Open Resolver Check
DNS amplification attack prevention
What is an Open Resolver?
An open DNS resolver is a DNS server that accepts recursive queries from anyone on the internet, not just authorized clients. This misconfiguration can be exploited for DNS amplification DDoS attacks.
Why is it dangerous?
Open resolvers can be weaponized in DDoS attacks, where attackers send small queries that generate large responses directed at victims. Your server becomes an unwitting participant in attacks.
Impact
Operating an open resolver can lead to bandwidth exhaustion, being blacklisted, potential legal issues, and your infrastructure being used to attack others without your knowledge.
Your DNS Servers
| DNS Server | IP Address | Recursive Queries | Status | Last Checked |
|---|---|---|---|---|
| ns1.example.com (Primary Nameserver) | 192.0.2.1 | Restricted | Secure ✓ | 1 hour ago |
| ns2.example.com (Secondary Nameserver) | 192.0.2.2 | Restricted | Secure ✓ | 1 hour ago |
Test Results
- DNS Servers Tested: 2
- Open Resolvers Found: 0
- Recursive Queries: Properly Restricted
- External Query Test: Refused (Correct Behavior)
- Amplification Risk: None
- Last Check: December 3, 2025 - 11:45 AM
How DNS Amplification Attacks Work
Attacker's Spoofed Request
The attacker sends a small DNS query (about 60 bytes) to your open resolver with the victim's IP as the spoofed source address. The query asks for record types that produce large answers (ANY, TXT, etc.).
Amplified Response
Your open resolver processes the request and sends a large response (up to 4,000 bytes) to the victim's IP, amplifying the attack traffic by up to 70x.
Victim Overwhelmed
The attacker repeats this against thousands of open resolvers simultaneously. The victim receives massive unsolicited DNS traffic, causing bandwidth exhaustion and service disruption.
Your Server Implicated
Your server appears as the attack source in the victim's logs. You may face bandwidth costs, blacklisting, abuse complaints and potential legal action, all without knowing you were involved.
DNS Query Types
Authoritative
Safe. The server only answers queries for domains it is authoritative for. This is the correct configuration for public DNS servers.
- Only answers own domains
- Cannot be used in amplification
- Recommended for public servers
Recursive (Restricted)
Acceptable. The server performs recursive lookups, but only for authorized clients (your network). Access control lists (ACLs) restrict who can use recursion.
- Limited to trusted clients
- ACL-protected
- Safe for internal use
Open Recursive
Dangerous. The server performs recursive lookups for anyone on the internet. This is a critical security vulnerability that must be fixed immediately.
- Accepts queries from anyone
- Amplification attack vector
- Must be fixed immediately
How to Secure Your DNS Server
- Determine your DNS server software (BIND, Unbound, PowerDNS, Microsoft DNS, etc.).
- For BIND: edit named.conf and restrict recursion:

```
options {
    recursion no; // Disable for authoritative-only servers
    // OR, for recursive servers, keep recursion on but limit it with an ACL:
    allow-recursion { 192.168.1.0/24; 10.0.0.0/8; };
    allow-query { any; }; // Authoritative queries still work
};
```

- For Unbound: configure access control (the catch-all refuse comes first; more specific allow rules override it):

```
server:
    access-control: 0.0.0.0/0 refuse
    access-control: 192.168.1.0/24 allow
    access-control: 127.0.0.0/8 allow
```

- For Microsoft DNS: use DNS Manager to disable recursion or set allowed IP ranges under Server Properties → Advanced tab.
- If your server is authoritative-only (hosting your domains), completely disable recursion.
- If your server needs recursion (internal use), implement strict ACLs limiting it to your network only.
- Enable response rate limiting (RRL) to mitigate attack attempts:

```
// BIND RRL example (goes inside the options block)
rate-limit {
    responses-per-second 5;
    window 5;
};
```

- Restart the DNS service and test the configuration:

```shell
# Linux - BIND
sudo systemctl restart named
# Test from an external IP
dig @your-dns-ip google.com
```

- Verify the server refuses recursive queries from external sources.
Secure Configuration Examples
BIND - Authoritative Only:
```
options {
    recursion no;
    allow-query { any; };
    version "not available"; // Hide version
};
```
BIND - Recursive with ACL:
```
acl trusted {
    192.168.1.0/24;
    10.0.0.0/8;
    localhost;
};
options {
    recursion yes;
    allow-recursion { trusted; }; // Only the ACL above may recurse
    allow-query { any; };         // Authoritative answers stay public
};
```
Unbound - Restricted Access:
```
server:
    interface: 0.0.0.0
    access-control: 0.0.0.0/0 refuse
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.0.0/16 allow
    hide-identity: yes
    hide-version: yes
```
DNS Security Best Practices
- Disable Recursion: For authoritative servers, always disable recursion.
- Use ACLs: If recursion is needed, strictly limit it to trusted networks.
- Rate Limiting: Implement response rate limiting (RRL).
- Monitor Traffic: Watch for unusual query patterns.
- Regular Testing: Test for open resolver status monthly.
- Hide Version: Don't reveal the DNS software version.
Testing for Open Resolver
Test your DNS server from an external location:
```shell
# Test from outside your network
dig @your-dns-server-ip google.com
# Expected result for secure server:
# status: REFUSED (if authoritative-only)
# OR no response (if ACL-blocked)
# BAD result (open resolver):
# status: NOERROR with answer section
```
Use online tools like openresolver.com or dns.measurement-factory.com for comprehensive testing.
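The external dig test above as an added Python checker, not code from the original page: it builds a query with the RD bit set for a name the server is not authoritative for, sends it over UDP, and classifies the reply by RCODE and the RA flag exactly as the expected-result comments do. DNS_SERVER and PROBE_NAME are placeholders (assumptions) for a server you operate; a timeout is reported as "no-response", matching the "no response (if ACL-blocked)" case.

```python
import secrets
import socket
import struct

# Hypothetical target: replace with the IP of a DNS server you operate (assumption).
DNS_SERVER = "192.0.2.1"
# The page's external test queries a name the server is not authoritative for.
PROBE_NAME = "google.com"

def build_query(name, txid=None, qtype=1):
    """Build a DNS query for `name` with the RD (recursion desired) bit set."""
    txid = secrets.randbits(16) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags 0x0100 = RD
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN

def classify_response(data, expected_txid):
    """Map a raw reply to: open, refused, closed, mismatch or malformed."""
    if len(data) < 12:
        return "malformed"
    txid, flags, _qd, _an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_txid:
        return "mismatch"
    rcode = flags & 0x000F           # low 4 bits of the flags word
    ra = bool(flags & 0x0080)        # Recursion Available bit
    if rcode == 5:                   # REFUSED: recursion no / ACL refuse did its job
        return "refused"
    if ra and rcode in (0, 3):       # it recursed for an outsider (NOERROR or NXDOMAIN)
        return "open"
    return "closed"                  # answered without offering recursion

def probe(server_ip=DNS_SERVER, name=PROBE_NAME, timeout=3.0):
    """Send the probe over UDP/53; 'no-response' means an ACL silently dropped it."""
    txid = secrets.randbits(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (server_ip, 53))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "no-response"
    return classify_response(data, txid)

if __name__ == "__main__":
    print(probe())
```

Run it monthly from a host outside your network, as the best-practices list recommends; any result other than "refused" or "no-response" needs the recursion settings above revisited.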