How to prevent DNS server as an open recursive resolver

As a system administrator, it is your responsibility to make sure that DNS servers are configured correctly. In this tutorial I want to show you how to secure the DNS servers preventing as an open recursive resolver.

Open recursive resolver means that your DNS servers become public DNS so any hosts can resolve any domains using your DNS servers. Beside that your DNS will load highly, open resolver DNS also can be used for an attack, something that every system administrators don’t want this to happen.

Here are the steps on how to prevent BIND DNS as an open resolver:

1. In the named.conf configuration file, create an access control list (ACL) and define a limited set of hosts that should be allowed to respond. Query from outside of these hosts will be refused. Let’s say the ACL name is ‘allowed_hosts’.

acl allowed_hosts {;;;

2. In the ‘options’ section, set the allow_query value ‘allowed_hosts’ as below:

options {
        version "Hidden";
        directory "/var/named";
        allow-query { allowed_hosts; };
        recursion yes;
        recursive-clients 5000;
        forwarders {;; };

3. If there are zone domains hosted inside the servers, you need to set “allow-query” to “any” for each zone.

zone “” in {
        type master;
        allow-transfer { slave_hosts ; } ;
        file “conf/com/”;
        allow-query { any; };

4. Restart the BIND and try to test resolving domain names using the DNS server configured above.

Test using ‘nslookup’ command from outside of allowed_hosts.

$ nslookup 
> server
Default server:

** server can't find REFUSED

Test using ‘dig’ command from outside of allowed_hosts.

$ dig @

; <<>> DiG 9.8.3-P1 <<>> @
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<

If everything configured correctly, you should get status ‘REFUSED’ if testing from outside of allowed_hosts.