Open DNS Resolver Being Abused
Embed This Widget
Add the script tag and a data attribute to embed this widget.
Embed via iframe for maximum compatibility.
<iframe src="https://ipfyi.com/iframe/entity//" width="420" height="400" frameborder="0" style="border:0;border-radius:10px;max-width:100%" loading="lazy"></iframe>Paste this URL in WordPress, Medium, or any oEmbed-compatible platform.
https://ipfyi.com/entity//Add a dynamic SVG badge to your README or docs.
[](https://ipfyi.com/entity//)Use the native HTML custom element.
Your DNS server is configured to recursively resolve queries for any source IP on the internet — not just your own network. Attackers are exploiting this open resolver to amplify DDoS attacks: they send small DNS queries spoofed as coming from a victim's IP, and your server responds with large answers directed at the victim, generating 50-100x amplification.
Symptoms
- ⚠ Unusually high outbound DNS traffic (hundreds of Mbps) from your server
- ⚠ DNS query logs flooded with ANY or TXT queries from millions of external source IPs
- ⚠ Your server's upstream bandwidth consumed by DNS responses to random internet IPs
- ⚠ ISP or datacenter notifies you of abnormal DNS traffic violating their acceptable-use policy
- ⚠ Server CPU and memory high due to resolver processing thousands of recursive queries per second
- ⚠ Victim organisations may contact you identifying your IP as part of a DDoS amplification attack
Possible Root Causes
- • DNS server configured with `allow-recursion { any; };` instead of restricting to internal subnets
- • Default configuration of older BIND or dnsmasq versions that allow-all before tightening was common practice
- • Firewall rule allowing UDP port 53 inbound from 0.0.0.0/0 instead of internal network ranges
- • Authoritative-only DNS server accidentally left with recursive resolution enabled
- • Cloud security group or hosting firewall misconfiguration exposing DNS to the public internet
Diagnosis Steps
1. Check if your resolver is open to the internet
# Test from an external host (not your own network)
# If this returns a full answer, your resolver is open
dig @YOUR_SERVER_IP google.com A
# Test the classic amplification vector: ANY query
dig @YOUR_SERVER_IP isc.org ANY +bufsize=4096
# Verify from your own server which IPs are allowed
named-checkconf -p | grep allow-recursion # BIND
grep -i "allow-recursion\|allow-query" /etc/named.conf
grep -i "recursive\|acl" /etc/unbound/unbound.conf
2. Measure current DNS traffic volume
# Count DNS queries per second (press Ctrl+C after a few seconds)
sudo tcpdump -i eth0 -nn port 53 -l 2>/dev/null | pv -l -i 1 > /dev/null
# Show source IPs sending the most DNS queries
sudo tcpdump -i eth0 -nn port 53 -c 10000 2>/dev/null \
| awk '{print $3}' | cut -d. -f1-4 | sort | uniq -c | sort -rn | head -20
# Check current DNS traffic bandwidth
sudo iftop -i eth0 -f "port 53" -n
3. Inspect query types being processed
# For BIND: enable query logging temporarily
rndc querylog on
tail -f /var/named/data/named_querylog | head -500
# For unbound: increase verbosity temporarily
unbound-control verbosity 2
tail -f /var/log/unbound.log | head -500
# For systemd-resolved
journalctl -u systemd-resolved -f | head -100
4. Check if you are listed as an open resolver
# openresolverproject.org maintains a list of known open resolvers
# Check via their website or DNS-based lookup
dig +short TXT openresolver.com @YOUR_SERVER_IP
# If it returns data, you ARE an open resolver
Solution
Step 1: Immediately restrict recursion in your DNS server config
BIND (/etc/named.conf):
options {
// Only allow recursion for your own networks
allow-recursion { 127.0.0.1; 10.0.0.0/8; 192.168.0.0/16; };
allow-query { any; }; // OK for authoritative
allow-query-cache { 127.0.0.1; 10.0.0.0/8; 192.168.0.0/16; };
recursion yes; // Only reachable to allowed-recursion IPs
};
sudo named-checkconf # Validate
sudo systemctl restart named
Unbound (/etc/unbound/unbound.conf):
server:
access-control: 0.0.0.0/0 refuse
access-control: 127.0.0.0/8 allow
access-control: 10.0.0.0/8 allow
access-control: 192.168.0.0/16 allow
sudo unbound-checkconf
sudo systemctl restart unbound
Step 2: Block UDP port 53 inbound at the firewall
# Drop DNS queries from outside your network
sudo iptables -A INPUT -p udp --dport 53 ! -s 10.0.0.0/8 -j DROP
sudo iptables -A INPUT -p tcp --dport 53 ! -s 10.0.0.0/8 -j DROP
# Save rules
sudo iptables-save | sudo tee /etc/iptables/rules.v4
Step 3: Rate-limit DNS responses to mitigate in-progress abuse
BIND RRL (Response Rate Limiting):
rate-limit {
responses-per-second 5;
window 5;
};
Step 4: Verify the fix
# Test from an external host — should now be refused
dig @YOUR_SERVER_IP google.com A
# Expected: ;; connection timed out; no servers could be reached
Prevention
- Restrict recursion at install time: Any DNS server deployed internet-facing should have
allow-recursion { trusted_nets; };set before the first packet is accepted — this should be part of your server provisioning checklist. - Firewall DNS at the network edge: Even if the DNS daemon is misconfigured, a firewall rule dropping inbound UDP/TCP 53 from untrusted networks is a safety net.
- Enable DNS Response Rate Limiting (RRL): Even for authoritative-only servers, RRL in BIND and NSD limits how many identical responses are sent per second to a single IP, defeating amplification even if queries slip through.
- Audit regularly: Run
dig @YOUR_IP google.comfrom a VPS in another network monthly to confirm your resolver remains closed. - Monitor DNS query rates: Alert when outbound DNS traffic exceeds a baseline — a sudden 10x spike is a strong abuse indicator.