What is an 'Open DNS Resolver'?


An open DNS resolver is a DNS server that resolves recursive DNS queries from anybody on the internet.

Open resolvers can be abused for DDoS reflection attacks against third parties. Running a service on UDP is not wrong in itself, but DNS answers are usually much larger than the queries that trigger them, and UDP source addresses can be forged. Attackers therefore use open resolvers for a particular type of DDoS attack called an "amplification attack": they send small queries with the victim's address as the source, and the resolver delivers its large answers to the victim. For further information see: https://en.wikipedia.org/wiki/Denial-of-service_attack



Solution / Recommended action

Disable recursion, or limit recursion to trusted clients, in the DNS server's configuration.

We politely ask you to reconfigure your DNS server to only allow DNS queries from trusted sources or, if you don't actually use it, to disable the service entirely.


Disabling DNS recursion in Windows Server
  • Once you are logged into the server, open 'DNS Manager'.
  • Right-click the DNS server and select 'Properties'.
  • Select the 'Advanced' tab.
  • Check the 'Disable recursion (also disables forwarders)' box under 'Server options' and click OK.
  • The server now answers queries only for the zones it hosts and no longer resolves recursive queries for anybody. Note that, as the option's name says, forwarders stop working too.

Windows users can verify the result from outside by testing their domain with the following tool, which reports whether the domain's name servers answer recursive queries: http://www.intodns.com/



Disabling DNS recursion in Linux

If you need the DNS resolver, we politely ask you to allow access only from your own trusted sources. This can be done with firewall rules that permit traffic to port 53 (UDP and TCP) only from your particular IP addresses or networks.

Often iptables is installed by default, in which case the rules would look like the following example:

Code:
iptables -A INPUT -p udp -s xxxx.xxxx.xxxx.xxxx/24 --dport 53 -d xxxx.xxxx.xxx.xxxx -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j DROP
(-s is your trusted source network and -d the destination, i.e. the IP address of your DNS server. The first rule accepts queries from the trusted network; the DROP rule after it discards port 53 traffic from everybody else, and without it the ACCEPT rule changes nothing. Add the same pair with -p tcp, since DNS also uses TCP. Rules added with -A are lost on reboot unless you save them with iptables-save or your distribution's mechanism.)

If you are using BIND (named) as an authoritative name server, it should not allow recursion at all. Add the following lines to the options block of /etc/named.conf (a configuration may contain only one options block, so merge them into the existing one rather than appending a second block at the bottom):

options {
    allow-query-cache { none; };
    recursion no;
};

If the same server must also recurse for your own networks, restrict recursion with an allow-recursion ACL listing those networks instead of disabling it entirely. Run named-checkconf before restarting to catch syntax errors.
Finally, once everything is configured, restart the service and test the result from an untrusted address by querying a name that the server is not authoritative for:

Code:
dig example.com @your_dns_ip +short
If you receive no answer, either because the query is refused or because the firewall drops it, recursive DNS is blocked for untrusted sources. Query a name the server does not host: a name server always answers for its own zones, and such an answer is not a sign of open recursion.



An open resolver allowing recursive queries will return a response like this, followed by a set of DNS records:

; <<>> DiG 9.8.1-P1 <<>> cert-bund.de @192.168.45.67
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43941
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0


A DNS server not allowing recursive queries will instead respond with an error message like this:

; <<>> DiG 9.8.1-P1 <<>> cert-bund.de @192.168.45.67
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 42022
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
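The two transcripts above can be told apart automatically, which is useful when you have several servers to check. The following script is an added example, not part of the original notification or of BIND or dig. It assumes dig is installed, that the name passed to check_resolver (default example.com) is one the tested server is not authoritative for, and that the address 192.0.2.53 in the usage comment is a placeholder for your own server. The sample transcripts embedded in it are constructed from the two outputs shown above, plus two further cases (an authoritative-only answer and a firewall timeout) that the page does not show, so the classifier can be exercised offline.

```shell
#!/bin/sh
# Added example: classify a dig transcript to decide whether a server
# answers recursive queries for us. The verdict strings are our own choice.
#
# Verdicts:
#   OPEN         - server recursed for us ("ra" flag set and not REFUSED)
#   CLOSED       - server answered but will not recurse (REFUSED, or no "ra")
#   NO-RESPONSE  - no DNS answer at all (port filtered or host down)

classify_dig_output() {
    out=$(cat)
    # "status: REFUSED," -> REFUSED ; empty if dig got no answer at all
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    # ";; flags: qr rd ra; QUERY: 1, ..." -> "qr rd ra"
    flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p' | head -n 1)

    if [ -z "$status" ]; then
        echo "NO-RESPONSE"
        return 0
    fi
    if [ "$status" = "REFUSED" ]; then
        echo "CLOSED"
        return 0
    fi
    # The "ra" (recursion available) flag is the decisive bit: an
    # authoritative-only server still answers NOERROR for its own zones,
    # but without "ra".
    if printf '%s\n' "$flags" | grep -qw 'ra'; then
        echo "OPEN"
    else
        echo "CLOSED"
    fi
}

# Live check. Query a name the server is NOT authoritative for.
# Usage: check_resolver 192.0.2.53 [name]   (192.0.2.53 is a placeholder)
check_resolver() {
    dig +tries=1 +time=3 "${2:-example.com}" "@$1" 2>/dev/null | classify_dig_output
}

# Constructed sample transcripts so the classifier can be tested offline.
# The first two are the outputs shown in the text above.
sample_open() {
cat <<'EOF'
; <<>> DiG 9.8.1-P1 <<>> cert-bund.de @192.168.45.67
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43941
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
EOF
}

sample_refused() {
cat <<'EOF'
; <<>> DiG 9.8.1-P1 <<>> cert-bund.de @192.168.45.67
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 42022
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
EOF
}

# Constructed: authoritative-only server answering for its own zone,
# NOERROR with "aa" but without "ra". This is not an open resolver.
sample_authoritative_only() {
cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
EOF
}

# Constructed: firewall dropped the query, dig prints no header at all.
sample_timeout() {
cat <<'EOF'
;; connection timed out; no servers could be reached
EOF
}
```

Source the file and call check_resolver with your server's address; a verdict of OPEN from an address outside your trusted networks means the configuration change has not taken effect (or the firewall rule does not cover the path you tested from). Because the decision rests on the "ra" flag rather than on whether any records came back, a server that is authoritative for the queried name is not misreported as open.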