mail us  |  mail this page

contact us
training  | 
tech stuff  | 

HOWTO Close an Open DNS

The terms Open and Closed are now used to describe DNS servers in the following context:

  1. Open DNS: is a DNS that will accept recursive queries from external locations. Essentially anyone, anywhere can use your DNS to handle recursive queries for genuine or malicious reasons.

  2. Closed DNS: is a DNS that will accept recursive queries only from an identified (and hopefully trusted) set of clients.

Somewhat similarly to Open Mail Relays, Open DNSs are not a good thing in this modern world. What used to be a friendly and neighbourly action, an Open DNS, may now be - inadvertently - placing yourself and others at risk for three major reasons:

  1. DoS attacks: by sending random domain queries to your DNS the bad guys can cause your DNS to become extremly busy and clog up the Internet with useless traffic.

  2. DoS amplification attacks: by sending domain specific queries the bad guys can cause your DNS to become part of (amplify the effect of) a wider DoS attack on a particular site.

  3. Cache Poisoning: by sending specific queries the bad guys can dictate or control the traffic that leaves your site and thus attempt to spoof responses with nasty and pernicious stuff.

In general, the rule should be:

Always limit recursive (or all) queries to your DNS using any of the techniques on this page.

Close the DNS

Use as many of the techniques described here as are appropriate to your installation.

  1. Inhibit incoming DNS (port 53) queries for caching or forwarding only DNS servers using a firewall

  2. If you run an authoritative only server you should already be preventing recursion by using the following line in a global options clause:

    # inhibit all recursion
    recursion no;
    
  3. If you run master or slave domains and also provide recursive services on the same server (hybrid servers) then limit the scope of recursion by adding the following statement to the global options clause:

    # use an appropriate local address scope statement
    # to limit recursion requests to local users
    allow-recursion {192.168.2.0/24;}; // change IPs as required
    
    # OR if the DNS server's IPs and netmasks cover the whole 
    # local network you can use:
    allow-recursion {"localnets";};
    
  4. If you run only a caching or forwarding DNS then limit the scope of recursive queries by adding the following statement to the global options clause:

    # use an appropriate local address scope statement
    # to limit all query requests to local users
    allow-recursion {192.168.2.0/24;}; //change IPs as required
    
    # OR if the DNS server's IPs and netmasks cover the whole 
    # local network you can use:
    allow-recursion {"localnets";};
    
  5. If you run only permit recursive queries from localhost (such as in a personal resolver) then add the following statement(s) to the global options clause:

    # hard limits on reading
    listen-on {127.0.0.1;}; // or listen-on {localhost;};
    listen-on-v6 {::1;};    // OR listen-on-v6 {localhost;};
    
    # OR 
    allow-recursion {"localhost";};
    

Notes:

  1. All the sample files included throught this guide use one or more of the techniques described.

  2. BIND 9.4 introduced a new statement allow-query-cache in an attempt to limit the number of, perhaps inadvertant, Open DNS resolvers. allow-query-cache defaults to the same values as allow-recursion. Beware: It is permitted to define both allow-recursion and allow-query-cache statements. Avoid this like the plague. Use one or the other if you want to retain your sanity.

  3. Since BIND 9.4 in configurations where recursion yes; is present or is defaulted and no limits are placed on recursion then allow-query-cache {localnets; localhost;}; is defaulted. The effect of this is to only permit recursive queries from the server's host (localhost) or any local LAN connected hosts (localnets).

  4. BIND 9.4 also introduced a new set of statements, allow-query-on, allow-recursion-on, allow-query-cache-on. In all cases the -on statements allow definition of the server interface and may greatly simplify query limit definition in multi-homed servers.

  5. It is always possible to limit recursive queries even if the IP address ranges are very fragmented (use an acl clause if appropriate). Never be tempted to use allow-recursion {any;};. There awaits ruin and madness in equal measure.



Problems, comments, suggestions, corrections (including broken links) or something to add? Please take the time from a busy life to 'mail us' (at top of screen), the webmaster (below) or info-support at zytrax. You will have a warm inner glow for the rest of the day.

Pro DNS and BIND by Ron Aitchison

Contents

tech info
guides home
dns articles
intro
contents
1 objectives
big picture
2 concepts
3 reverse map
4 dns types
quickstart
5 install bind
6 samples
reference
7 named.conf
8 zone records
operations
9 howtos
10 tools
11 trouble
programming
12 bind api's
security
13 dns security
bits & bytes
15 messages
resources
notes & tips
registration FAQ
dns resources
dns rfcs
change log

Creative Commons License
This work is licensed under a Creative Commons License.

If you are happy it's OK - but your browser is giving a less than optimal experience on our site. You could, at no charge, upgrade to a W3C STANDARDS COMPLIANT browser such as Firefox

Search

web zytrax.com

Share

share page via facebook tweet this page

Page

email us Send to a friend feature print this page Decrease font size Increase font size Display full width page

Resources

Systems

FreeBSD
NetBSD
OpenBSD
DragonFlyBSD
Linux.org
Debian Linux

Software

LibreOffice
OpenOffice
Mozilla
GitHub
GNU-Free SW Foundation
get-dns

Organizations

Open Source Initiative
Creative Commons

Misc.

Ibiblio - Library
Open Book Project
Open Directory
Wikipedia

Site

CSS Technology SPF Record Conformant Domain
Copyright © 1994 - 2017 ZyTrax, Inc.
All rights reserved. Legal and Privacy
site by zytrax
Hosted by super.net.sg
web-master at zytrax
Page modified: October 21 2015.