How do I secure my DNS resolver against amplification attacks?

Modified on Fri, 21 Apr, 2023 at 6:13 PM

Like any service on a dedicated server or VPS, a DNS resolver should be properly secured before being enabled. Linux distributions typically do not enable a DNS resolver by default, while Windows does. 

Running an unsecured DNS resolver is quickly becoming as stigmatised as running an open email relay, due to the prevalence of DDOS DNS amplification attacks. 

An open DNS server is a DNS server which is willing to resolve recursive DNS lookups for anyone on the Internet. 

When a DNS server resolves a recursive DNS lookup, it tracks down information about a domain name hosted on some other DNS server somewhere else on the Internet (a recursive process involving several other DNS servers), meaning that it has to make connections to other servers in order to be able to carry out the request. This is expected behaviour; recursive DNS is essential to the correct functioning of the Web, but is open to abuse if not properly secured; attackers are able to exploit this by performing a special type of DDOS attack called a “DNS Amplification Attack”. 

At a technical level, the concept of this attack is that a hacker sends a recursive DNS query via UDP with a spoofed from-IP-address in the IP packet header to some DNS server. This DNS server then sends a DNS response packet back, not to the hacker, but to the spoofed IP address. This DNS response packet may be many times larger than the DNS query packet, and this way the DNS server amplifies the traffic sent to the victim. 

In order to secure a DNS resolver against this type of attack, it should be made to either not permit recursion, or to only accept recursion requests from trusted IPs. This doesn't affect serving DNS for domains that the server is the designated nameserver for, or the operation of websites

For Windows servers, Microsoft DNS Server is installed by default. Here's how to secure it:- 

To secure the windows DNS server config:- 

* In DNS manager -> Right-click DNS server -> properties -> Interfaces tab 
* Select "Only the following IP addresses" then unselect the all IP addresses. This will stop the DNS server from responding to requests. 
* Go to the Advanced tab 
* Select "Disable recursion(also disables forwarders)" 

If there is a need to run a recursive DNS server, the server's firewall should be configured such that tcp/udp port 53 only allows trusted ip addresses. 

For Linux users (eg CentOS, Ubuntu, Debian), BIND is available and may be installed via a control panel 

To secure it:- 

* Edit /etc/named.conf 

* Insert the following line in the global options clause if you are running an authoritative only server
# inhibit all recursion 
recursion no; 

* Insert the following line in the global options clause if you are running a caching or forwarding server
#Allow recursion for known ip addresses only. 
#use an appropriate address scope statement to limit all query requests to trusted users 
allow-recursion {192.168.2.0/24;}; //change IPs as required 
allow-query {"localhost";"192.168.2.0/24";}; 

#personal resolver 
allow-recursion {"localhost";}; 
allow-query {"localhost";}; 

* You will need to restart the DNS server after any configuration changes:- 

/sbin/service named restart

Was this article helpful?

That’s Great!

Thank you for your feedback

Sorry! We couldn't be helpful

Thank you for your feedback

Let us know how can we improve this article!

Select at least one of the reasons
CAPTCHA verification is required.

Feedback sent

We appreciate your effort and will try to fix the article