How to close open BIND-based DNS servers

With DNS amplifiers being used more and more in DoS-type network attacks, we’ve been in contact with customers who have ‘open’ DNS resolvers and servers within Network Presence. A quick and simple way to “lock down” your BIND-based DNS server is to add entries like the ones below to the ‘options’ section of named.conf:

options {
        // Only these clients may ask us to resolve names we don't host
        allow-recursion {
                localhost;
                YOURIPADDRESSES;
        };
        // ... or read answers already sitting in our cache
        allow-query-cache {
                localhost;
                YOURIPADDRESSES;
        };
        // Nobody may pull whole zones (AXFR/IXFR) from us
        allow-transfer {
                none;
        };
};

Where YOURIPADDRESSES is the list of IP addresses on your VPS or Colo host itself, one per line and each ending in a semicolon (a whole network in CIDR form is also accepted). Note that every address list in named.conf is terminated by `};`, including the closing brace of each allow-* block; leaving that semicolon off is a syntax error and named will refuse to load. Please contact us if you’re not sure of all your IP addresses.

Then check the syntax with named-checkconf (it prints nothing when the file is fine) and reload (eg: service named reload, /etc/init.d/named reload or rndc reload, as root, depending on your Linux distro) or restart your named daemon to pick up the new settings.

These options will still allow your DNS server to host your own domains (allow-query is left at its default), but it will refuse to resolve names you don’t host for anyone outside the listed addresses, which is exactly what makes a server an ‘open’ DNS resolver. Two caveats: if the server is meant to resolve for your own LAN or other hosts, add those networks to allow-recursion and allow-query-cache too; and if you have secondary name servers pulling zones from this one, list their addresses in allow-transfer instead of none, or the transfers will stop. If the server is purely authoritative and should never recurse for anyone, recursion no; in the options section does the job more simply.
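To confirm the change actually took, query the server from an address that is not in your allow-recursion list for a name you don’t host: a closed server answers REFUSED (or clears the RA flag), an open one happily resolves it. The script below is an added example, not part of the original post or of BIND; it builds the same kind of query dig sends, with the standard library only, and classifies the reply. The probe name recursion-probe.example. is an assumption (any name you don’t host will do) and the server under test must be reachable on UDP port 53.

```python
"""Check whether a DNS server answers recursive queries for names it does not host.

Added example, not part of the original post. Assumes the probed name
(recursion-probe.example. by default) is not hosted on the server under test.
"""
import socket
import struct
import sys

RCODE_NOERROR, RCODE_NXDOMAIN, RCODE_REFUSED = 0, 3, 5


def build_query(name, txid=0x1234, qtype=1):
    """Build a minimal DNS query (RD=1, one A question), the same thing
    `dig @server name` sends."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD only
    labels = [l for l in name.rstrip(".").split(".") if l]
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN


def parse_response(data):
    """Pull the header fields we care about out of a raw DNS response."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    return {
        "txid": txid,
        "qr": bool(flags & 0x8000),   # response bit
        "ra": bool(flags & 0x0080),   # recursion available to *this* client
        "rcode": flags & 0x000F,
        "answers": ancount,
    }


def classify(resp, expected_txid=None):
    """'closed' if the server will not recurse for us, 'open' if it did."""
    if not resp["qr"] or (expected_txid is not None and resp["txid"] != expected_txid):
        return "inconclusive"
    if resp["rcode"] == RCODE_REFUSED:
        return "closed"   # BIND's reply for a non-hosted name once allow-recursion excludes us
    if not resp["ra"]:
        return "closed"   # recursion not offered; anything returned came from local zones only
    if resp["rcode"] in (RCODE_NOERROR, RCODE_NXDOMAIN):
        return "open"     # the server resolved (or disproved) a name it does not host
    return "inconclusive"


def probe(server, name="recursion-probe.example.", port=53, timeout=3.0):
    """Send one UDP query and classify the reply (network access required)."""
    txid = 0x1234
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name, txid), (server, port))
        data, _ = sock.recvfrom(512)
    except socket.timeout:
        return "inconclusive"   # dropped silently: a firewall, not the BIND ACL
    finally:
        sock.close()
    return classify(parse_response(data), txid)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(f"{target}: {probe(target)}")
```

Run it from a host outside your allow-recursion list (a probe from localhost will always say open, because localhost is in the list). A timeout is reported as inconclusive rather than closed on purpose: it usually means a firewall ate the packet, and says nothing about the BIND ACLs.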

On today’s Internet it’s very important that open DNS servers are closed.

FYI and regards,
Richard.
