mail us  |  mail this page

contact us
training  | 
tech stuff  | 

BIND 9 Support

Open DNS - Bad Idea

DNS for Rockets Scentists contains additional, and more current, stuff on this topic.

Security and Paranoia. We sometimes get the two concepts a little mixed up. Some folks get up-tight about allowing AXFR of their zones files. Personally I don't - the data in a public (as opposed to private zone data in a stealth configuration) is meant to be public. Trying to hide information in the DNS is somewhat like pushing water up hill - possible but not very effective in the long term.

My reasons for inhibiting AXFR (and IXFR) operations from anything apart for slaves is because I am persuaded that it can be used as part of a DoS attack not because of privacy considerations.

First let's define an Open DNS - it is a DNS that will accept recursive queries from external locations. Essentially anyone, anywhere can use your DNS to handle recursive queries for genuine or malicious reasons.

I am now persuaded that Open DNS caches are a bad idea - for reasons of DoS attacks and because there is the increased risk of cache poisoning. Somewhat similarly to Open Mail Relays, Open DNSs are not a good thing in this modern world. What used to be a friendly and neighbourly action, an Open DNS, may now be - inadvertently - placing others at risk. In general, I think the rule should be:

If your DNS does not need to be available to the world i.e. you are not an ISP or a generous human being, then limit recursive (or all) queries to your DNS using any of the following techniques.

  1. Inhibit incoming DNS (port 53) queries for caching or forwarding only DNS servers using a firewall

  2. If you run master or slave domains limit the scope of recursion by adding the following statement to the global options clause:

    # use an appropriate local address scope statement
    # to limit recursion requests to local users
    allow-recursion {;};
  3. If you run only a caching or forwarding DNS then limit the scope of all queries by adding the following statement to the global options clause:

    # use an appropriate local address scope statement
    # to limit all query requests to local users
    allow-query {;};

Both the DNS for Rocket Scientists guide and the files in the book reflect this change.

Problems, comments, suggestions, corrections (including broken links) or something to add? Please take the time from a busy life to 'mail us' (at top of screen), the webmaster (below) or info-support at zytrax. You will have a warm inner glow for the rest of the day.

Pro DNS and BIND by Ron Aitchison


tech info
guides home
dns articles
1 objectives
big picture
2 concepts
3 reverse map
4 dns types
5 install bind
6 samples
7 named.conf
8 zone records
9 howtos
10 tools
11 trouble
12 bind api's
13 dns security
bits & bytes
15 messages
notes & tips
registration FAQ
dns resources
dns rfcs
change log

Creative Commons License
This work is licensed under a Creative Commons License.

If you are happy it's OK - but your browser is giving a less than optimal experience on our site. You could, at no charge, upgrade to a W3C STANDARDS COMPLIANT browser such as Firefox




Icons made by Icomoon from is licensed by CC 3.0 BY
share page via facebook tweet this page


email us Send to a friend feature print this page Display full width page Decrease font size Increase font size



Debian Linux


GNU-Free SW Foundation


Open Source Initiative
Creative Commons


Ibiblio - Library
Open Book Project
Open Directory


CSS Technology SPF Record Conformant Domain
Copyright © 1994 - 2022 ZyTrax, Inc.
All rights reserved. Legal and Privacy
site by zytrax
Hosted by
web-master at zytrax
Page modified: January 20 2022.