HOWTO Closed vs Open DNS

The terms Open and Closed are now used to describe DNS servers in the following context:

  1. Open DNS: a DNS server that accepts recursive queries from external locations. Essentially anyone, anywhere can use your DNS to resolve recursive queries, for genuine or malicious reasons.

  2. Closed DNS: a DNS server that accepts recursive queries only from an identified (and hopefully trusted) set of clients.

Much like Open Mail Relays, Open DNS servers are not a good thing in the modern world. What used to be a friendly and neighbourly gesture, running an Open DNS, may now inadvertently place yourself and others at risk for three major reasons:

  1. DoS attacks: by sending queries for random domain names to your DNS, the bad guys can make your server extremely busy and clog up the Internet with useless traffic.

  2. DoS amplification attacks: by sending queries for specific domains, the bad guys can make your DNS part of (and amplify the effect of) a wider DoS attack on a particular site.

  3. Cache Poisoning: by sending specific queries, the bad guys can dictate or control the queries that leave your site, and thus attempt to spoof the responses with nasty and pernicious data.

In general, the rule should be:

If your DNS does not need to be available to the world, that is, you are not an ISP or a generous human being, then limit recursive (or all) queries to your DNS using any of the following techniques.

Close the DNS

Use as many of the techniques described here as are appropriate to your installation.

Note: All the sample files included throughout this guide use one or more of the techniques described.

  1. If you run a caching-only or forwarding-only DNS server, use a firewall to block incoming DNS (port 53) queries from outside your network.

  2. If you run an authoritative-only server, you should already be preventing recursion with the following line in the global options clause:

    # inhibit all recursion
    recursion no;
    
  3. If you run master or slave domains, limit the scope of recursion by adding the following statement to the global options clause:

    # use an appropriate local address scope statement
    # to limit recursion requests to local users
    allow-recursion {192.168.2.0/24;};
    
    # OR if the DNS server's IPs and netmasks cover the whole 
    # local network you can use:
    allow-recursion {"localnets";};
    
  4. If you run only a caching or forwarding DNS, limit the scope of all queries by adding the following statement to the global options clause:

    # use an appropriate local address scope statement
    # to limit all query requests to local users
    allow-query {192.168.2.0/24;};
    
    # OR if the DNS server's IPs and netmasks cover the whole 
    # local network you can use:
    allow-query {"localnets";};
    
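As an added check (example code, not from this guide or from BIND), the following Python audits the global options clause of a named.conf for the three settings above and classifies the server as open, closed or authoritative-only. The sample configurations are constructed, and an address-match list that is absent or contains "any" is treated as open.

```python
"""Audit a BIND named.conf options clause for open-recursion exposure.
Added example, not from the guide or from BIND. An address-match list that is
absent or contains "any" counts as open (the default in older BIND releases).
"""
import re

# Constructed sample configurations, not taken from any real installation.
OPEN_CONF = """options {
    recursion yes;
};
"""
CLOSED_CONF = """options {
    allow-recursion {192.168.2.0/24;};
    allow-query {"localnets";};
};
"""
AUTH_ONLY_CONF = """options {
    recursion no;
};
"""

def options_clause(conf: str) -> str:
    """Return the body of the global options { ... }; clause, or ''."""
    m = re.search(r"\boptions\s*\{(.*?)\n\};", conf, re.S)
    return m.group(1) if m else ""

def acl_elements(body: str, name: str):
    """Elements of an address-match list such as allow-query {...}; None if absent."""
    m = re.search(r"\b%s\s*\{([^}]*)\}\s*;" % re.escape(name), body)
    if m is None:
        return None
    return [e.strip().strip('"') for e in m.group(1).split(";") if e.strip()]

def acl_is_open(elems) -> bool:
    """Absent, empty, or containing 'any' means no restriction."""
    return not elems or "any" in elems

def classify(conf: str) -> str:
    """Return 'authoritative-only', 'closed' or 'open'."""
    body = options_clause(conf)
    rec = re.search(r"(?<![\w-])recursion\s+(yes|no)\s*;", body)
    if rec and rec.group(1) == "no":
        return "authoritative-only"
    # A client refused by allow-query never reaches the recursion check,
    # so either restricted list is enough to close the server.
    if all(acl_is_open(acl_elements(body, n))
           for n in ("allow-recursion", "allow-query")):
        return "open"
    return "closed"
```

Run `classify()` over your own named.conf text; anything reported as "open" on a server that is not meant to serve the world should get one of the statements above.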

Pro DNS and BIND by Ron Aitchison
