How to prevent a BIND DNS server from being an open recursive resolver

As a system administrator, it is your responsibility to make sure that your DNS servers are configured correctly. In this tutorial I want to show you how to secure a BIND DNS server so that it does not act as an open recursive resolver.

An open recursive resolver is a DNS server that answers recursive queries from any host on the Internet, so anyone can resolve any domain through it, as if it were a public DNS service. Apart from the extra load this puts on your server, an open resolver can be abused for attacks: because DNS queries are mostly carried over UDP, an attacker can send small queries with a spoofed source address and have your server deliver much larger answers to the victim (DNS amplification), and because anyone can trigger lookups at will, cache-poisoning attempts against your server become easier. No system administrator wants that to happen.

Here are the steps to prevent BIND from acting as an open resolver:

1. In the named.conf configuration file, create an access control list (ACL) that defines the limited set of networks allowed to send queries to the server. Queries from any other address will be refused. Let's say the ACL name is 'allowed_hosts'. Write each entry as a network address aligned to its prefix length (host bits zero), otherwise named-checkconf warns that the address and prefix length do not match.

// Networks that may use this server as a resolver.
acl allowed_hosts {
        11.22.32.0/21; 44.55.66.0/23; 77.88.96.0/19;
};

2. In the 'options' section, set allow-query to 'allowed_hosts' as below. allow-query alone restricts every query, including queries for zones the server is authoritative for, which is why step 3 re-opens those zones. Recursion is the capability that actually makes the server an open resolver, so also set allow-recursion and allow-query-cache explicitly: BIND 9 falls back to the allow-query ACL when they are not set, but stating them keeps the restriction in force even if allow-query is later relaxed.

options {
        version "Hidden";                       // do not advertise the BIND version
        directory "/var/named";
        allow-query { allowed_hosts; };         // refuse queries from anyone else
        allow-recursion { allowed_hosts; };     // only these networks may recurse through us
        allow-query-cache { allowed_hosts; };   // and only they may read cached answers
        recursion yes;
        recursive-clients 5000;
        forwarders { 8.8.8.8; 8.8.4.4; };
};

3. If the server is also authoritative for zones, set allow-query to 'any' in each of those zones so that the rest of the Internet can still resolve names in them. The per-zone setting overrides the global allow-query for that zone only; it does not grant recursion, so outside hosts get authoritative answers for example.com but are still refused for everything else.

zone "example.com" in {
        type master;
        allow-transfer { slave_hosts; };        // ACL of secondary servers, defined like allowed_hosts
        file "conf/com/example.com";            // relative to the 'directory' set in options
        allow-query { any; };                   // this zone stays queryable by everyone
};

4. Check the configuration with named-checkconf, then restart or reload BIND (for example with rndc reload) and test name resolution against the server from both inside and outside allowed_hosts.

Test using the 'nslookup' command from a host outside allowed_hosts:

$ nslookup 
> server 11.22.33.100
Default server: 11.22.33.100
Address: 11.22.33.100#53
> google.com
Server:		11.22.33.100
Address:	11.22.33.100#53

** server can't find google.com: REFUSED

Test using the 'dig' command from a host outside allowed_hosts:

$ dig @11.22.33.100 google.com

; <<>> DiG 9.8.3-P1 <<>> @11.22.33.100 google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<

If everything is configured correctly, you get status REFUSED when testing from outside allowed_hosts, while the same queries from inside allowed_hosts are answered normally. A NOERROR answer with the 'ra' (recursion available) flag set for a name you are not authoritative for, seen from outside, means the server is still an open resolver.
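The manual nslookup and dig checks above can be scripted so they are repeatable after every configuration change. The following POSIX shell script is an added example and is not part of the original tutorial: it classifies a server as open, closed or unknown from dig's output, and a small wrapper runs the live probe. It assumes dig (from bind-utils or dnsutils) is installed for the live probe; the classifier itself only needs sed, and the sample dig outputs embedded at the end are constructed for offline checking, not captured from a real server.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: classify a DNS server as
# open/closed from dig's output. Assumes dig is installed for the live probe;
# the classifier only uses sed and is exercised on constructed output below.

# classify_dig_output: read dig output on stdin and print one of
#   open    - answered NOERROR with the "ra" flag, i.e. the server recursed
#   closed  - answered REFUSED, which the tutorial's ACL should produce
#   unknown - anything else: timeout, SERVFAIL, an authoritative answer
#             without "ra", or output that does not come from dig
classify_dig_output() {
    out=$(cat)
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\).*/\1/p' | head -n 1)
    flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1)
    case "$status" in
        REFUSED) echo closed ;;
        NOERROR)
            case " $flags " in
                *" ra "*) echo open ;;
                *)        echo unknown ;;
            esac ;;
        *) echo unknown ;;
    esac
}

# probe_resolver SERVER [NAME]: send the same recursive query the tutorial
# tests with and print the classification. Use a name the server is not
# authoritative for; an authoritative NOERROR proves nothing about recursion.
probe_resolver() {
    server=$1
    name=${2:-google.com}
    dig @"$server" "$name" A +recurse +time=3 +tries=1 | classify_dig_output
}

# Constructed dig output (not captured from a real server) for offline checks.
SAMPLE_REFUSED=';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 12345
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0'
SAMPLE_OPEN=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23456
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0'
SAMPLE_AUTH_ONLY=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34567
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0'
SAMPLE_TIMEOUT=';; connection timed out; no servers could be reached'

# Usage: sh probe.sh 11.22.33.100 [name]
if [ $# -gt 0 ]; then
    probe_resolver "$@"
fi
```

Run it from an address outside allowed_hosts and expect 'closed'; from inside allowed_hosts 'open' is the expected result, since those networks are meant to recurse through the server. 'unknown' for a timeout usually means a firewall is dropping the probe rather than BIND refusing it, which is fine for the outside case but worth investigating from the inside.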