Micetro by Men&Mice

Latest versions

Search all documentation

Child pages
  • Open DNS Server - does it matter and how do I secure (close) my server?
Skip to end of metadata
Go to start of metadata


DNS Servers shouldn’t be “open”, they shouldn’t offer recursive DNS name resolution to anyone in the Internet.

CNET.COM has an article on how attackers can misuse these open DNS Servers to launch attacks against other machines in the Internet:

"DNS servers do hackers' dirty work"


Here are the the steps to disable open recursion using the Men & Mice DNS Management System:

To disable or restrict recursion, use the Query Restrictions pane in the server’s Options window. To get there, after you’ve logged in with Men & Mice Management Console, do the following:
  • Click on DNS Servers on the left.
  • Click on your DNS server on the right - not in the list under DNS Servers, but in the right-hand pane.
  • Open the context menu - either right-click or control-click on the server.
  • Select Options.
  • In the window that appears, click on Query Restrictions on the left.
Your server should (probably) offer to resolve queries for local users only. Note that this won’t affect queries coming from other name servers out on the Internet that are asking about data in your zones. You can enter your subnet in CIDR notation, so that the list looks like this:
allow 192.0.2/24
You don’t need to “deny all” after that - it’s the default.

In a plain BIND installation without Men & Mice Management Console, add an “allow-recursion” statement in the “options” block of the “/etc/named.conf” File (BIND Configuration File). The “allow-recursion” statement should then list the networks from where recusive name resolution to the Internet is permitted. This should be local client networks.

Example for the local Class C Network
options {
     directory "/var/named";
     allow-recursion {;; };
If is also possible to use the predefined ACL (Access Controll Lists) of a BIND Nameserver:
localhost - all Network Interfaces on the DNS Server
localnets - all locally attached networks to the DNS Server (caution, for the ACL to work the DNS Servers OS network configuration must be error-free)

options {
     directory "/var/named";
     allow-recursion { localnets; };