Disable Recursive DNS

disable recursive dns

DNS is used to translate hostnames into IP addresses.  When DNS servers are misconfigured, they can be used to conduct DDOS attacks.  We recommend that all public DNS servers are configured to not permit recursive DNS queries.  This configuration will still allow DNS for your domain names to work properly, but will prevent abuse.

disable recursive dns
On Windows machines, you can disable recursive DNS:
1) Open ‘Server Manager’
2) Expand Roles -> DNS Server -> DNS -> (Your Server’s Name)
3) Right click on your server name, choose Properties
4) On the ‘Advanced’ tab, select ‘Disable recursion (also disables forwarders)’
5) Click OK

On Linux machines, there are a few common DNS servers:

BIND:
1) Open your BIND configuration file
2) In the ‘options’ section, make sure you have ‘recursion no;’ and ‘additional-from-cache no;’
3) Restart BIND after making any changes

DNSMasq:
Unfortunately, there is not a straight forward way to disable this within DNSMasq.  You would either need to modify the DNSMasq configuration so that it no longer listens on public IP addresses, or firewall off UDP port 53 to all hosts except your desired ones.

If for some reason you cannot make the necessary changes and you are not hosting your own DNS, we would suggest that you firewall off all incoming UDP port 53 traffic.

Please see https://blog.cloudflare.com/reflections-on-reflections for more information on reflection attacks.