Securing your server against DNS Amplification (DoS) attacks

In recent times a new form of DoS (denial of service) attack has appeared that abuses DNS servers as amplifiers. The attacker sends a stream of small DNS queries to your server with the source IP spoofed to the victim's address. Your server has no way to tell the queries are forged, so it sends each response, which is many times larger than the query, to the victim. The victim is flooded with traffic it never asked for, and your server does the work of amplifying the attacker's bandwidth.

More information about this attack is documented in this page.

If you are running a DNS server with BIND, your server may be used in such attacks. You will need to harden your DNS server (BIND) using the steps below.

1. Open /etc/host.conf (not /etc/hosts.conf) and add this line, so that the resolver library checks that a looked-up hostname maps back to the same address:

nospoof on

Note that this setting only affects the system's resolver library (programs on this host doing lookups); it does not change how named answers queries, so it does nothing against amplification on its own.

2. Open your /etc/named.conf

(i) Disable recursion

If this server is authoritative only, turn recursion off so it never answers for names outside its own zones. Open resolvers are the main source of amplification traffic.

options {
    recursion no;
};

(ii) Disable upward referrals (refuse referring to root servers)

With recursion off, named will still answer a query for a name it is not authoritative for with a referral to the root servers, and that referral is large enough to be useful to an attacker. Place this line within the options block (as above) so that named does not add cached data, including the root referral, to its responses:

additional-from-cache no;

(iii) Prevent spoofing

In order to make it harder for an attacker to guess message IDs (cache poisoning, rather than amplification), BIND 8 offered use-id-pool to generate random message IDs. BIND 9 always randomises message IDs and source ports and does not accept this option, so add it only on BIND 8:

use-id-pool yes;   (only for BIND 8.x)

(iv) Disable glue fetching

fetch-glue no;   (only for BIND 8.x; BIND 9 never fetches glue and rejects this option)

(v) Restrict zone transfers and notifications

Besides the above, be sure to restrict zone transfers and NOTIFY messages to the hosts that need them (your secondary servers). Define an ACL and use it in the options block (as the global default) or in each zone statement. The network 192.0.2.0/24 below is a placeholder; replace it with the addresses of your secondaries:

acl "trusted" { 192.0.2.0/24; };
allow-notify { trusted; };
allow-transfer { trusted; };
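The steps above put together as one complete configuration, as an added example that is not part of the original post. The script writes a hardened BIND 9 named.conf to a path you give it and checks that the hardened settings are present and that no BIND 8-only options (use-id-pool, fetch-glue), which BIND 9 refuses to load, slipped in. The network 192.0.2.0/24 and the zone example.com are placeholders (assumptions); the rate-limit block is a BIND 9.10+ feature that goes beyond the article's steps but is the standard mitigation for response floods, and it is marked as such in the file.

```shell
#!/bin/sh
# Added example (not from the original article): generate and check a
# hardened, authoritative-only BIND 9 named.conf.
# Assumptions: BIND 9.10 or later; 192.0.2.0/24 stands in for your
# secondary servers; example.com stands in for your own zone.
set -eu

# Write the hardened configuration to $1 and print the path written.
write_hardened_named_conf() {
    out="${1:-${TMPDIR:-/tmp}/named.conf.hardened}"
    cat > "$out" <<'EOF'
// Hosts allowed to request zone transfers and to send NOTIFY.
// 192.0.2.0/24 is a placeholder (documentation range): use your secondaries.
acl "trusted" { 192.0.2.0/24; };

options {
    // (i) Authoritative only. The weak setting this replaces is the
    // default "recursion yes;", which makes the server an open resolver.
    recursion no;
    allow-recursion { none; };
    allow-query-cache { none; };

    // (ii) Do not add cached data (including referrals to the root servers)
    // to responses; such referrals are large enough to serve as amplifiers.
    additional-from-cache no;

    // Not one of the article's steps: response rate limiting (BIND 9.10+)
    // caps identical responses per client network, so a spoofed flood
    // aimed at one victim is slowed down instead of being relayed in full.
    rate-limit {
        responses-per-second 5;
        window 5;
    };

    // (v) Global default: only trusted hosts may transfer zones or NOTIFY us.
    allow-transfer { trusted; };
    allow-notify { trusted; };
};

// Placeholder zone (assumption): the zone this server is authoritative for.
zone "example.com" {
    type master;
    file "example.com.zone";
    allow-transfer { trusted; };
};
EOF
    printf '%s\n' "$out"
}

# Return 0 when the file carries the hardened settings and none of the
# BIND 8-only options that BIND 9's parser rejects; return 1 otherwise.
check_hardened_named_conf() {
    f="$1"
    grep -q '^[[:space:]]*recursion no;' "$f" || return 1
    grep -q 'additional-from-cache no;' "$f" || return 1
    grep -q 'allow-transfer { trusted; };' "$f" || return 1
    grep -Eq 'use-id-pool|fetch-glue' "$f" && return 1
    return 0
}

# Full syntax check with BIND's own checker, when it is installed.
validate_named_conf() {
    if command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf "$1"
    else
        echo "named-checkconf not installed; syntax check skipped" >&2
    fi
}

# Usage: sh harden-bind.sh [output-path]
f=$(write_hardened_named_conf "${1:-}")
check_hardened_named_conf "$f"
```

Run validate_named_conf on the generated file before copying it over /etc/named.conf, then reload named. From a host outside your network, dig @your.server example.org A should now come back REFUSED, and dig @your.server example.com AXFR should be refused unless the host is in the trusted ACL.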

Balakrishnan Prabhu

Mr. Balakrishnan Prabhu is the founder of Corpocrat magazine. He is also the founder of Best Citizenships (BC), assisting wealthy individuals with global citizenship and residency programs in Europe. His other interests are Linux, machine learning, WordPress, etc. You can contact him here.