Securing DNS against DDOS amplification attacks

When you run a DNS server on your dedicated server, it will be the target of DNS amplification attacks. To prevent these attacks from succeeding and using up your bandwidth (which you will pay for), you need to configure your DNS server not to answer recursive queries.

Check if your server is vulnerable

You can send a DNS query to your server, e.g. “” using dig or nslookup.

    > server
    Non-authoritative answer:

If you receive an answer that includes the IP address of, then your server is vulnerable, because it did the recursive work of resolving the name and presented the result to you.
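The check above can be scripted. The following is an added example, not part of the original post: it reads the header lines that `dig` prints (`+noall +comments`) and classifies the reply by the `ra` (recursion available) flag and the answer count. The two reply texts are constructed samples, and `probe_server` is a hypothetical wrapper that needs network access and `dig` installed.

```shell
#!/bin/sh
# Added example (not from the original post): classify a server's reply to an
# ordinary query by reading the header lines that dig prints.
# Both reply texts below are constructed to look like
# "dig @server name +noall +comments" output.

# Constructed sample: an open resolver (answer found, "ra" flag set).
OPEN_REPLY=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

# Constructed sample: a server with "recursion no" asked for a name it is not
# authoritative for (no "ra" flag, no answer, status REFUSED).
LOCKED_REPLY=';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4243
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

# classify_reply <dig header text>
# Prints one of:
#   open-resolver  - "ra" set and an answer was returned: the server resolved for us
#   recursion-on   - "ra" set but no answer (e.g. the name does not exist)
#   non-recursive  - no "ra" flag: the server will not resolve on our behalf
classify_reply() {
  reply=$1
  # The flags line looks like ";; flags: qr rd ra; QUERY: 1, ANSWER: 1, ..."
  flags=$(printf '%s\n' "$reply" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p')
  answers=$(printf '%s\n' "$reply" | sed -n 's/.*ANSWER: \([0-9]*\),.*/\1/p')
  case " $flags " in
    *" ra "*)
      if [ "${answers:-0}" -gt 0 ]; then echo open-resolver; else echo recursion-on; fi ;;
    *)
      echo non-recursive ;;
  esac
}

# probe_server <server> <name>: hypothetical live check (needs network and dig).
probe_server() {
  classify_reply "$(dig @"$1" "$2" +noall +comments 2>/dev/null)"
}

printf 'open resolver sample: %s\n' "$(classify_reply "$OPEN_REPLY")"
printf 'locked-down sample:   %s\n' "$(classify_reply "$LOCKED_REPLY")"
```

Run `probe_server <your-server-ip> <some-name-you-are-not-authoritative-for>` from a host outside your network; `open-resolver` means the server is doing recursion for strangers and will amplify for them.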

Secure named (bind) on Linux

Add this to the “options” section of /etc/named.conf:

    recursion no;
    additional-from-auth no;
    additional-from-cache no;

Then restart named so that it will use the new secure options:

    /etc/init.d/named restart

For detailed information see

Secure Microsoft DNS server

If you have installed or enabled Exchange then you have implicitly turned on DNS, which by default runs as a recursive service and can be horribly attacked.  Usually you can just firewall the DNS service.

Run this command:

    dnscmd . /Config /NoRecursion 1

Or follow this procedure:

    Start | Administrative Tools | DNS (DNS manager)
    Right click DNS server | 
        Properties | 
        Advanced | 
        Server options | 
        Disable recursion -> Yes, OK

Unfortunately, it is not possible to prevent the Microsoft DNS server from replying with cached values, so your non-recursive DNS server will provide a small amount of useful traffic amplification for attackers.  Where possible, add a firewall rule that blocks incoming traffic from unauthorised clients towards port 53/UDP (and port 53/TCP for good measure).

iptables rules for Linux

If your DNS server is used only by the machine on which you are running it, you can block external queries as follows:

    # Drop DNS queries arriving on any interface other than loopback
    iptables -A INPUT -p udp -m udp --dport 53 ! -i lo -j DROP

These iptables firewall rules block excessive ANY queries to a non-recursive DNS server. The hex string matches the end of a DNS question section: the 0x00 byte that terminates the name, then QTYPE 255 (ANY, 0x00ff) and QCLASS IN (0x0001). The first rule records each source address that sends such a query; the second drops further ANY queries from any source that has sent five or more within 60 seconds:

    iptables -A INPUT -p udp -m udp --dport 53 \
        -m string --hex-string "|0000ff0001|" --algo bm --from 48 --to 65535 \
        -m recent --set --name dnsanyquery --rsource
    iptables -A INPUT -p udp -m udp --dport 53 \
        -m string --hex-string "|0000ff0001|" --algo bm --from 48 --to 65535 \
        -m recent --rcheck --seconds 60 --hitcount 5 --name dnsanyquery --rsource \
        -j DROP
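To see what the `|0000ff0001|` pattern is actually catching, the following added example (not from the original post) encodes a DNS question section in wire format, the way a client would put it on the wire, and reproduces the substring test the string match performs. The helper names `name_to_hex`, `question_hex` and `matches_any_rule` are my own; `example.com` is only a sample name.

```shell
#!/bin/sh
# Added example (not from the original post): build the hex of a DNS question
# section and apply the same substring test as the iptables --hex-string rule.

# name_to_hex <name>: wire-format name as hex, one length byte per label and
# a 0x00 terminator ("example.com" -> 07 6578616d706c65 03 636f6d 00).
name_to_hex() {
  rest=${1%.}          # tolerate a fully qualified "example.com."
  out=""
  while [ -n "$rest" ]; do
    label=${rest%%.*}
    case $rest in *.*) rest=${rest#*.} ;; *) rest="" ;; esac
    out="$out$(printf '%02x' "${#label}")$(printf '%s' "$label" | od -An -tx1 | tr -d ' \n')"
  done
  printf '%s00' "$out"
}

# question_hex <name> <qtype-number>: QNAME + QTYPE + QCLASS (IN = 1),
# the two numbers as 16-bit big-endian values.
question_hex() {
  printf '%s%04x0001' "$(name_to_hex "$1")" "$2"
}

# matches_any_rule <hex>: returns 0 when the bytes 00 00ff 0001 occur in
# sequence, i.e. name terminator, QTYPE ANY (255), QCLASS IN. This is a
# substring search, exactly like xt_string, not a parse of the message.
matches_any_rule() {
  case $1 in *0000ff0001*) return 0 ;; *) return 1 ;; esac
}

for qtype in 255 1 16; do
  q=$(question_hex example.com "$qtype")
  if matches_any_rule "$q"; then verdict=matches; else verdict=passes; fi
  printf 'qtype %3s  %s  %s\n' "$qtype" "$q" "$verdict"
done
```

Only the ANY question (QTYPE 255) ends in `0000ff0001`; A (1) and TXT (16) queries for the same name do not. Because the rule is a byte-pattern search over the packet rather than a parse, the `--from` offset keeps it from scanning the IP and UDP headers, and a legitimate query would only be caught if that exact five-byte sequence happened to appear in the searched range.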

If for some reason you have to run an open DNS resolver, you can rate-limit the queries you accept from each source network:

    iptables -A INPUT -p udp --dport 53 -m hashlimit \
        --hashlimit-name DNS --hashlimit-above 20/second --hashlimit-mode srcip \
        --hashlimit-burst 100 --hashlimit-srcmask 28 -j DROP

If you know what the above means you can install these rules in your system.

Reference information

You can read more about this here:




2 Responses to Securing DNS against DDOS amplification attacks

  1. naeim says:

    Hi Please tell me the link and I’ll link you

  2. VideoPortal says:

    At the heart of many customers’ concerns is the ability to protect against DDoS attacks. The focus may revolve around customers’ own networks and data, network and data services that customers provide to their own customers, or a combination.
