April 14, 2021
Open DNS resolvers are DNS resolvers that respond to each IP address and can, therefore, be abused for “amplification attacks”. Simply put, an amount of data can be sent to your DNS resolvers (from a spoofed IP) and a significantly larger amount of data is returned. In this way, malicious people can then misuse your resolvers to perform a DDoS attack on the spoofed IP address.
That is why it is very important that you always disable this and only allow resolving for specific IPs / servers, for example from your private network. You can disable the open DNS resolvers as follows:
Log in to your server and click ‘DNS‘ in your Server Manager with the left mouse button. Then click the name of your VPS with the right mouse button and click ‘DNS Manager‘.
DNS management is opened. Click the name of the VPS with the left mouse button in the left menu and then ‘Properties’ with the right mouse button (directly clicking the name of the VPS with the right mouse button does not work).
Click the ‘Advanced’ tab (see the screenshot in step 4).
Check ’Disable recursion‘ and click ‘Apply’.
Open DNS resolvers on your VPS are now disabled.
BIND is most commonly used as a DNS server, but if you use a different DNS server, please consult its documentation. In Bind you disable open DNS resolvers by adding the following lines (as root) in the options section of /etc/named.conf:
First open /etc/named.conf:
nano /etc/named.conf
Under the ‘Options’ section, add the lines:
allow-transfer {"none";};
allow-recursion {"none";};
recursion no;
Save the changes and close the file (ctrl + x > y > enter).
To process the changes, reloading the service suffices:
service bind9 reload
service named reload
Done ! you have disabled your Open DNS resolver.
What a great article! It’s helped me so much.