Protecting The DNS server against DDOS
If you are managing a DNS server with BIND, your server might encounter such attacks. You will need to harden your DNS server (BIND) using the steps below.

Check /etc/host.conf and add this line, so that it prevents hostname spoofing:

    nospoof on

Now in /etc/named.conf:

Disable recursion

    options {
    ...
    recursion no;
    ...
    };

Disable upward referrals (refuse referring to root servers)

    additional-from-cache no;

Prevent spoofing

In order to prevent spoofing, consider using use-id-pool to generate random message IDs, which makes guessing them harder.

    use-id-pool yes;   // only for BIND 8.x

Disable glue fetching

    fetch-glue no;

Restrict zone transfers and notifications

Besides these, be sure to disable notifications and zone transfers in your DNS server, or restrict them to trusted hosts as shown here:

    acl "trusted" {
    XX.xx.xx.xx;
    YY.YY.YY.YY;
    };
    allow-notify { trusted; };
    allow-transfer { trusted; };
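As an added example (not from the original post), a small POSIX shell check that audits an existing named.conf for the BIND 9 settings listed above and reports what is missing or left open. It assumes the file uses only // or # comments (/* */ blocks are not stripped) and skips the BIND 8-only options (use-id-pool, fetch-glue).

```shell
# Audit a named.conf for the hardening settings above.
# Usage: audit_named_conf /etc/named.conf
# Exit status is the number of findings (0 = all checks passed).
audit_named_conf() {
    conf="$1"
    findings=0
    # Strip // and # comments so a commented-out setting does not count as present.
    body=$(sed -e 's#//.*$##' -e 's/#.*$//' "$conf")

    # 1. An authoritative-only server must not recurse for arbitrary clients.
    if ! printf '%s\n' "$body" | grep -Eq 'recursion[[:space:]]+no[[:space:]]*;'; then
        echo "FINDING: recursion is not disabled (add 'recursion no;' to options)"
        findings=$((findings + 1))
    fi

    # 2. Do not hand out additional records from cache (upward referrals).
    if ! printf '%s\n' "$body" | grep -Eq 'additional-from-cache[[:space:]]+no[[:space:]]*;'; then
        echo "FINDING: additional-from-cache is not set to no"
        findings=$((findings + 1))
    fi

    # 3. Zone transfers and notifies must be limited to an ACL, never 'any'
    #    and never left unset.
    for stmt in allow-transfer allow-notify; do
        if ! printf '%s\n' "$body" | grep -Eq "$stmt[[:space:]]*\{"; then
            echo "FINDING: $stmt is not set; restrict it to a trusted ACL"
            findings=$((findings + 1))
        elif printf '%s\n' "$body" | grep -Eq "$stmt[[:space:]]*\{[[:space:]]*any[[:space:]]*;"; then
            echo "FINDING: $stmt { any; } allows every host"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}
```

Run it before and after editing named.conf; a non-zero exit status lists each setting still to fix.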