After installing and configuring a caching DNS server, if the server is reachable at an external (public) address, you should check that it responds only to requests from trusted hosts (clients). A server that answers recursive requests from any host is called a DNS Open Resolver.

A DNS Open Resolver can be exploited by attackers to perform several types of attacks:

  • Flooding the server with arbitrary DNS requests and saturating the link with traffic. This can cause a denial of service (DoS) and make the DNS service unavailable to other users.
  • Sending specially crafted requests to the server with a spoofed source IP address in order to attack a third host using your server. The DNS Open Resolver sends its responses to the spoofed address, which can direct a high volume of network traffic at the victim. Such an attack is called DNS Amplification.
  • Substituting false data into the responses your server receives, so that the false data ends up in its cache (Cache Poisoning). A client that then queries the poisoned server may receive false or malicious IP addresses for domain names.

Information

A caching DNS server is a server that processes recursive client requests.

Recursive and iterative DNS requests

On receiving a recursive request, the server either returns an answer to the request or an error message; the server itself performs all data lookups and queries to other servers. On receiving an iterative request, the server may return the address of another server instead of the answer, and the client then forwards the request to that server.

How to check if a server is open

You can check if your server is open to recursive requests at https://openresolver.com/.

Or with commands that perform requests to DNS:

dig +short @XXX.XXX.XXX.XXX mysite.ru

host mysite.ru XXX.XXX.XXX.XXX

nslookup mysite.ru XXX.XXX.XXX.XXX

Replace XXX.XXX.XXX.XXX with the IP address of the server to be checked. The name mysite.ru is only an example; any name can be used.

If the request returns an IP address when sent from an arbitrary (untrusted) host, your server is a DNS Open Resolver.
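The same check, as an added example that is not part of the original article: the script builds a DNS A query with the RD (recursion desired) bit set, sends it to the server under test, and classifies the reply from the RA (recursion available) bit, the RCODE and the answer count. The name mysite.ru and the 0x1234 transaction id are only placeholders, and a REFUSED reply or a missing RA bit is treated as "closed" because that is how a resolver that restricts recursion normally answers untrusted clients.

```python
import socket
import struct

RCODE_NOERROR, RCODE_NXDOMAIN, RCODE_REFUSED = 0, 3, 5

def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS A/IN query with the RD flag (0x0100) set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_response(data: bytes) -> dict:
    """Extract the header fields that reveal whether recursion was performed."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    return {
        "txid": txid,
        "ra": bool(flags & 0x0080),   # recursion available
        "rcode": flags & 0x000F,      # 0 NOERROR, 3 NXDOMAIN, 5 REFUSED
        "answers": an,                # number of records in the answer section
    }

def classify(resp: dict) -> str:
    """'open' if the server recursed for us, 'closed' if it declined."""
    if resp["rcode"] == RCODE_REFUSED or not resp["ra"]:
        return "closed"              # refused, or recursion not offered
    if resp["answers"] > 0 or resp["rcode"] == RCODE_NXDOMAIN:
        return "open"                # it resolved (or negatively resolved) the name
    return "unknown"                 # RA set but no usable answer (e.g. SERVFAIL)

def check_resolver(server: str, name: str = "mysite.ru", timeout: float = 3.0) -> str:
    """Send one UDP query to server:53 and classify the reply (constructed check)."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        try:
            data, _ = sock.recvfrom(512)
        except socket.timeout:
            return "closed"          # no reply: filtered on the perimeter or dropped
    resp = parse_response(data)
    if resp["txid"] != 0x1234:
        return "unknown"             # reply does not match our query
    return classify(resp)

if __name__ == "__main__":
    import sys
    print(check_resolver(sys.argv[1]))  # usage: python check.py XXX.XXX.XXX.XXX
```

Run it from a host that is not on the trusted list; "open" means the server answered a recursive query it should have refused.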

How to turn off or limit access to only authorized hosts/networks

  1. Restrict access to the DNS port (udp/53) on the network perimeter, or locally on the DNS server itself.
  2. If the server only needs to be authoritative for one or a few specific zones, disable recursion by adding the “recursion no;” option to the named.conf configuration file (named.conf.local or another file, depending on your setup).
  3. Allow recursive requests only from trusted networks/hosts, for example: “allow-recursion { localhost; 10.16.0.0/16; };” (replace 10.16.0.0/16 with your trusted addresses).