How do I secure my DNS resolver against amplification attacks?


When your DNS server resolves a recursive DNS lookup, it tracks down information about a domain name hosted on another DNS server by connecting to other DNS servers.  An open DNS server is a server that resolves recursive DNS lookups for anyone on the Internet. Recursive DNS is essential to the correct functioning of the Web, but it can be open to abuse if it isn’t properly secured.

Attackers are able to exploit unsecured recursive DNS by running a particular type of DDOS attack – the DNS Amplification Attack.

The hacker sends a recursive DNS query through UDP (User Datagram Protocol), with a spoofed IP address (the victim’s IP address) in the IP packet header.

The DNS server then sends a response back to the spoofed IP address.  The response packet may be many times larger than the DNS query packet, amplifying the traffic sent to the victim.

In order to secure your DNS resolver against this type of attack, you should set it to not permit recursion or only accept recursion requests from trusted IPs.

This does not affect being the nameserver for domain names or operating websites.

If you do not need to use your server as a nameserver, then the easiest and safest option is to disable DNS functionality on your server.  Linux distributions typically do not enable a DNS resolver by default, but Windows does.

To disable DNS functionality on your Windows server:

  1. Go into the Server Manager
  2. Click ‘Roles’
  3. Click ‘Remove Roles’
  4. Uncheck the ‘DNS Server’ role
  5. Click ‘Next’
  6. You will be warned that the server needs to be restarted
  7. Click ‘Remove’ to continue
  8. The removal will take place
  9. Click ‘Close’
  10. Restart the server when convenient
  11. The DNS functionality will be removed when you restart

To secure your DNS resolver on Windows (if you want to keep using it as a nameserver):

  1. Go to DNS Manager
  2. Right-click ‘DNS Server’
  3. Click ‘Properties’
  4. Go to the ‘Interfaces’ tab
  5. Select ‘Only the following IP addresses’
  6. Deselect all the IP addresses except for the main IP address
  7. Go to the ‘Advanced’ tab
  8. Select ‘Disable recursion (also disables forwarders)’
  9. Click ‘OK’
  10. Your DNS resolver will now be secured

To secure your DNS resolver on Linux:

  1. Edit /etc/named.conf
  2. Insert the following lines in the global options clause if you are running an authoritative-only server:

# inhibit all recursion
recursion no;

  1. Insert the following lines in the global options clause if you are running a caching or forwarding server:

# allow recursion for known IP addresses only
# use an appropriate added scope statement to limit all query results to trusted users
allow-recursion {192.168.2.0/24}; //Change IPs as required
allow-query {“localhost”,”192.168.2.0/24”};

#personal resolver
allow-recursion {“localhost”;};
allow-query {“localhost”;};

  1. Restart the DNS server after your configuration changes by using this command:

/sbin/service named restart

For Linux users, you can also install BIND, DNS software known for added security.



Article ID: 66
Created On: Tue, Mar 3, 2015 at 4:56 PM
Last Updated On: Wed, Aug 18, 2021 at 3:55 PM

Online URL: https://www.heartinternet.uk/support/article/how-do-i-secure-my-dns-resolver-against-amplification-attacks.html