Open Resolver – Securing Bind Server (Archive)

Just like your mail server can be abused if you leave the SMTP relay open, your BIND server can be abused if you have a “OPEN RESOLVER”.

Basically what that means is you leave your DNS server open for queries from any host.  You can learn more about DNS “amplication attacks” here:
http://www.securiteam.com/securityreviews/5GP0L00I0W.html

The fix is pretty simple. Just update your named.conf file with the following lines.

acl mynetworkips {10.1.1.4; 192.168.0.1;};
options {
directory "/var/named";
allow-recursion {mynetworkips;};
allow-query-cache {mynetworkips;};
};

*note – change the IP appress above to your server ip addresses.

You can do the update in Webmin by

Bind DNS Server > Edit Confg File
Once updated, save and ‘apply configuration’ for Bind to update.

Check your update; Bind DNS Server > Access Control List
This should list the IP address you just added.

Open Resolver Test:

http://dns.measurement-factory.com/cgi-bin/openresolvercheck.pl/

Open Resolver Test
This tool sends a single “recursion desired” query to one or more target addresses. If the queries are forwarded to our authoritative server, the host has an open resolver running at that address.

Enter up to 10 IPv4 Addresses:

Open Resolver Test from command line:

If you have the dig command on your system, simply run.

#dig +short amiopen.openresolvers.org TXT

should give results like: 

“Your resolver at ip.add.re.ss is CLOSED”