The terms Open and Closed are now used to describe DNS servers as follows:
- Open DNS: A DNS server that accepts recursive queries from external locations, allowing anyone anywhere to use it for genuine or malicious purposes.
- Closed DNS: A DNS server that accepts recursive queries only from an identified (and hopefully trusted) set of clients.
What used to be a friendly and neighborly action, running an Open DNS, may now inadvertently place you and others at risk for three major reasons:
- DoS Attacks: Malicious users can send random domain queries to your DNS server, causing it to become extremely busy and clog up the Internet with useless traffic.
- DoS Amplification Attacks: Malicious users can send domain-specific queries that cause your DNS server to amplify a wider DoS attack against a particular site.
- Cache Poisoning: Malicious users can send specific queries and then attempt to spoof the responses with malicious content; if the forged answer is cached, they control where traffic leaving your site is directed.
To mitigate these risks, use the appropriate techniques for your installation:
Notes:
BIND 9.4 introduced the allow-query-cache statement to limit Open DNS resolvers. It defaults to the same value as allow-recursion. For clarity, avoid defining both allow-recursion and allow-query-cache; use one or the other.
Since BIND 9.4, if recursion yes; is present (or defaulted) and no allow-recursion limit is set, then allow-query-cache {localnets; localhost;}; is the default. This permits recursive queries only from the server's own host (localhost) and from hosts on directly connected LANs (localnets).
BIND 9.4 also introduced the allow-query-on, allow-recursion-on, and allow-query-cache-on statements. These let the restriction be expressed in terms of the server interface (address) on which a query arrives, which simplifies query limit definitions on multi-homed servers.
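The following named.conf fragments are an added example, not configuration from the original page or from the BIND project: the first shows the open-resolver setting the notes warn about, the second the closed form using the statements described above. The acl name "trusted", the network 192.0.2.0/24, and the interface address 192.0.2.1 are constructed placeholders (RFC 5737 documentation addresses); substitute your own.

```conf
// ---- named.conf (before): an OPEN resolver ----
// recursion is on and neither allow-recursion nor allow-query-cache is set,
// so any host on the Internet can use this server for recursive lookups.
options {
    directory "/var/named";
    recursion yes;
};

// ---- named.conf (after): a CLOSED resolver ----
// Recursion stays on, but only for a named set of trusted clients.
// Addresses are constructed placeholders; replace them with your networks.
acl "trusted" {
    localhost;          // the server itself
    localnets;          // networks directly attached to the server
    192.0.2.0/24;       // assumed internal LAN
};

options {
    directory "/var/named";
    recursion yes;

    // Only allow-recursion is defined, as the notes advise; since BIND 9.4
    // allow-query-cache takes the same value by default.
    allow-recursion { "trusted"; };

    // Multi-homed server: additionally accept recursive queries only on
    // the internal interface (assumed address), never on the public one.
    allow-recursion-on { 192.0.2.1; };

    // For a server that is authoritative only and should never recurse,
    // the simplest closed form is "recursion no;" instead of the above.
};
```

After editing, run named-checkconf to validate the syntax before reloading. To confirm the change took effect, issue a recursive query for a name you are not authoritative for from a host outside the trusted set; a closed resolver answers REFUSED (or returns no answer with the "ra" flag absent), while a host inside the trusted set still receives a normal answer.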