An Open DNS Resolver is a DNS server that’s willing to resolve recursive DNS lookups for anyone on the internet.

DNS resolvers that accept requests from all IP addresses and are exposed to the internet can be abused to conduct Denial of Service (DoS) attacks on behalf of the abuser. That means you become a silent facilitator of a large-scale attack. A DNS amplification attack is a popular form of Distributed Denial of Service (DDoS) attack.

The primary technique consists of an attacker sending a DNS name lookup request to an open DNS server. This is done by spoofing (or faking) the source IP of the DNS request such that the response is not sent back to the computer that issued the request, but instead to the victim.

The open DNS resolver does not verify the source address of the query and sends the large cached DNS record to the victim’s IP address. The attack continues for as long as the attacker keeps sending the spoofed queries. It is called “amplification” because each spoofed request asks for all known information about the requested DNS zone, so the response is 10 to 20 times larger than the request. A large volume of traffic is therefore generated with very little effort.

Do you have an open resolver?

You can do a simple test from your command shell.

dig +short TXT @your-vps-ip-address

If the resolver is open, the response contains “open-resolver-detected”.

How to Close an Open DNS Resolver:

1. One method is to limit incoming DNS queries using a firewall.

2. If you run an authoritative-only name server:

Open your DNS server’s main configuration file with a text editor (this example assumes that you run BIND):

vi /etc/named.conf

Add the following lines inside the options block to disable recursion and deny access to the cache:

options {

     allow-query-cache { none; };

     recursion no;

};


Then restart the name server:

/etc/init.d/named restart
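To confirm that the change took effect, the same check the dig command above performs can be done from a short script run against your own server: send a query with the RD (recursion desired) bit set and look at the RA (recursion available) bit and RCODE in the reply. An authoritative-only BIND answers REFUSED with RA cleared; an open resolver sets RA. This is an added example, not code from the original post; the server address, query name and the two sample replies are constructed for illustration.

```python
import socket
import struct

QUERY_ID = 0x1234  # constructed transaction ID; any 16-bit value works

def build_query(name: str, qtype: int = 16, qid: int = QUERY_ID) -> bytes:
    """Build a minimal DNS query with RD=1 (recursion desired). qtype 16 = TXT."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # flags: only RD set
    qname = b"".join(bytes([len(p)]) + p.encode("ascii")
                     for p in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN

def parse_header(resp: bytes) -> dict:
    """Extract the header fields that reveal whether a server acts as a resolver."""
    if len(resp) < 12:
        raise ValueError("truncated DNS header")
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return {
        "id": qid,
        "qr": bool(flags & 0x8000),   # response bit
        "ra": bool(flags & 0x0080),   # recursion available: the decisive signal
        "rcode": flags & 0x000F,      # 0 NOERROR, 3 NXDOMAIN, 5 REFUSED
        "ancount": an,
    }

def is_open_resolver(resp: bytes, qid: int = QUERY_ID) -> bool:
    """Open if the reply is ours, advertises RA and did not refuse the query."""
    h = parse_header(resp)
    return h["qr"] and h["id"] == qid and h["ra"] and h["rcode"] != 5

def check(server: str, name: str, timeout: float = 3.0) -> bool:
    """Send one recursive query over UDP/53 and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        resp, _ = s.recvfrom(4096)
    return is_open_resolver(resp)

# Constructed sample replies (header only) for offline testing:
OPEN_RESP = struct.pack("!HHHHHH", QUERY_ID, 0x8180, 1, 1, 0, 0)    # QR+RD+RA, NOERROR
CLOSED_RESP = struct.pack("!HHHHHH", QUERY_ID, 0x8105, 1, 0, 0, 0)  # QR+RD, REFUSED, no RA

if __name__ == "__main__":
    # Replace with your own server's address; "example.com" is a placeholder name.
    print("open resolver" if check("192.0.2.1", "example.com") else "closed")
```

Run it before and after editing named.conf; the result should change from "open resolver" to "closed".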
