Secure an open recursive DNS server

Follow These Instructions to Lock Your DNS Server Down

These changes restrict recursive and caching lookups to the IP blocks listed in the configuration. A recursive lookup is one where the server resolves a name it is not authoritative for on behalf of the client: if you query your nameserver for yahoo.com and it goes out to the internet to find the answer, that is a recursive lookup. A server that does this for anyone on the internet is an open resolver, which can be abused as a reflector in DNS amplification attacks and lets arbitrary clients drive queries into its cache, widening the surface for cache poisoning.

1. On Linux servers running BIND, edit /etc/named.conf (on Debian and Ubuntu the options block usually lives in /etc/bind/named.conf.options). Back up the file before making any changes.

Notice that the only entry is 127.0.0.1. This keeps the local machine able to resolve through itself when its /etc/resolv.conf points at nameserver 127.0.0.1. Replace or extend these entries with only the subnets that actually need recursion; anything not listed will get REFUSED for names the server is not authoritative for, while authoritative answers for your own zones are still served to everyone.

acl "trusted" {
    127.0.0.1/32;        // the server itself (resolv.conf pointing at 127.0.0.1)
    // 192.0.2.0/24;     // add your own client subnets here
};

options {
    recursion yes;                        // recursion stays on, but only for "trusted"
    allow-recursion { trusted; };
    allow-query-cache { trusted; };       // cached answers are not handed to outsiders
};

After the change, validate the syntax with “named-checkconf” (a missing semicolon after a closing brace is the usual mistake) and then restart BIND with “systemctl restart named” (“service named restart” or “/etc/init.d/named restart” on older systems; on Debian and Ubuntu the service is called bind9).

2. Windows Servers

On Windows servers, recursion should be disabled unless the server is deliberately used as a caching resolver for your own clients. In DNS Manager, open the server's Properties, go to the Advanced tab and tick “Disable recursion (also disables forwarders)”. The checkbox label carries the caveat: with recursion off the server only answers for the zones it hosts, so this is the right setting for authoritative-only servers. If the same server must still recurse for internal clients, restrict UDP and TCP port 53 to those clients with a firewall rule, or on Windows Server 2016 and later use DNS policies with recursion scopes so that recursion is granted only to chosen client subnets.
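Whichever platform you locked down, verify it from a host outside the allowed subnets. The following is an added example, not code from the original article: a minimal open-resolver check that builds a raw DNS query with the RD (recursion desired) bit set and reads the reply the way you would read dig output. A locked-down server answers a name it is not authoritative for with REFUSED (and without the RA flag); an open resolver answers NOERROR with RA set and a record. The target address 192.0.2.53, the probe name www.example.com and the two sample responses are constructed for illustration so the parsing logic runs offline.

```python
"""Open-resolver check: raw DNS query with RD=1, classify the reply by RA flag and RCODE."""
import socket
import struct
import sys

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Encode one A/IN question for `name` with flags 0x0100 (RD=1) and QDCOUNT=1."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_header(resp: bytes) -> dict:
    """Pull the fields a recursion check needs out of the 12-byte DNS header."""
    if len(resp) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),   # response bit
        "rd": bool(flags & 0x0100),   # recursion desired (copied from the query)
        "ra": bool(flags & 0x0080),   # recursion available: BIND clears it for denied clients
        "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
        "ancount": an,
    }


def classify(resp: bytes, txid: int) -> str:
    """
    'open'   : RA set and NOERROR with at least one record -> recursion was served
    'closed' : REFUSED, or RA cleared -> recursion denied (the goal of this article)
    'other'  : wrong txid, not a response, SERVFAIL, empty answer -> inspect by hand
    """
    h = parse_header(resp)
    if h["id"] != txid or not h["qr"]:
        return "other"
    if h["rcode"] == "REFUSED" or not h["ra"]:
        return "closed"
    if h["rcode"] == "NOERROR" and h["ancount"] > 0:
        return "open"
    return "other"


def probe(server: str, name: str = "www.example.com", port: int = 53, timeout: float = 3.0) -> str:
    """Send the query over UDP to a real server and classify the reply (needs network access)."""
    txid = 0x1234
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (server, port))
        data, _ = sock.recvfrom(512)
    return classify(data, txid)


# Constructed sample replies (not captured from a real server) for the two outcomes.
# Header layout: ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT, followed by the question.
QUESTION = build_query("www.example.com")[12:]
# 0x8105 = QR=1, RD=1, RA=0, RCODE=5 (REFUSED): what a locked-down BIND returns to outsiders
REFUSED_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0) + QUESTION
# 0x8180 = QR=1, RD=1, RA=1, RCODE=0 plus one A record (192.0.2.10, illustrative): an open resolver
OPEN_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + QUESTION
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
)

if __name__ == "__main__":
    print("sample refused reply :", classify(REFUSED_RESPONSE, 0x1234))
    print("sample open reply    :", classify(OPEN_RESPONSE, 0x1234))
    if len(sys.argv) > 1:                      # e.g. python3 check.py 192.0.2.53 (assumed address)
        print(sys.argv[1], ":", probe(sys.argv[1]))
```

Run it from a machine that is not in the allowed ACL; a result of "closed" for a name you do not host is what a correctly restricted server produces. The check deliberately keys on the RA flag as well as the REFUSED code, because BIND advertises recursion availability per client, so a cleared RA is itself evidence the ACL applies.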
