After installing and configuring a caching DNS server, if the server is reachable at an external (public) address, you should check that it answers queries only from trusted hosts (clients). A server that answers queries from any host is called a DNS Open Resolver.
An open resolver can be exploited by attackers for several kinds of attack:
- Flooding the server with arbitrary DNS queries and saturating the link with traffic. This can cause a denial of service (DoS) and make the DNS service unavailable to other users.
- Sending specially crafted queries with a spoofed source IP address so that your server takes part in an attack on a third host. The open resolver sends its responses to the spoofed address, which can direct a large volume of network traffic at the victim. This is called DNS Amplification.
- Substituting false data for responses to your server so that it ends up in the cache (Cache Poisoning). A client that queries a DNS server compromised in this way may receive false or malicious IP addresses for domain names.
Information
A caching DNS server is a server that processes recursive client queries.
Recursive and iterative DNS requests
On receiving a recursive query, the server returns either the answer or an error message; the server itself performs all the lookups and the querying of other servers. On receiving an iterative query, the server may return the address of another server instead of the answer, and the client then sends the query to that server.
How to check if a server is open
You can check whether your server is open to recursive queries at https://openresolver.com/.
Or with commands that send queries to the DNS server:
dig +short @XXX.XXX.XXX.XXX mysite.ru
host mysite.ru XXX.XXX.XXX.XXX
nslookup mysite.ru XXX.XXX.XXX.XXX
In place of XXX.XXX.XXX.XXX, enter the IP address of the server to be checked. mysite.ru is an example name; you can query any name.
If the query returns an IP address when sent from an arbitrary host, your server is a DNS Open Resolver.
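The same check done without dig/host/nslookup, as an added example that is not part of the original page: it sends a query with the RD (recursion desired) bit set and reads the RA flag, RCODE and answer count from the reply header. It assumes the queried name is one the server is not authoritative for (otherwise it answers without recursing); the sample replies at the end are constructed for offline use.

```python
import socket
import struct

def build_query(name, qid=0x1234):
    """Minimal A/IN query for `name` with the RD (recursion desired) bit set."""
    labels = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in name.strip(".").split("."))
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # flags 0x0100 = RD only
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN

def classify_response(raw):
    """Decide from the reply header (RA flag, RCODE, answer count) whether recursion was served."""
    if len(raw) < 12:
        raise ValueError("truncated DNS header")
    _qid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", raw[:12])
    ra = bool(flags & 0x0080)  # RA: recursion available
    rcode = flags & 0x000F     # 0 = NOERROR, 5 = REFUSED
    if rcode == 0 and ra and ancount > 0:
        verdict = "open"       # the server recursed for a name it is not authoritative for
    elif rcode == 5:
        verdict = "refused"    # what `recursion no;` or an excluding allow-recursion yields
    elif not ra and ancount == 0:
        verdict = "closed"     # no recursion offered and nothing answered
    else:
        verdict = "unknown"
    return {"ra": ra, "rcode": rcode, "answers": ancount, "verdict": verdict}

def check_resolver(server_ip, name="mysite.ru", timeout=3.0):
    """Send the query to server_ip:53 over UDP; a dropped query (filtered port) is 'no-response'."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server_ip, 53))
        try:
            raw, _ = sock.recvfrom(512)
        except socket.timeout:
            return {"verdict": "no-response"}
    if raw[:2] != query[:2]:
        raise ValueError("transaction id mismatch")
    return classify_response(raw)

# Constructed sample replies (not captured from any real server) so the classifier runs offline.
QUESTION = b"\x06mysite\x02ru\x00\x00\x01\x00\x01"                      # mysite.ru A IN
OPEN_REPLY = (b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"        # QR RD RA, NOERROR, 1 answer
              + QUESTION + b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\xc0\x00\x02\x01")
REFUSED_REPLY = b"\x12\x34\x81\x05\x00\x01\x00\x00\x00\x00\x00\x00" + QUESTION  # QR RD, REFUSED

if __name__ == "__main__":
    import sys
    print(check_resolver(sys.argv[1]) if len(sys.argv) > 1 else classify_response(OPEN_REPLY))
```

Run it from a host outside your trusted networks with the server's IP as the argument; a verdict of "open" means the server is an open resolver for that host.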
How to turn off recursion or limit it to authorized hosts/networks only
- Limit access to the server port (udp/53) at the network perimeter, or locally on the DNS server itself.
- If the server should be responsible for only one or a few specific zones, disable recursive queries by adding the option
recursion no;
to the named.conf configuration file (named.conf.local or another file, depending on your setup).
- Enable recursive queries for trusted networks/hosts only, for example:
allow-recursion { localhost; 10.16.0.0/16; };
(replace 10.16.0.0/16 with your trusted addresses).