Securing your server against DNS Amplification (DoS) attacks

In recent times a form of DoS (denial of service) attack aimed at DNS servers has become common: DNS amplification. The attacker sends small DNS queries whose source IP address is forged to be the victim's, and your server dutifully sends its much larger responses to the victim. Because the server answers every such query, a modest stream of spoofed packets becomes a large flood at the victim, with your server acting as the amplifier.
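To see why a forged-source query is worth sending, here is an added example (not code from the original post) that builds the kind of query an attacker uses (ANY, with an EDNS0 buffer advertising 4096 bytes), parses a DNS response header, and reports the amplification factor and whether the server offered recursion. The two responses are constructed byte strings for offline use; the "abusable" threshold of 10x is an assumption, and send_query() sends from your own address only, for checking a server you administer.

```python
"""Why a DNS server amplifies: an added example, not from the original post.

Builds a real DNS query packet, decodes response headers, and reports the
amplification factor. Sample responses below are constructed inline.
"""
import socket
import struct

DNS_PORT = 53
QTYPE_ANY = 255
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
          3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def encode_name(name):
    """Encode "example.com" as DNS labels: \\x07example\\x03com\\x00."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"


def build_query(name, qtype=QTYPE_ANY, udp_payload=4096, txid=0x1234):
    """One UDP query: 12-byte header, one question, and an EDNS0 OPT record
    advertising a large receive buffer so the server may send a big reply
    instead of truncating it. ANY is the classic amplification query type."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD set; 1 question, 1 additional
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_payload, 0, 0)  # OPT RR: type 41, class = buffer size
    return header + question + opt


def parse_header(packet):
    """Decode the 12-byte DNS header into the flags a hardening check cares about."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {"id": txid,
            "qr": bool(flags & 0x8000),   # this is a response
            "tc": bool(flags & 0x0200),   # truncated (client should retry over TCP)
            "ra": bool(flags & 0x0080),   # server offers recursion
            "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def assess(query, response, max_factor=10.0):
    """Amplification factor plus a verdict; max_factor is an assumed threshold."""
    h = parse_header(response)
    factor = round(len(response) / len(query), 1)
    return {"factor": factor, "recursion_available": h["ra"], "rcode": h["rcode"],
            "abusable": h["ra"] or factor > max_factor}


def send_query(server, query, timeout=2.0):
    """Send from this host's own address (no spoofing) and return the raw reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, DNS_PORT))
        return s.recvfrom(65535)[0]


# --- constructed sample traffic (not captured from a real server) ---
QUERY = build_query("example.com")  # 40 bytes on the wire

# Open resolver: flags QR|RD|RA, NOERROR, 200 A records pointing at the question name (0xc00c).
_question = encode_name("example.com") + struct.pack("!HH", QTYPE_ANY, 1)
_a_record = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
OPEN_RESOLVER_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 200, 0, 1)
                          + _question + _a_record * 200
                          + b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0))

# Hardened server: flags QR|RD, RA clear, rcode REFUSED, only the question echoed back.
HARDENED_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0) + _question

if __name__ == "__main__":
    for label, resp in (("open resolver", OPEN_RESOLVER_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, assess(QUERY, resp))
```

The open resolver turns a 40-byte query into a 3240-byte answer (81x); the hardened server answers REFUSED in 29 bytes, so the attacker gets back less than he sent.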

More information about this attack is documented on this page.

If you are running a DNS server with BIND, your server may be abused in such attacks. Harden your DNS server (BIND) using the steps below.

1. Open your /etc/host.conf and add this line so that the resolver library refuses spoofed hostnames (a name returned by a reverse lookup must resolve back to the same address):

nospoof on

Note that this setting only affects programs on the host that look up names through the C library; it does not change what named sends in reply to queries, so by itself it does nothing against amplification.

2. Open your /etc/named.conf and make the following changes.

(i) Disable recursion

An authoritative server should not resolve arbitrary names for the whole Internet; an open resolver is the biggest amplifier of all. Refuse recursion in the options block:

options {
    recursion no;
};

If the same server must also resolve names for your own machines, keep recursion on but restrict it to them with allow-recursion { localhost; localnets; }; instead. Either way, outside queries for names you are not authoritative for get REFUSED.

(ii) Disable upward referrals (refuse referring to root servers)

Older BIND 9 releases answer a non-recursive query for a zone they are not authoritative for with a referral to the root servers, which is itself a sizeable response. Place this line within options (like above) so that the server answers REFUSED instead:

additional-from-cache no;

Current BIND 9 releases no longer send upward referrals at all and treat this option as obsolete (check the ARM for your version before relying on it); there, minimal-responses yes; is the setting that keeps answers small.

(iii) Prevent spoofing

In order to make forged responses harder (an attacker has to guess the message ID), consider use-id-pool, which makes BIND 8 draw random message IDs:

use-id-pool yes; (only for BIND 8.x)

BIND 9 always randomizes message IDs and source ports, so this option does not exist there. Note that this defends the server's own lookups against cache poisoning; it does not reduce amplification.

(iv) Disable glue fetching

fetch-glue no; (only for BIND 8.x; the option is obsolete in BIND 9, which never fetches glue when building the additional section)

Besides these, restrict NOTIFY messages and zone transfers to the hosts that need them. Zone transfers run over TCP, so they are not an amplification vector, but an unrestricted AXFR hands anyone a copy of your whole zone.

(v) Restrict zone transfers and notifications

Define the ACL at the top level of named.conf and reference it in the options block (or in individual zone statements). The address below is a placeholder; list your secondary name servers:

acl "trusted" {
    192.0.2.10;    // placeholder, replace with your secondaries' addresses
};

options {
    allow-notify { trusted; };
    allow-transfer { trusted; };
};
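Putting the BIND 9 settings above together, here is an added example of a hardened named.conf for an authoritative-only server (not the original post's configuration). It also turns on Response Rate Limiting and minimal-responses, the built-in BIND 9 defenses against amplification (RRL is available from BIND 9.9.4, a compile-time option there and built in from 9.10). The 192.0.2.0/24 and 198.51.100.7 addresses are RFC 5737 example addresses; substitute your own.

```conf
// Added example: hardened named.conf for an authoritative-only BIND 9 server.
// Addresses are RFC 5737 example ranges, not real servers.

acl "trusted" {
    192.0.2.0/24;       // your secondary name servers
    198.51.100.7;       // a monitoring host allowed to pull zones
};

options {
    directory "/var/named";

    // Do not resolve on behalf of the Internet; strangers get REFUSED.
    recursion no;
    // If this host must also resolve for your own LAN, use instead:
    //   recursion yes;
    //   allow-recursion { localhost; localnets; };

    // Keep answers small: omit authority/additional data unless required.
    minimal-responses yes;

    // Response Rate Limiting: identical answers to one client network are
    // capped per second, and excess answers are dropped or sent truncated
    // (slip), so a forged-source flood is not amplified.
    rate-limit {
        responses-per-second 5;
        window 5;
        slip 2;
    };

    // Only trusted hosts may pull zones or send NOTIFY.
    allow-transfer { trusted; };
    allow-notify   { trusted; };   // relevant for secondary zones on this host
};

zone "example.com" {
    type master;
    file "example.com.zone";
};
```

Check the configuration with named-checkconf before reloading, then query the server from an outside address for a name you are not authoritative for: the answer should be REFUSED with the RA flag clear.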

Prabhu Balakrishnan

Mr. Balakrishnan is a leading expert in global citizenship and residency programs for high-net-worth immigrant investor clients. He is also an entrepreneur with a background in computer science engineering. His other interests are Linux servers, machine learning, parallel computing, computer vision, WordPress, etc. He was born in India and currently lives in Budapest, Hungary.