Securing your server against DNS Amplification (DoS) attacks

Lately there has been a surge of a particular form of DoS (denial of service) attack that uses DNS servers as reflectors. The attacker sends a flood of small DNS queries whose source IP address is spoofed to that of the victim; your server dutifully answers every one of them, and because a DNS response (especially for ANY queries or DNSSEC-signed zones) is many times larger than the query, the victim is buried in traffic that appears to come from your server. Open recursive servers, and authoritative servers that answer anything for anyone, are the most useful reflectors an attacker can find.

More information about this attack is documented in this page.

If you run a DNS server with BIND, it can be abused as such a reflector. Harden it using the steps below.
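Before (and after) hardening, it helps to know whether the server is already being used as a reflector. The script below is added here as an example and is not part of the original post: it parses BIND 9 query-log lines and reports sources that send bursts of queries for record types with large answers (ANY, DNSKEY, RRSIG, TXT), and sources that set the recursion-desired flag on names outside the zones you host. The log lines, the hosted-zone list and the thresholds are constructed assumptions; point it at your own query log and tune the threshold to your traffic.

```python
"""Spot DNS reflection abuse in a BIND 9 query log (added example, not the
original post's code).

From the reflector's point of view the attack looks like a burst of small,
repetitive queries whose source address is the victim's.  Two signs stand out:
  * a high per-source rate of queries for types with big answers, and
  * the recursion-desired flag ('+') on queries for zones we do not host,
    i.e. someone using (or probing) the server as an open resolver.
"""
import re
from collections import defaultdict
from datetime import datetime

# BIND 9 query-log line, e.g.
#   24-Aug-2012 10:01:01.101 client 203.0.113.9#51234: query: isc.org IN ANY +E (192.0.2.10)
# Newer releases add "@0x..." and "(qname)" after "client"; both are optional here.
QUERY_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})(?:\.\d+)?\s+"
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+(?: \([^)]*\))?: "
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+)"
)

AMPLIFYING_TYPES = {"ANY", "DNSKEY", "RRSIG", "TXT"}   # record types with large answers
HOSTED_ZONES = ("example.com",)                        # assumption: the zones this server serves

# Constructed sample log, not real traffic: 203.0.113.9 is the spoofed victim
# address of an ANY-query burst, 198.51.100.7 is a normal client, 192.0.2.77
# probes for open recursion.  The last line is a non-query log line.
SAMPLE_LOG = [
    "24-Aug-2012 10:01:01.101 client 203.0.113.9#51234: query: isc.org IN ANY +E (192.0.2.10)",
    "24-Aug-2012 10:01:01.102 client 203.0.113.9#51235: query: isc.org IN ANY +E (192.0.2.10)",
    "24-Aug-2012 10:01:01.104 client 203.0.113.9#51236: query: isc.org IN ANY +E (192.0.2.10)",
    "24-Aug-2012 10:01:01.107 client 203.0.113.9#51237: query: isc.org IN ANY +E (192.0.2.10)",
    "24-Aug-2012 10:01:01.109 client 203.0.113.9#51238: query: isc.org IN ANY +E (192.0.2.10)",
    "24-Aug-2012 10:01:01.112 client 203.0.113.9#51239: query: isc.org IN ANY +E (192.0.2.10)",
    "24-Aug-2012 10:01:02.004 client 198.51.100.7#40001: query: www.example.com IN A -E (192.0.2.10)",
    "24-Aug-2012 10:01:02.210 client 198.51.100.7#40002: query: www.example.com IN AAAA -E (192.0.2.10)",
    "24-Aug-2012 10:01:03.500 client @0x7f3c1c0a1b20 192.0.2.77#4444 (google.com): query: google.com IN A +E(0)K (192.0.2.10)",
    "24-Aug-2012 10:01:03.600 zone example.com/IN: sending notifies (serial 2012082401)",
]


def parse_line(line):
    """Return the fields of one query-log line, or None for other log lines."""
    m = QUERY_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d-%b-%Y %H:%M:%S")
    rec["rd"] = rec["flags"].startswith("+")          # '+' = recursion desired
    rec["qname"] = rec["qname"].rstrip(".").lower()
    return rec


def in_hosted_zone(qname, zones=HOSTED_ZONES):
    return any(qname == z or qname.endswith("." + z) for z in zones)


def peak_rate(times, window_seconds):
    """Largest number of queries that fall inside any window of window_seconds."""
    times = sorted(times)
    best, start = 0, 0
    for end in range(len(times)):
        while (times[end] - times[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def analyse(lines, rate_threshold=5, window_seconds=1):
    """Return {source_ip: finding} for sources that look like reflection abuse."""
    per_ip = defaultdict(lambda: {"amplifying": 0, "rd_offzone": 0, "times": []})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = per_ip[rec["ip"]]
        s["times"].append(rec["ts"])
        if rec["qtype"] in AMPLIFYING_TYPES:
            s["amplifying"] += 1
        if rec["rd"] and not in_hosted_zone(rec["qname"]):
            s["rd_offzone"] += 1

    findings = {}
    for ip, s in per_ip.items():
        peak = peak_rate(s["times"], window_seconds)
        reasons = []
        if peak > rate_threshold and s["amplifying"]:
            reasons.append(f"{peak} queries in {window_seconds}s, "
                           f"{s['amplifying']} of them for amplifying types")
        if s["rd_offzone"]:
            reasons.append(f"{s['rd_offzone']} recursive queries for zones not hosted here")
        if reasons:
            findings[ip] = {"peak_rate": peak, "amplifying": s["amplifying"],
                            "rd_offzone": s["rd_offzone"], "reasons": reasons}
    return findings


if __name__ == "__main__":
    for ip, f in analyse(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(f["reasons"]))
```

A spoofed source cannot be blocked meaningfully (the address belongs to the victim), so the report is a signal to apply the configuration changes below and, where available, response rate limiting, not a blocklist.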

1. Open /etc/host.conf and add this line:

nospoof on

This is a setting of the system's resolver library, not of BIND: with nospoof on, after a reverse lookup the resolver looks the returned hostname up again and rejects the answer if it does not map back to the original address. It protects programs on the host that trust reverse lookups; it does nothing against amplification, which is addressed by the named.conf changes in step 2.

2. Edit /etc/named.conf (on Debian-based systems the options live in /etc/bind/named.conf.options) and make the following changes inside the options block.

(i) Disable recursion

An authoritative-only server should answer only for the zones it hosts. With recursion off it cannot be used as an open resolver, which is the most effective reflector an attacker can find:

options {
    recursion no;
};

If the same server must also resolve names for your own clients, keep recursion on but limit it with allow-recursion { <your networks>; }; rather than leaving it open to the world.

(ii) Refuse upward referrals (do not refer clients to the root servers)

Even with recursion disabled, older BIND 9 releases answer a query for a zone they do not host with a referral to the root servers, which is still a response an attacker can reflect. Placing this line within options (like above) makes such queries get REFUSED instead:

additional-from-cache no;

Note that this option was removed in BIND 9.12, so named will reject the configuration on current releases. Whatever release you run, verify the result from a host outside your zones with dig @yourserver example.org: the status should be REFUSED, not a referral listing the root servers.

(iii) Prevent spoofed answers (BIND 8 only)

BIND 8 assigns query IDs predictably unless told otherwise, which lets an attacker forge replies to the server's own outgoing queries. use-id-pool makes it draw IDs from a random pool so that guessing is harder:

use-id-pool yes;

BIND 9 always randomizes query IDs (and, since the 2008 Kaminsky fixes, source ports) and does not accept this option. This hardens a recursive server against cache poisoning; it is not an amplification countermeasure.

(iv) Disable glue fetching (BIND 8 only)

fetch-glue no;

This stops BIND 8 from resolving the addresses of name servers in a referral just to pad the additional section, which both shrinks responses and removes a poisoning vector. BIND 9 never fetches glue and treats the option as obsolete.

Besides these, restrict zone transfers and NOTIFY messages to the servers that need them: an AXFR answered for anyone hands out the whole zone, and a full zone transfer is a very large response.

(v) Restrict zone transfers and notifications

Define an ACL listing your secondary name servers and reference it from the options block (or from individual zone statements to override per zone):

acl "trusted" {
    /* addresses of your secondary name servers, one per line, each ending in ; */
};

options {
    allow-notify { trusted; };
    allow-transfer { trusted; };
};
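Putting the BIND 9 pieces together, here is a complete authoritative-only configuration, written for this page as an added example (it is not the original post's configuration). It goes one step beyond the list above by enabling Response Rate Limiting, which has been built into BIND since 9.9.4 specifically to blunt reflection attacks. All addresses are RFC 5737 documentation ranges, the zone name and paths are placeholders, and the rate-limit numbers are assumptions to tune for your traffic.

```conf
// Added example: options for an authoritative-only BIND 9 server.
// Addresses, zone and paths are assumptions; replace with your own.

acl "secondaries" { 192.0.2.53; 198.51.100.53; };

options {
    directory "/var/named";

    // Authoritative only: never resolve on behalf of clients and give
    // nobody access to whatever is in the cache.  Out-of-zone queries
    // are answered with REFUSED.
    recursion no;
    allow-recursion { none; };
    allow-query-cache { none; };
    allow-query { any; };

    // Keep responses small: omit optional authority/additional data.
    minimal-responses yes;

    // Zone transfers and NOTIFY only to/from our own secondaries.
    allow-transfer { secondaries; };
    allow-notify   { secondaries; };
    notify explicit;
    also-notify { 192.0.2.53; 198.51.100.53; };

    // Response Rate Limiting (BIND 9.9.4 and later): identical answers to
    // the same /24 are capped at 5 per second.  Half of the excess ("slip 2")
    // is answered with a truncated (TC) reply, so a real client retries over
    // TCP where the source address cannot be spoofed, while a victim of a
    // spoofed flood receives only small TC replies or nothing.
    rate-limit {
        responses-per-second 5;
        errors-per-second 5;
        nxdomains-per-second 5;
        slip 2;
        window 5;
        ipv4-prefix-length 24;
        ipv6-prefix-length 56;
        log-only no;      // set to yes first to measure the effect without dropping
    };

    // Do not advertise the software version.
    version "none";
};

// Log queries so abuse of the server as a reflector can be spotted.
logging {
    channel query_log {
        file "/var/log/named/query.log" versions 5 size 20m;
        severity info;
        print-time yes;
    };
    category queries { query_log; };
};

zone "example.com" {
    type master;
    file "example.com.zone";
};
```

After editing, run named-checkconf before reloading; an option your release no longer supports (such as additional-from-cache on 9.12 and later) will be reported there rather than silently ignored.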

Prabhu Balakrishnan