How to close an open DNS resolver
2022-06-30 23:21:00 【Brother Xing plays with the clouds】
The DNS server we created in the previous tutorial is an open DNS resolver. An open resolver does not filter requests by their source and accepts queries from any IP address.
Unfortunately, open resolvers easily become targets of attack. For example, an attacker can launch a denial-of-service (DoS) attack, or worse, a distributed denial-of-service (DDoS) attack, against an open DNS server. These can also be combined with IP spoofing, so that the response packets are directed at the victim's spoofed IP address. In other cases, known as DNS amplification attacks, open DNS servers are likewise easy targets.
According to openresolverproject.org, it is unwise to run an open resolver unless it is really necessary. Most companies want their DNS server to be open only to their customers. This tutorial focuses on how to configure a DNS server so that it stops being an open resolver and responds only to valid clients.
Adjust the firewall
Because DNS runs on UDP port 53, an administrator may try to allow only client IP addresses to reach port 53 and block the rest of the Internet. This can work, but there is a catch: the root servers also communicate with the DNS server on port 53, so we have to make sure that UDP port 53 is allowed for that traffic.
An example firewall script is shown below. For a production server, make sure the rules match your requirements and comply with your company's security policy.
# vim firewall-script

```sh
#!/bin/bash
## existing rules are flushed to start with a new set of rules ##
iptables -F
## A.A.A.A/X, B.B.B.B/Y and C.C.C.C/Z are the client networks allowed to query ##
iptables -A INPUT -s A.A.A.A/X -p udp --dport 53 -j ACCEPT
iptables -A INPUT -s B.B.B.B/Y -p udp --dport 53 -j ACCEPT
iptables -A INPUT -s C.C.C.C/Z -p udp --dport 53 -j ACCEPT
## everything else arriving on UDP/53 is dropped ##
iptables -A INPUT -p udp --dport 53 -j DROP
## DNS also uses TCP/53 (large answers, zone transfers): add matching -p tcp rules ##
## making the rules persistent ##
service iptables save
```
Make the script executable and run it.

```sh
# chmod +x firewall-script
# ./firewall-script
```
Prevent recursive queries
DNS queries can be divided mainly into recursive queries and iterative queries. For a recursive query, the server responds to the client with either an answer or an error message. If the answer is not in the server's cache, the server contacts the root servers and obtains the authoritative name server for the domain, then keeps querying until it gets the result or the request times out. For an iterative query, on the other hand, the server refers the client to another server that may be able to handle the request, which reduces the work the server itself has to do.
We can control which IP addresses are allowed to run recursive queries. Edit /etc/named.conf and add or modify the following parameters.
# vim /etc/named.conf

```
## we define ACLs to specify the source address/es ##
acl customer-a { A.A.A.A/X; };
acl customer-b { B.B.B.B/Y; C.C.C.C/Z; };

## we call the ACLs under the options directive ##
options {
    directory "/var/named";
    ## only these clients may ask this server to recurse; others get REFUSED ##
    allow-recursion { customer-a; customer-b; };
};
```
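After applying the firewall rules and the allow-recursion ACL above, verify the result from both an allowed client and a non-allowed one. The following is an added example, not part of the original tutorial: it builds a DNS query with the RD bit set, the kind of request an open resolver would serve, and classifies the reply by its flags. It assumes BIND's usual behaviour of answering REFUSED with the RA bit clear when recursion is denied; `example.com` and the server address are placeholders.

```python
import socket
import struct

# DNS header flag bits and rcodes (RFC 1035)
FLAG_QR = 0x8000       # response
FLAG_RD = 0x0100       # recursion desired (set by the client)
FLAG_RA = 0x0080       # recursion available (set by the server for this client)
RCODE_MASK = 0x000F
RCODE_NOERROR, RCODE_NXDOMAIN, RCODE_REFUSED = 0, 3, 5


def build_query(name, txid=0x1234):
    """Build a minimal A/IN query for `name` with RD=1 (12-byte header + question)."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(struct.pack("B", len(l)) + l.encode("ascii") for l in labels)
    header = struct.pack(">HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)  # QDCOUNT=1
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def classify_response(raw):
    """Return 'open', 'closed' or 'other' from the header flags of a raw DNS reply."""
    if len(raw) < 12:
        return "other"
    flags = struct.unpack(">H", raw[2:4])[0]
    if not flags & FLAG_QR:
        return "other"
    rcode = flags & RCODE_MASK
    # Recursion denied for this client: BIND answers REFUSED and clears RA.
    if rcode == RCODE_REFUSED and not flags & FLAG_RA:
        return "closed"
    # Server recursed on our behalf (RA set) and reached a verdict: still open to us.
    if flags & FLAG_RA and rcode in (RCODE_NOERROR, RCODE_NXDOMAIN):
        return "open"
    return "other"


def probe(server, name="example.com", timeout=3.0):
    """Send the query to server:53 over UDP and classify the answer.

    A timeout means the packet was dropped (e.g. by the iptables DROP rule)
    or the server is down; it is reported as 'other'. Not run in offline tests.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return "other"
    return classify_response(data)
```

Run `probe("<your-dns-server>")` from an address inside one of the ACLs and expect "open"; from an address outside them expect "closed" (or "other" if the firewall drops the packet first).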
Adjust the firewall for the open parser
If you have to run an open resolver, I suggest you tune your server properly so that it cannot be abused. The smurfmonitor repository provides a powerful set of iptables rules, for example to block the domain name resolution requests used in DNS amplification attacks. The repository is updated regularly, and DNS server administrators are strongly encouraged to use it.
In general, attacks on open DNS resolvers are very common, especially against DNS servers without proper security protection. This tutorial showed how to close an open DNS server. We also saw how to use iptables to add a layer of security protection to an open DNS server.
I hope it works for you .