In recent times a new form of DoS (denial of service) attack has appeared that targets DNS servers. The attacker sends DNS query packets whose source IP is spoofed to the victim's address, so your server keeps sending its responses (which are larger than the queries) to the victim rather than to the attacker. This is commonly called a DNS reflection or amplification attack.
More information about this attack is documented on this page.
If you run a DNS server with BIND, it can be abused in this way. Harden your DNS server (BIND) using the steps below.
1. Open /etc/host.conf and add the line below so that the host's resolver library rejects spoofed hostnames (a reverse lookup whose forward lookup does not match). Note that this protects the host's own lookups; it does not change how named answers queries.
nospoof on
2. Open your /etc/named.conf
(i) Disable recursion
options {
...
recursion no;
...
};
(ii) Disable upward referrals (refuse referring clients to the root servers)
Place this line inside the options block (as above). Newer BIND 9 releases (9.12 onward) no longer send upward referrals and treat this option as obsolete.
additional-from-cache no;
(iii) Prevent spoofing
In order to make spoofed responses harder, consider use-id-pool, which generates random message IDs so that they are harder to guess. BIND 9 randomizes query IDs by default.
use-id-pool yes; (only for BIND 8.x)
(iv) Disable glue fetching
fetch-glue no; (only for BIND 8.x; BIND 9 treats it as obsolete)
Besides these, be sure to restrict notifications and zone transfers on your DNS server to hosts you trust.
(v) Restrict zone transfers and notifications
Define the acl at top level before the options block (an acl must be defined before it is referenced), then use it in the options block or in individual zone statements:
acl "trusted" {
11.22.33.44;
55.66.77.99;
};
allow-notify { trusted; };
allow-transfer { trusted; };
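As an added check, not part of the original post, the following Python script audits a named.conf for the settings from steps (i), (ii) and (v) above (the /etc/host.conf and BIND 8-only options are not covered). It assumes BIND 9.x-era defaults, i.e. recursion and additional-from-cache default to yes and an absent allow-transfer means any host may pull a zone; the two configuration samples are constructed for the example.

```python
# Added example (not the post's code): audit a named.conf options block for the
# settings above, assuming BIND 9.x-era defaults: recursion and additional-from-cache
# default to yes, and an absent allow-transfer lets any host pull a zone.
import re

WEAK_CONF = """options {   // constructed sample: a typical unhardened server
    recursion yes;   // comments must not confuse the parser
    allow-transfer { any; };
};"""
HARDENED_CONF = """acl "trusted" { 11.22.33.44; 55.66.77.99; };   // constructed: hardened
options {
    recursion no;
    additional-from-cache no;   /* no upward referrals to the root servers */
    allow-notify { trusted; };
    allow-transfer { trusted; };
};"""

def strip_comments(text):
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)

def options_block(conf):
    """Text inside options { ... }, honouring nested braces; '' if absent."""
    text, depth = strip_comments(conf), 1
    m = re.search(r"\boptions\s*\{", text)
    for i in range(m.end() if m else len(text), len(text)):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if depth == 0:
            return text[m.end():i]
    return ""   # no options block, or braces never balanced

def statements(block):
    """Map statement name -> value, e.g. 'allow-transfer' -> '{ any; }'."""
    found = {}
    for stmt in re.findall(r"[^;{}]+(?:\{[^}]*\})?\s*;", block):
        parts = stmt.strip().rstrip(";").split(None, 1)
        if parts:
            found[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return found

def audit(conf):
    """Findings for one named.conf; an empty list means every step is in place."""
    opts, findings = statements(options_block(conf)), []
    for opt in ("recursion", "additional-from-cache"):      # both default to yes
        if opts.get(opt, "yes") != "no":
            findings.append(f"{opt} is not disabled: add '{opt} no;'")
    for opt, default in (("allow-transfer", "{ any; }"), ("allow-notify", "")):
        if "any" in re.findall(r"[^\s{};]+", opts.get(opt, default)):
            findings.append(f"{opt} is open to any host: restrict it to an acl")
    return findings
```

Run audit() on your own named.conf text; the weak sample yields three findings and the hardened sample none.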