
[Solved] How to disallow DNS servers responding to recursive queries?

Posted: 2024-03-17 19:56
by 818erm9x1
Hi all,

According to the German CERT-Bund reports, DNS open resolvers can be abused for DDoS reflection attacks against third parties. They describe a simple test to discover whether a server has this issue. One can execute the following command (replacing the IP with the IP of the server we want to test):

```
$ dig @
```

An open resolver allowing recursive queries will return a response with status NOERROR, whereas an open resolver not allowing recursive queries will return a response with status REFUSED.

One of my servers, which uses Debian 12.5, has a DNS open resolver. However, I don't know how to avoid the open resolver. Some instructions say I should modify the BIND configuration. However, it seems BIND is not installed on the server:

```
$ aptitude show bind9
Package: bind9
Version: 1:9.18.24-1
State: not installed
```

How can I disallow recursive queries?

How can I disallow the open resolver? I think I don't need it.
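The CERT-Bund test above is easy to misread by eye, so here is an added example (not part of the original post, and not CERT-Bund's own tooling) that classifies dig output automatically. It goes slightly beyond the post's two-way NOERROR/REFUSED split by also checking the `ra` (recursion available) flag, so that a server which answers NOERROR only for zones it hosts is not mistaken for an open resolver. The sample outputs, the 192.0.2.x addresses and the name example.com are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): classify "dig @<ip> <name>" output
# for the CERT-Bund open-resolver test instead of reading it by eye.
# Assumptions: standard DiG header layout; 192.0.2.x and example.com are placeholders.

# Constructed sample outputs (not captured from real servers), trimmed to the header lines.
SAMPLE_OPEN='; <<>> DiG 9.18.24-1-Debian <<>> @192.0.2.1 example.com
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9300
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

SAMPLE_REFUSED='; <<>> DiG 9.18.24-1-Debian <<>> @192.0.2.2 example.com
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 1234
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

SAMPLE_AUTH_ONLY='; <<>> DiG 9.18.24-1-Debian <<>> @192.0.2.3 example.com
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4321
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

# classify_dig_output TEXT  -> prints one word:
#   open-recursive  NOERROR with the "ra" flag: the server resolved for us (open resolver)
#   refused         REFUSED: recursion is denied to this client (what you want to see)
#   authoritative   NOERROR without "ra": it only answered for a zone it hosts
#   no-answer       no HEADER line at all (timeout, filtered by a firewall, no DNS service)
#   anything else   the rcode in lower case (servfail, nxdomain, ...)
classify_dig_output() {
    out=$1
    header=$(printf '%s\n' "$out" | grep '^;; ->>HEADER<<-') || { echo no-answer; return 0; }
    status=$(printf '%s\n' "$header" | sed -n '1s/.*status: \([A-Z]*\),.*/\1/p')
    flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1)
    case "$status" in
        REFUSED) echo refused ;;
        NOERROR)
            case " $flags " in
                *" ra "*) echo open-recursive ;;
                *)        echo authoritative ;;
            esac ;;
        *) printf '%s\n' "$status" | tr 'A-Z' 'a-z' ;;
    esac
}

# check_resolver IP [NAME]: run the live test against a server you own, from OUTSIDE
# its network; from an allowed internal subnet it will (correctly) look open.
check_resolver() {
    ip=$1
    name=${2:-example.com}   # placeholder; use a name the server is NOT authoritative for
    classify_dig_output "$(dig +tries=1 +time=3 "@$ip" "$name" A 2>&1)"
}

if [ $# -gt 0 ]; then check_resolver "$@"; fi
```

Run it as `sh check.sh <server-ip> <some-name>` from a host outside the server's own network. Query a name the server is not authoritative for: asking a public authoritative server about its own zone returns NOERROR without `ra` and is classified as `authoritative`, which is the expected, harmless result. Only `open-recursive` from an external vantage point means the server is usable for reflection.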

Re: How to disallow DNS servers responding to recursive queries?

Posted: 2024-03-18 18:33
by reinob
You'd first need to find out which resolver you have installed in that server. Common options are bind (which you say you don't have) and unbound.

Note that your dig test returns NOERROR if the server provides a result. This doesn't say anything about whether or not it allows recursive queries (but normally the whole point of a resolver is that it resolves recursively), so it's not clear to me where you think there is a problem.

Obviously, you can run your own recursive resolver (I have one in my home network, and some of my computers have their own recursive resolver). As long as you don't let outsiders use it, there is no problem. So this is more a firewall configuration issue.

But maybe I'm misunderstanding what (you think) the problem is.

Re: How to disallow DNS servers responding to recursive queries?

Posted: 2024-03-18 19:11
by 818erm9x1
Thanks @reinob for your answer. I also don't know which resolver I have installed. I don't have unbound installed, because I got the following information with aptitude:

```
root@degu02:~# aptitude show unbound
Package: unbound
Version: 1.17.1-2+deb12u2
State: not installed
```

I got the following answer:

```
$ dig @X.X.X.X
; <<>> DiG 9.18.24-1-Debian <<>> @X.X.X.X
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9300
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 5, ADDITIONAL: 1

; EDNS: version: 0, flags:; udp: 1232
;			IN	A


;; AUTHORITY SECTION:
		3600	IN	NS
		3600	IN	NS
		3600	IN	NS
		3600	IN	NS
		3600	IN	NS

;; Query time: 36 msec
;; SERVER: X.X.X.X#53(X.X.X.X) (UDP)
;; WHEN: Mon Mar 18 19:59:35 CET 2024
;; MSG SIZE  rcvd: 172
```

So, I followed your suggestion and used the UFW firewall to block access to port 53 from outside. This solves the problem :D

Re: How to disallow DNS servers responding to recursive queries?

Posted: 2024-03-18 20:34
by reinob
Maybe you could log in to your DNS server (the X.X.X.X in your last message) and run (as root)

```
netstat -plutn | grep 53
```

This will show which process is listening on port 53 (DNS).

If you post here the output, it may help to identify what kind of service/server is running.

Common DNS servers are bind, unbound, and dnsmasq.
(probably systemd-resolved too, but I don't think it'd listen to requests from other computers, but you never know..)

Re: How to disallow DNS servers responding to recursive queries?

Posted: 2024-03-19 06:24
by 818erm9x1
Thank you again! Your last answer was very useful. With netstat, I noticed that the DNS server was dnsmasq. Then, I added `no-resolv` to the configuration as described on However, this also disables the resolver from internal connections and from containers (which breaks some applications). Thus, in my opinion, the best solution is using the firewall.
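Putting the last two posts together, here is an added example (not from the thread, and not dnsmasq's or Debian's own tooling). It first parses `netstat -plutn` output to list exactly the port 53 sockets and the program that owns them, narrowed to those bound to a wildcard or non-loopback address, which is what the `grep 53` suggestion above is looking for but with no false hits on 5353 or on PIDs containing 53. It then shows a dnsmasq drop-in using `local-service`, which keeps the resolver answering for loopback, the LAN and container bridges while dropping queries from other networks, and a helper that installs it and adds the firewall rule. The netstat samples, PIDs, the interface names eth0/docker0 and the path /etc/dnsmasq.d/local-only.conf are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): find the port-53 listeners behind
# "netstat -plutn", report the ones reachable from outside, and show a dnsmasq
# drop-in that keeps the resolver usable locally and from containers only.
# Assumptions: Linux netstat column layout; PIDs, eth0 and the drop-in path are placeholders.

# Constructed sample of "netstat -plutn" run as root (program names need root).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      812/dnsmasq
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      640/sshd
tcp6       0      0 :::53                   :::*                    LISTEN      812/dnsmasq
udp        0      0 0.0.0.0:53              0.0.0.0:*                           812/dnsmasq
udp        0      0 127.0.0.1:5353          0.0.0.0:*                           700/avahi-daemon
udp6       0      0 :::53                   :::*                                812/dnsmasq'

# Constructed sample of a host whose resolver is already bound to loopback only.
SAMPLE_LOOPBACK='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
udp        0      0 127.0.0.1:53            0.0.0.0:*                           812/dnsmasq'

# dns_listeners TEXT: print "proto local-address program" for each socket on port 53.
# Matching the port exactly avoids the false hits a plain "grep 53" gives on :5353 or on PIDs.
dns_listeners() {
    printf '%s\n' "$1" | awk '$4 ~ /:53$/ { prog = $NF; sub(/^[0-9]+\//, "", prog); print $1, $4, prog }'
}

# exposed_dns_listeners TEXT: only sockets bound to a wildcard or non-loopback address,
# i.e. those an Internet client can reach unless the firewall blocks port 53.
exposed_dns_listeners() {
    dns_listeners "$1" | awk '$2 !~ /^(127\.|::1:)/'
}

# dnsmasq_local_only_conf: drop-in for /etc/dnsmasq.d/ (path assumed). local-service makes
# dnsmasq answer only clients on subnets of its own interfaces (loopback, the LAN, container
# bridges such as docker0) and drop queries from elsewhere. Per dnsmasq(8) it has no effect
# if interface=, except-interface= or listen-address= are set, so use one form or the other.
dnsmasq_local_only_conf() {
    cat <<'EOF'
# /etc/dnsmasq.d/local-only.conf (added example)
local-service
# Alternative, stricter form: bind only to named interfaces (bind-dynamic copes with
# bridges that appear after startup); do not combine with local-service.
#bind-dynamic
#interface=lo
#interface=docker0
EOF
}

# apply_hardening: install the drop-in, syntax-check, restart, and also block port 53 on
# the public interface at the firewall as the poster did. Needs root, dnsmasq and ufw.
apply_hardening() {
    dnsmasq_local_only_conf > /etc/dnsmasq.d/local-only.conf
    dnsmasq --test || return 1                 # refuse to restart on a config error
    systemctl restart dnsmasq
    ufw deny in on eth0 to any port 53         # tcp and udp; eth0 = public interface (placeholder)
}

case "${1:-}" in
    scan)  exposed_dns_listeners "$(netstat -plutn 2>/dev/null)" ;;
    apply) apply_hardening ;;
esac
```

`sh harden.sh scan` needs root for program names and the net-tools package for netstat; with `ss -lntup` the local address is column 5, so change `$4` accordingly. After `apply`, re-run the external dig test: with `local-service` dnsmasq drops rather than refuses outside queries, so expect a timeout instead of REFUSED, and keep the firewall rule as the second layer.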

Re: How to disallow DNS servers responding to recursive queries?

Posted: 2024-03-20 07:59
by Aki
818erm9x1 wrote: 2024-03-19 06:24 Thank you again! Your last answer was very useful. With netstat, I noticed that the DNS server was dnsmasq. Then, I added `no-resolv` to the configuration as described on This also solves the issue.
I'm glad you sorted it out. :)

Please mark the discussion as "solved" by manually adding the text tag "[Solved]" at the beginning of the subject of the first message (after other tags, if any); i.e.:
[Solved] How to disallow DNS servers responding to recursive queries?
Happy Debian !