Open Domain Name System Resolver
An Open DNS Resolver is a DNS server that is configured to provide recursive DNS lookup services to any user on the internet.

DNS resolvers that allow requests from all IP addresses and are exposed to the internet can be vulnerable to attacks and may be used to conduct Denial of Service (DoS) attacks on behalf of malicious actors. This essentially turns your server into an unwitting facilitator for large-scale attacks. A common form of such an attack is the Distributed Denial of Service (DDoS) through a DNS amplification attack.

In this attack method, the attacker sends a DNS name lookup request to an open DNS server by spoofing (or faking) the source IP address of the DNS request. As a result, the response is not sent back to the computer that initiated the request but is directed to the victim.

The open DNS resolver, which does not verify the source address of the query, sends the large DNS response to the victim’s IP address, and the attack continues for as long as the attacker keeps sending spoofed queries. This is termed “amplification” because the spoofed requests ask for all available information about the requested DNS zone, producing a response that is 10 to 20 times larger than the request. A significant amount of traffic is therefore generated with minimal effort.

Checking for an Open Resolver:

You can perform a simple test from your command shell.

dig +short test.openresolver.com TXT @your-vps-ip-address

If it’s open, the response will show “open-resolver-detected.”
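As an added example that is not part of the original article, the same check done with a raw DNS query in Python: it sends a query with the Recursion Desired (RD) bit set and inspects the Recursion Available (RA) flag and response code in the reply header, which is what a closed resolver changes (it clears RA and answers REFUSED). The hostname test.openresolver.com comes from the article; the function names and the UDP/53 transport are this example's own assumptions.

```python
import random
import socket
import struct

RD = 0x0100   # header flag: Recursion Desired (set by the client)
QR = 0x8000   # header flag: this message is a response
RA = 0x0080   # header flag: Recursion Available (set by the server)

def build_query(name, txid, qtype=16):
    """Encode a single-question DNS query (qtype 16 = TXT, class IN) with RD set."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def parse_header(resp):
    """Return the header fields an open-resolver check needs from a raw response."""
    if len(resp) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    return {"id": txid, "qr": bool(flags & QR), "ra": bool(flags & RA),
            "rcode": flags & 0x000F, "answers": an}

def is_open_resolver(resp, expected_id):
    """Open: the server answered our query (id matches), advertises RA and
    returned NOERROR (rcode 0) rather than REFUSED (rcode 5) for a name
    it is not authoritative for."""
    h = parse_header(resp)
    return h["id"] == expected_id and h["qr"] and h["ra"] and h["rcode"] == 0

def check_server(server_ip, name="test.openresolver.com", timeout=3.0):
    """Send the query over UDP/53 to your own server and report the verdict."""
    txid = random.randrange(1, 0x10000)   # random id so a stray reply is not matched
    query = build_query(name, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server_ip, 53))
        resp, _ = sock.recvfrom(4096)
    return is_open_resolver(resp, txid)

if __name__ == "__main__":
    import sys
    # usage: python check_resolver.py your-vps-ip-address
    print("open-resolver-detected" if check_server(sys.argv[1]) else "recursion refused")
```

Run it against your own server's address after applying the configuration change below; a correctly closed resolver yields "recursion refused".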

How to Close an Open DNS Resolver:

1. One method is to restrict incoming DNS queries using a firewall.

2. If you run an authoritative-only name server:

Open your DNS server’s main configuration file with a text editor (this example assumes you are using BIND).

vi /etc/named.conf

Add the following two directives inside the existing options block (named.conf accepts only one options statement, so do not add a second one) to disable recursion and refuse cache queries.

options {
     allow-query-cache { none; };
     recursion no;
};

Then restart the name server:

/etc/init.d/named restart
