After installing and configuring a caching DNS server, if the server is available at an external (white) address, it is necessary to check that it responds only to queries from trusted hosts (clients). In case the server responds to queries from all hosts, such a server is called DNS Open Resolver.
There is a risk that DNS Open Resolver could be used by attackers to conduct various types of attacks:
- Load the server with random DNS queries, clogging the channel with traffic. This can lead to denial of service (DoS) and unavailability of DNS service for other users.
- Send special queries to a server with a spoofed source IP address to launch an attack against a third host involving your server. DNS Open Resolver sends responses to this spoofed address, which can result in a large amount of network traffic directed at the victim of the attack. This attack is called DNS Amplification.
- Substitute responses to your server with false data that will end up in the cache (Cache Poisoning). When a client computer accesses a DNS server that is compromised in this way, it may receive false or malicious IP addresses for domain names.
Note
A caching DNS server is a server that handles recursive client requests.
Recursive and iterative DNS queries
When receiving a recursive request, the server returns either a response to the request or an error message. The server takes care of all data retrieval and polling of other servers. When receiving an iterative request, the server may return the address of another server instead of the answer, and then the client will redirect this request to the specified server.
How to check if a server is open
To check if your server is open to recursive requests, go to https://openresolver.com/.
Or by commands that perform queries to DNS:
dig +short @XXX.XXX.XXX.XXX mysite.ru
host mysite.ru XXX.XXX.XXX.XXX
nslookup mysite.ru XXX.XXX.XXX.XXX
As XXX.XXX.XXX.XXX specify the IP address of the server to be checked. In the example the name is mysite.ru, you can check any.
If the query yields an IP address when queried from any host, then your server is DNS Open Resolver.
How to disable or restrict access to only trusted hosts/networks
- Restrict access to the server port (udp/53) on the network perimeter, or locally on the DNS server itself.
- If the server should only be responsible for one or a few specific zones, you can disable recursive requests by adding the
“recursion no;”option to the named.conf configuration file (named.conf.localor other, depending on your settings). - Allow recursive requests only for trusted networks/hosts, for example:
“allow-recursion { localhost; 10.16.0.0.0/16; };”(10.16.0.0.0/16— replace with trusted addresses).