attackers can turn your DNS into a tool that amplifies the effects of a broader DoS attack on a specific target.
3. Cache Poisoning: Attackers can manipulate your DNS server by sending targeted queries, potentially controlling the traffic that leaves your server and spoofing harmful responses.
To protect your installation, implement the following techniques where applicable:
Use a firewall to block incoming DNS (port 53) queries from outside your trusted client networks on caching-only or forwarding-only DNS servers.
If you're running an authoritative-only server, prevent recursion by adding this line in the global options section:
# inhibit all recursion
recursion no;
Additional Notes:
1. BIND 9.4 introduced the allow-query-cache statement to limit inadvertent Open DNS resolvers. By default, it shares the same values as allow-recursion. It's important to avoid defining both allow-recursion and allow-query-cache together. Stick to one to maintain clarity in your configuration.
2. In BIND 9.4, if recursion yes; is present (or is the default) without limiting recursion, allow-query-cache { localnets; localhost; }; is automatically applied. This restricts recursive queries to the server's local host and local LAN hosts.
3. BIND 9.4 also introduced new statements like allow-query-on, allow-recursion-on, and allow-query-cache-on, which allow for defining server interfaces. These can simplify query limit settings, especially for multi-homed servers.
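As an added example (not part of this page or of BIND's own tooling), a small Python audit that applies the rules above to the options block of a named.conf: it reports recursion no; as authoritative-only, flags allow-recursion { any; } as Open DNS, warns when allow-recursion and allow-query-cache are both set, and treats the BIND 9.4 implicit allow-query-cache { localnets; localhost; }; default as closed. The sample configurations are constructed, and the parser (a flat, brace-balanced read of the top-level options block) is an assumption for illustration, not BIND's grammar.

```python
import re

# Constructed named.conf fragments for illustration (not from any real deployment).
OPEN_CONF = "options {\n  recursion yes;\n  allow-recursion { any; };\n};\n"
IMPLICIT_CONF = "options {\n  recursion yes;  // no allow-* statement at all\n};\n"
CLOSED_CONF = "options {\n  recursion yes;\n  allow-recursion { localnets; localhost; };\n};\n"
AUTH_CONF = "options {\n  # inhibit all recursion\n  recursion no;\n};\n"

def _strip_comments(conf):
    """Drop the three BIND comment styles: /* ... */, // ..., # ..."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(//|#).*", "", conf)

def _options_body(conf):
    """Return the text inside the top-level options { ... } block (brace-balanced)."""
    start = re.search(r"\boptions\s*\{", conf)
    if not start:
        return ""
    depth, i = 1, start.end()
    while i < len(conf) and depth:
        depth += {"{": 1, "}": -1}.get(conf[i], 0)
        i += 1
    return conf[start.end():i - 1]

def _match_list(body, name):
    """Return the address-match list of `name { ...; };` as a list, or None if absent."""
    m = re.search(r"\b" + re.escape(name) + r"\s*\{([^}]*)\}\s*;", body)
    if not m:
        return None
    return [e.strip() for e in m.group(1).split(";") if e.strip()]

def audit(conf, bind_version=(9, 4)):
    """Classify as 'open', 'closed' or 'authoritative'; returns (class, warnings)."""
    body = _options_body(_strip_comments(conf))
    warnings = []
    rec = re.search(r"\brecursion\s+(yes|no)\s*;", body)
    if rec and rec.group(1) == "no":
        return "authoritative", warnings          # recursion inhibited entirely
    allow_rec = _match_list(body, "allow-recursion")
    allow_qc = _match_list(body, "allow-query-cache")
    if allow_rec is not None and allow_qc is not None:
        warnings.append("both allow-recursion and allow-query-cache set; keep only one")
    acl = allow_rec if allow_rec is not None else allow_qc
    if acl is None:
        # BIND 9.4+ implicitly applies allow-query-cache { localnets; localhost; };
        # earlier releases defaulted to answering recursive queries from anywhere.
        if bind_version >= (9, 4):
            return "closed", warnings + ["relying on implicit default; set allow-recursion explicitly"]
        return "open", warnings
    return ("open" if "any" in acl else "closed"), warnings
```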