Securing your server against DNS Amplification (DoS) attacks

A form of denial-of-service (DoS) attack that abuses DNS servers has become common: DNS amplification. The attacker sends a stream of small DNS queries whose source IP address is forged to be the victim's address; your server answers every one of them, so its much larger responses are delivered to the victim instead of the attacker. Because the queries arrive over UDP without any handshake, the server has no way to tell that the source address is spoofed.

More information about this attack is documented on this page.
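A server that is being used as an amplifier shows a recognisable pattern in its query log: one "client" (really the spoofed victim) sending a burst of queries, almost all of type ANY for one or two large names, because ANY gives the biggest response per query. The script below is an added example, not something from the original post: it runs that check over constructed log lines modelled on BIND's query log channel. The addresses, the thresholds and the helper names are assumptions for illustration. Note that the flagged address is the victim, not the attacker, so blocking it would only finish the attacker's job.

```python
"""Spot DNS amplification abuse in a BIND query log (added example).

The log lines are constructed to resemble BIND's "queries" log channel;
addresses, thresholds and function names are assumptions.
"""
import re
from collections import defaultdict

# Constructed sample: 203.0.113.7 is the spoofed source (the victim). It
# appears to send a burst of ANY queries for a single large zone, while
# the other two clients look like ordinary resolvers.
SAMPLE_LOG = """\
12-Mar-2013 10:15:01.101 client 203.0.113.7#53: query: isc.org IN ANY +E (192.0.2.53)
12-Mar-2013 10:15:01.102 client 203.0.113.7#53: query: isc.org IN ANY +E (192.0.2.53)
12-Mar-2013 10:15:01.104 client 203.0.113.7#53: query: isc.org IN ANY +E (192.0.2.53)
12-Mar-2013 10:15:01.105 client 203.0.113.7#53: query: isc.org IN ANY +E (192.0.2.53)
12-Mar-2013 10:15:01.107 client 203.0.113.7#53: query: isc.org IN ANY +E (192.0.2.53)
12-Mar-2013 10:15:01.108 client 203.0.113.7#53: query: isc.org IN ANY +E (192.0.2.53)
12-Mar-2013 10:15:02.210 client 198.51.100.4#51233: query: www.example.com IN A -E (192.0.2.53)
12-Mar-2013 10:15:02.911 client 198.51.100.4#51240: query: mail.example.com IN AAAA -E (192.0.2.53)
12-Mar-2013 10:15:03.002 client 192.0.2.9#40011: query: example.com IN MX +E (192.0.2.53)
"""

# Accepts both the older "client IP#port:" form and the newer form that
# carries a client pointer and "(qname)" after the address.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[\d.]+)#\d+(?: \([^)]*\))?: "
    r"query: (?P<name>\S+) IN (?P<rtype>\S+) (?P<flags>\S+)"
)


def parse_queries(log_text):
    """Yield (client_ip, qname, qtype, flags) for every query line; skip others."""
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield (m.group("ip"), m.group("name").lower(),
                   m.group("rtype").upper(), m.group("flags"))


def per_client_stats(log_text):
    """Aggregate query count, ANY count and distinct names per client address."""
    stats = defaultdict(lambda: {"total": 0, "any": 0, "names": set()})
    for ip, name, rtype, _flags in parse_queries(log_text):
        s = stats[ip]
        s["total"] += 1
        s["any"] += int(rtype == "ANY")
        s["names"].add(name)
    return stats


def suspected_amplification(log_text, min_queries=5, any_ratio=0.5, max_names=2):
    """Return client addresses that look like spoofed victims: many queries,
    mostly ANY (largest answers), for very few names. Thresholds are assumptions."""
    hits = []
    for ip, s in per_client_stats(log_text).items():
        if (s["total"] >= min_queries
                and s["any"] / s["total"] >= any_ratio
                and len(s["names"]) <= max_names):
            hits.append(ip)
    return sorted(hits)


if __name__ == "__main__":
    for ip in suspected_amplification(SAMPLE_LOG):
        s = per_client_stats(SAMPLE_LOG)[ip]
        print(f"{ip}: {s['total']} queries, {s['any']} ANY, names={sorted(s['names'])}"
              " (likely spoofed victim, do not blacklist)")
```

To use it on a real server, enable the queries log channel in named.conf and feed the file to per_client_stats; the ANY ratio is the strongest single signal, and a real deployment would also look at query rate per second rather than a fixed count.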

If you are running a DNS server with BIND, your server may be abused in such attacks. Harden it using the steps below.

1. Open /etc/host.conf and add this line. It makes the host's resolver library reject hostnames whose reverse and forward lookups disagree (hostname spoofing). Note that this protects programs on the host that resolve names; it does not by itself stop named from being used as an amplifier.

nospoof on

2. Open /etc/named.conf and make the following changes inside the options block.

(i) Disable recursion

An authoritative-only server should answer only for the zones it hosts. An open resolver will answer a spoofed query for any name on the Internet, which is what makes it attractive as an amplifier.

options {
    ...
    recursion no;
    ...
};

If the same server must also resolve names for your own clients, keep recursion enabled but restrict it with allow-recursion { <your networks>; }; so that the world at large still gets no recursive answers.

(ii) Disable upward referrals (referrals to the root servers)

Older BIND 9 releases with recursion disabled still answered a query for a name outside their zones with a referral to the root servers, which is itself a usable amplification response. Place this line within options (as above) to suppress it:

additional-from-cache no;

Current BIND 9 releases answer such queries with REFUSED instead of an upward referral, and treat this option as deprecated, so check the named.conf manual page for your version before relying on it.

(iii) Prevent spoofing of responses (BIND 8 only)

To make forged answers harder to guess, BIND 8 can draw its message IDs from a random pool with use-id-pool:

use-id-pool yes; (only for BIND 8.x)

BIND 9 always randomizes message IDs (and, since the 2008 Kaminsky fixes, source ports), and does not accept this option. Note that this defends a recursive server against cache poisoning; it has no effect on amplification.

(iv) Disable glue fetching (BIND 8 only)

fetch-glue no;

BIND 9 never fetches glue and reports this option as obsolete.

Besides these, be sure to restrict NOTIFY messages and zone transfers on your DNS server.

(v) Restrict zone transfers and notifications

Define an ACL for your secondaries and primaries, then allow transfers and notifications only from those addresses (the addresses below are placeholders):

acl "trusted" {
    11.22.33.44;
    55.66.77.99;
};
allow-notify { trusted; };
allow-transfer { trusted; };

allow-transfer applies to every zone; allow-notify only matters for the zones this server is a secondary (slave) for. Both can be set globally in options or per zone.
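To tie the steps above together, here is an added example that is not code from the original post: three constructed named.conf fragments (an out-of-the-box open resolver, the BIND 8 era recipe applied to BIND 9, and a hardened authoritative-only configuration that also enables BIND 9's Response Rate Limiting, available in BIND 9.10 and later) and a small audit helper that reads the options block and reports what is still wrong. The ACL addresses are the post's placeholders; the helper names and the thresholds in the rate-limit block are assumptions.

```python
"""Audit the options block of a BIND 9 named.conf for amplification-relevant
settings (added example; sample configurations are constructed).
"""
import re

# Constructed: a typical default configuration, i.e. an open resolver.
WEAK_CONF = """
options {
    directory "/var/named";
    recursion yes;          // answers recursive queries from anyone
    allow-query { any; };
};
"""

# Constructed: the BIND 8 style hardening recipe dropped into a BIND 9 config.
LEGACY_CONF = """
options {
    directory "/var/named";
    recursion no;
    additional-from-cache no;
    use-id-pool yes;
    fetch-glue no;
};
"""

# Constructed: authoritative-only server with transfers/notifies restricted
# and Response Rate Limiting as a backstop (BIND 9.10+). The rate-limit
# numbers are illustrative assumptions, not a recommendation.
HARDENED_CONF = """
acl "trusted" { 11.22.33.44; 55.66.77.99; };
options {
    directory "/var/named";
    recursion no;
    allow-recursion { none; };
    allow-transfer { trusted; };
    allow-notify { trusted; };
    minimal-responses yes;   # smaller answers = less amplification
    rate-limit {
        responses-per-second 5;
        window 5;
    };
};
"""

BIND8_ONLY = {"use-id-pool", "fetch-glue"}          # named reports these as obsolete
UPWARD_REFERRAL = {"additional-from-cache", "additional-from-auth"}


def strip_comments(text):
    """Remove /* */, // and # comments (named.conf allows all three)."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def extract_block(text, name):
    """Return the body of the top-level `name { ... }` block, honouring nesting."""
    m = re.search(r"\b" + re.escape(name) + r"\s*\{", text)
    if not m:
        return None
    depth = 0
    for i in range(m.end() - 1, len(text)):     # start on the opening brace
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[m.end():i]
    raise ValueError("unbalanced braces in %s block" % name)


def parse_statements(body):
    """Split a block body at depth-0 semicolons into {keyword: rest}."""
    stmts, depth, cur = {}, 0, []
    for ch in body:
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
        if ch == ";" and depth == 0:
            parts = "".join(cur).split(None, 1)
            if parts:
                stmts[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
            cur = []
        else:
            cur.append(ch)
    return stmts


def audit(conf):
    """Return a list of findings for the options block of `conf`."""
    body = extract_block(strip_comments(conf), "options")
    if body is None:
        return ["no options block found"]
    opts = parse_statements(body)
    findings = []
    if opts.get("recursion", "yes") != "no":    # BIND 9 defaults to recursion yes
        findings.append("recursion enabled: open resolver, answers spoofed queries for any name")
    if "rate-limit" not in opts:
        findings.append("no rate-limit block: responses to a spoofed source are not rate limited")
    xfer = opts.get("allow-transfer")
    if xfer is None or re.search(r"\bany\b", xfer):
        findings.append("allow-transfer missing or 'any': zone transfers unrestricted")
    for kw in sorted(BIND8_ONLY.intersection(opts)):
        findings.append("%s: BIND 8 option, obsolete in BIND 9" % kw)
    for kw in sorted(UPWARD_REFERRAL.intersection(opts)):
        findings.append("%s: deprecated in current BIND 9, which answers REFUSED instead of an upward referral" % kw)
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("legacy", LEGACY_CONF), ("hardened", HARDENED_CONF)):
        print(label, "->", audit(conf) or "OK")
```

Run it against your own file with audit(open("/etc/named.conf").read()); it only inspects the global options block, so per-zone allow-transfer statements are not seen, and it is a sanity check, not a substitute for named-checkconf.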

Prabhu Balakrishnan

I am a cool and friendly internet entrepreneur blogging since 2005. My interests are WordPress, PHP, Linux servers, SEO and travel. Besides computers, I am crazy for video games, travel and a cup of hot coffee! I was born in Coimbatore, India but I currently live in Budapest, Hungary. Feel free to contact me folks!
