Blog Manager
We are the Computer Security and Incident Response Team (CSIRT) for the Janet network. As part of Jisc's Security Operations Centre, our mission is to safeguard the current and future network security of Janet (steering the security policies for all Janet connections) and of our customers, creating a secure environment to conduct your online activities. Our primary function is to monitor and resolve any security incidents that occur on the Janet network, with specialists tracking a range of platforms, including Unix, Linux and Windows.

Simple ways to improve your DNS resilience and security: #4 Open DNS Resolvers

Thursday, June 26, 2014 - 10:10

Time to move from the mechanics and policy of DNS replication to a new topic. Within the global DNS a server can play one of two roles: a nameserver, which holds authoritative data for its zones, or a resolver, which fetches that data on behalf of clients. Nameservers need to provide their data to the entire Internet, whereas resolvers should serve only a small, known set of client systems.

Some DNS software allows you to configure both roles on the same server: it provides authoritative information for some domains to the entire Internet as a nameserver, while also acting as a resolver for internal clients, with access control rules deciding which clients may use which function.

DNS is (primarily) a UDP-based protocol. Many network providers perform little filtering of outbound traffic, so it is often trivial to send a DNS query to a resolver with a spoofed source IP address; the resolver then returns the answer to the spoofed address rather than to the real sender. It is also trivial to construct a query whose response is far larger than the query itself (for example, an ANY query for a large or DNSSEC-signed zone), in practice usually 40 to 60 times larger.

Someone wishing to perform a denial of service attack can find a number of DNS resolvers accessible over the Internet and combine the amplification with spoofed queries to direct large volumes of traffic towards the target of the attack. It is therefore important that you do not unnecessarily expose DNS resolver functionality to the Internet. Doing so places other Internet users at risk.
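The check below is an added example, not code from the Janet CSIRT post. It builds a raw DNS query with the RD (recursion desired) flag set, classifies the reply from the header flags (REFUSED versus an answer with RA set), and reports the response/query size ratio, which is the amplification an attacker would get from reflecting that query. The sample replies are constructed by hand so the script runs offline; `probe()` sends a real query to a server you name on the command line and should only be pointed at resolvers you operate. The name `example.com` and the address in the sample answer are assumptions for the example, not captured traffic.

```python
"""Added example (not from the Janet CSIRT post): build a raw DNS query,
classify a resolver's reply and measure the response/query size ratio.

Only the standard library is used.  The sample responses below are
constructed by hand for offline use; probe() sends a real query."""
import socket
import struct
import sys

QUERY_ID = 0x1234  # fixed transaction ID so the constructed samples match


def build_query(qname, qtype=1, txid=QUERY_ID, rd=True):
    """Encode a minimal DNS query (RFC 1035 s4.1): header + one question."""
    flags = 0x0100 if rd else 0x0000            # RD = ask for recursion
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN


def parse_header(packet):
    """Decode the 12-byte header into the flags that matter for this check."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),   # this is a response
        "aa": bool(flags & 0x0400),   # authoritative answer
        "rd": bool(flags & 0x0100),   # recursion desired (echoed back)
        "ra": bool(flags & 0x0080),   # recursion available
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def classify(query, response):
    """What a reply to a recursive query for a name the server is NOT
    authoritative for tells us about that server."""
    if len(response) < 12:
        return "invalid"
    q, r = parse_header(query), parse_header(response)
    if r["id"] != q["id"] or not r["qr"]:
        return "invalid"
    if r["rcode"] == 5:
        return "refused"           # correct behaviour towards an outside client
    if r["aa"]:
        return "authoritative"     # its own zone; says nothing about recursion
    if r["ra"] and r["rcode"] == 0 and r["ancount"] > 0:
        return "open-recursive"    # it fetched the answer for us: open resolver
    return "no-recursion"


def amplification(query, response):
    """Bytes returned per byte sent: the attacker's gain from reflecting it."""
    return round(len(response) / len(query), 2)


def probe(server, qname="example.com", timeout=2.0):
    """Send one recursive UDP query to `server` and classify the reply.
    Use a qname the server is not authoritative for."""
    query = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        try:
            response, _ = s.recvfrom(4096)
        except socket.timeout:
            return "no-response", 0.0
    return classify(query, response), amplification(query, response)


# --- constructed samples (assumed values, not captured traffic) -----------
SAMPLE_QUERY = build_query("example.com")       # 29 bytes: "A? example.com."
_QUESTION = SAMPLE_QUERY[12:]

# A properly restricted server: QR|RD set, RA clear, RCODE=5 (REFUSED).
SAMPLE_REFUSED = struct.pack("!HHHHHH", QUERY_ID, 0x8105, 1, 0, 0, 0) + _QUESTION

# An open resolver: QR|RD|RA set, RCODE=0, one A record in the answer section.
_ANSWER = (b"\xc0\x0c"                            # name: pointer to offset 12
           + struct.pack("!HHIH", 1, 1, 300, 4)   # type A, IN, TTL 300, rdlen 4
           + bytes([93, 184, 216, 34]))           # assumed address for the example
SAMPLE_OPEN = struct.pack("!HHHHHH", QUERY_ID, 0x8180, 1, 1, 0, 0) + _QUESTION + _ANSWER


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))   # e.g. python check_resolver.py 192.0.2.53
    else:
        for name, resp in (("refused", SAMPLE_REFUSED), ("open", SAMPLE_OPEN)):
            print(name, classify(SAMPLE_QUERY, resp), amplification(SAMPLE_QUERY, resp))
```

Run it from a host outside your network against each of your public nameservers; anything other than `refused` (or `authoritative` for your own zones) means recursion is reachable from the Internet. The single A record in the sample gives a ratio of only about 1.5; the 40 to 60 times figure in the post comes from queries such as ANY against large responses, which this same ratio function will measure on real replies.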

You should configure your DNS server so that each function is exposed only to its intended audience: authoritative data for your zones to the whole Internet, recursion only to your own clients. Many DNS implementations allow you to configure access control rules for this; others will require you to run the different functions on different servers. Further guidance is available.
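As an added illustration (not configuration from the post or from Jisc), here is what that looks like in BIND 9's `named.conf`, the weak form first and the corrected form after it. The zone name, file paths and address ranges are placeholders for the example.

```conf
// WEAK: recursion is on (BIND's default) and no allow-recursion is set,
// so any host on the Internet can use this server as a resolver.
options {
    directory "/var/cache/bind";
    recursion yes;
};

zone "example.ac.uk" {          // placeholder zone name
    type master;
    file "/etc/bind/db.example.ac.uk";
};

// CORRECTED: authoritative answers stay world-readable, recursion and
// cache reads are limited to the networks you actually serve.
acl "internal" {
    127.0.0.0/8;
    10.0.0.0/8;                 // placeholder: your own client ranges
    2001:db8::/32;
};

options {
    directory "/var/cache/bind";
    recursion yes;
    allow-recursion   { "internal"; };
    allow-query-cache { "internal"; };   // stops outsiders reading the cache too
    allow-query       { any; };          // zones below remain public
};

zone "example.ac.uk" {
    type master;
    file "/etc/bind/db.example.ac.uk";
};
```

If the public nameserver does no resolving for anyone, `recursion no;` in `options` is simpler still, with recursion provided by a separate server that is not reachable from the Internet. Validate the file with `named-checkconf` before reloading, and then test from outside your network that a query for a name you are not authoritative for is answered with REFUSED.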