Last updated on August 17, 2020 by Sarmed Rahman
The DNS server that we have created in the previous tutorial is an open DNS resolver. An open resolver does not filter any incoming requests, and accepts queries from any source IP address.
Unfortunately, an open resolver can become an easy target to attackers. For example, attackers can initiate a Denial of Service (DoS) or even worse, a Distributed Denial of Service (DDoS) attack on the open DNS server. These attacks can also be combined with IP spoofing, where all the reply packets will be directed to a victim’s spoofed IP address. In another attack scenario called DNS amplification attacks, an open DNS server can actively participate in the attacks.
According to openresolverproject.org, it is not advisable to run an open resolver unless necessary. Most companies keep their DNS servers accessible to only their customers. This tutorial will focus on how to configure a DNS server so that it stops being an open resolver and responds only to valid customers.
As DNS runs on UDP port 53, system admins may attempt to allow port 53 for client IP addresses only, and block the port from the rest of the Internet. Though this will work, there are going to be some problems. Since the communication between the root servers and the DNS servers uses port 53 as well, we have to make sure that the IP addresses of the root servers are also allowed on UDP port 53 in the firewall.
A sample firewall script is provided below. For production servers, make sure that the rules match your requirements and also comply with company security policies.
# vim firewall-script

## existing rules are flushed to start with a new set of rules ##
iptables -F
## only UDP is filtered here; DNS also uses TCP port 53 for large answers and zone transfers ##
iptables -A INPUT -s A.A.A.A/X -p udp --dport 53 -j ACCEPT
iptables -A INPUT -s B.B.B.B/Y -p udp --dport 53 -j ACCEPT
iptables -A INPUT -s C.C.C.C/Z -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j DROP
## making the rules persistent ##
service iptables save
Make the script executable and run it.

# chmod +x firewall-script
# ./firewall-script
DNS queries can be primarily categorized as recursive and iterative queries. For a recursive query, the server responds to the client with either the answer or an error message. If the answer is not available in the server cache, the server communicates with the root servers to obtain the authoritative name servers. The server keeps looking up until it gets an answer, or until the query times out. For an iterative query, on the other hand, the server simply refers the client to another server that may be able to answer, which means less processing on the server itself.
We can control the IP addresses that are allowed for recursive queries. We modify the configuration file /etc/named.conf and add/modify the following parameters.
# vim /etc/named.conf

## we define ACLs to specify the source address/es ##
acl customer-a { A.A.A.A/X; };
acl customer-b { B.B.B.B/Y; C.C.C.C/Z; };

## we call the ACLs under options directive ##
options {
    directory "/var/named";
    allow-recursion { customer-a; customer-b; };
};
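A defender-side check for the ACLs above, added here as an example and not part of the tutorial: it parses BIND 9 query-log lines (logging category "queries", which has to be enabled on the server) and reports recursive queries (RD flag set, shown as a leading + in the log) that came from addresses outside the customer ACLs, i.e. requests the new allow-recursion setting should be refusing. The CIDRs are constructed RFC 5737 placeholders standing in for A.A.A.A/X, B.B.B.B/Y and C.C.C.C/Z, and the sample log lines are constructed too.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Placeholder ACLs standing in for the A.A.A.A/X, B.B.B.B/Y and C.C.C.C/Z prefixes in
# the tutorial's named.conf; the values are constructed RFC 5737 documentation ranges.
ACLS = {
    "customer-a": ["192.0.2.0/24"],
    "customer-b": ["198.51.100.0/24", "203.0.113.0/25"],
}
ALLOWED = [ipaddress.ip_network(n) for nets in ACLS.values() for n in nets]

# Shape of a BIND 9 query-log line (category "queries"):
#   client [@0x...] <ip>#<port> (<qname>): query: <name> <class> <type> <flags> (<local-ip>)
# The first flag character is '+' when the client set RD (recursion desired), '-' otherwise.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ "
    r"\([^)]*\): query: (?P<name>\S+) \S+ (?P<qtype>\S+) (?P<flags>[+-]\S*)"
)

def in_acl(ip: str) -> bool:
    """True if the client address falls inside any allow-recursion ACL prefix."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED)

def check_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (client, name, qtype) for a recursive query from outside the ACLs, else None."""
    m = QUERY_RE.search(line)
    if not m:
        return None  # not a query-log line
    wants_recursion = m.group("flags").startswith("+")
    if wants_recursion and not in_acl(m.group("ip")):
        return (m.group("ip"), m.group("name"), m.group("qtype"))
    return None

def scan(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Collect every recursive query the ACLs should have refused."""
    return [hit for hit in map(check_line, lines) if hit]

# Constructed sample query-log lines (not captured from a real server).
SAMPLE_LOG = [
    "17-Aug-2020 10:12:33.101 queries: info: client @0x7f3a1c0 192.0.2.10#51234 (www.example.com): query: www.example.com IN A +E(0)K (192.0.2.1)",
    "17-Aug-2020 10:12:33.205 queries: info: client @0x7f3a1c0 203.0.113.200#4444 (isc.org): query: isc.org IN ANY +E(0) (192.0.2.1)",
    "17-Aug-2020 10:12:33.310 queries: info: client @0x7f3a1c0 203.0.113.200#4445 (example.com): query: example.com IN A -E(0) (192.0.2.1)",
    "17-Aug-2020 10:12:33.412 queries: info: client 198.51.100.7#33000 (example.net): query: example.net IN MX + (192.0.2.1)",
]

if __name__ == "__main__":
    for client, name, qtype in scan(SAMPLE_LOG):
        print(f"recursion requested from outside the customer ACLs: {client} asked for {name}/{qtype}")
```

Run it against the server's own query log (one line per list entry) after the named.conf change; any hit means either the ACLs miss a legitimate customer range or a non-customer is still asking for recursion and should be seeing REFUSED.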
If you must run an open resolver, it is recommended that you tune the firewall properly so that your server cannot be exploited. The smurfmonitor repository provides a powerful set of iptables rules that can be used in open resolvers, such as blocking requests for domains involved in DNS amplification attacks. The repository is updated periodically, and it is highly recommended for DNS server admins.
To sum up, attacks on open DNS resolvers are common, especially for DNS servers without proper security. This tutorial demonstrated how to disable an open DNS server. We have also seen how iptables can be used to add an additional layer of security to an open DNS server.
Hope this helps.
Please note that this article is published by Xmodulo.com under a Creative Commons Attribution-ShareAlike 3.0 Unported License. If you would like to use the whole or any part of this article, you need to cite this web page at Xmodulo.com as the original source.