
Adjusting DNS to secure servers against DDoS attacks

An open recursive DNS service can be abused to conduct attacks on other networks. This usually
happens when the default settings of the DNS service are left unchanged after installation. A third
party with malicious intent can then use the service to carry out Distributed Denial of Service
(DDoS) attacks (DNS amplification). This can be prevented by adjusting your DNS settings. Choose your
operating system (Windows or Linux) and follow the instructions below:

Windows

Disable recursion on the DNS server: http://technet.microsoft.com/en-us/library/cc787602%28v=ws.10%29.aspx

Then rename the 'root hints cache file' to prevent reference to the root zones being used for DNS
amplification attacks:

- Open the folder %systemroot%\system32\dns and rename cache.dns to cache.dns.orig


- Once these modifications are complete, you must restart the DNS service.

Plesk

1) Log in to your Plesk Panel as admin.
2) On the left menu, select the "Server Management > Tools & Settings" section (previously called
"Server").
3) In the main panel, select "DNS Template Settings" (previously called "DNS Settings").
4) Select the DNS Recursion tab.
5) Select the Deny option and click the Set button to complete the operation.

Linux

Edit the file /etc/named.conf and set the following directives in the "options {" section to secure
your DNS service:

version "unknown";
allow-transfer {none;};
allow-recursion {none;};
allow-query-cache {none;}; // for BIND 9.4+
recursion no;
additional-from-cache no;

Once these modifications are complete, you must restart the DNS service.

If you must use DNS recursion to provide service to your customers, iWeb requires that you
restrict its scope to localhost, localnets, and/or your customers' IP ranges.

Windows servers running DNS with open recursion can use the Windows firewall to limit access to
the DNS service and prevent it from being exploited.

DNS TCP/UDP incoming firewall rule settings:

Local IP: any
Remote IP (These IPs): add all of your trusted IPs (the other servers of your network).
If the server is part of a Windows Active Directory domain, you will also have to add the source IPs
of the hosts that use this service.

Bind under Windows Plesk (allowing localhost and localnets)

1) Connect to your dedicated server.

2) From the Start menu, click Run, and enter the following command:

notepad "%plesk_dir%dns\etc\named.user.conf"

3) Modify the file to set allow-recursion to localnets instead of any.

4) Save and close the file. The options section will look like:

options {
allow-transfer { localhost; localnets; };
allow-recursion { localhost; localnets; };
listen-on-v6 { none; };
version none;
additional-from-cache no;
};

5) Restart "named" service. From the Start menu, as administrator, click Run and run "cmd",
then type the following command in the command prompt:

net stop named && net start named

Other BIND advanced settings under Linux (allowing localhost, localnets and specific IPs)

acl "trusted"{
192.168.0.0/16; // change IPs as required
xx.15.128.0/19; // change IPs as required
localhost;
localnets;
};

options{
...
allow-query { trusted; }; // trusted could be replaced by any only if necessary
allow-transfer { trusted; };
allow-recursion { trusted; };
allow-query-cache { trusted; }; // for BIND 9.4+
additional-from-cache no;
...
};

----------------------

You can test your servers with the following commands:

dig +noall +comment @<IP>
(if the flags line shows "qr rd ra", the server is open recursive)

nmap -Pn --script=dns-recursion -sU -p53 <IP>
(you will see the following text if the DNS is open recursive: |_dns-recursion: Recursion
appears to be enabled)
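The flags check above can be automated when you audit your own servers. The following Python script is an added example (not part of the original article): it decodes the DNS header flags that dig prints and judges whether a response came from an open resolver. The two sample response headers are constructed for illustration, not captured from a real server.

```python
"""Decode DNS header flags (qr, rd, ra ...) as printed by dig, to judge whether a
server answered a recursive query as an open resolver. Added example; the two
sample packets below are constructed, not captured from a real server."""
import struct

# Bit positions in the 16-bit flags word of the DNS header (RFC 1035, section 4.1.1).
FLAG_BITS = {"qr": 15, "aa": 10, "tc": 9, "rd": 8, "ra": 7}
RCODE_REFUSED = 5


def decode_flags(flags_word):
    """Return the set of flag names (as dig prints them) set in a 16-bit flags word."""
    return {name for name, bit in FLAG_BITS.items() if flags_word & (1 << bit)}


def parse_header(packet):
    """Parse the fixed 12-byte DNS header into id, flag names, rcode and section counts."""
    if len(packet) < 12:
        raise ValueError("packet shorter than the 12-byte DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", packet[:12])
    return {"id": ident, "flags": decode_flags(flags), "rcode": flags & 0x0F,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def is_open_recursive(response):
    """True when a reply to a recursive query (rd) carries 'ra' and a NOERROR rcode:
    the 'qr rd ra' pattern the dig check in the text describes."""
    hdr = parse_header(response)
    return {"qr", "rd", "ra"} <= hdr["flags"] and hdr["rcode"] == 0


def verdict(response):
    """Human-readable result for a single response header."""
    hdr = parse_header(response)
    if is_open_recursive(response):
        return "open recursive"
    if hdr["rcode"] == RCODE_REFUSED:
        return "recursion denied (REFUSED)"
    return "recursion not offered"


# Constructed sample headers (id 0x1234, one question):
# open resolver: flags 0x8180 -> qr rd ra, rcode NOERROR, one answer record
OPEN_REPLY = bytes.fromhex("1234 8180 0001 0001 0000 0000")
# hardened server (allow-recursion {none;}): flags 0x8105 -> qr rd, rcode REFUSED, no answer
REFUSED_REPLY = bytes.fromhex("1234 8105 0001 0000 0000 0000")

if __name__ == "__main__":
    for name, pkt in (("open resolver", OPEN_REPLY), ("hardened", REFUSED_REPLY)):
        print(f"{name}: flags={' '.join(sorted(parse_header(pkt)['flags']))} -> {verdict(pkt)}")
```

To check a live server of your own, send a query with the RD bit set over UDP port 53 and pass the first 12 bytes of the reply to verdict().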
