Hi,
I received a mail from my host provider
that my DNS server is used to attack other sites.
Is my server hacked?
What can I do about it?
DNS-server used in DDOS attack
Re: DNS-server used in DDOS attack
I think your host provider is referring to Domain Name Server (DNS) amplification attack.
This does not mean that your server has been hacked.
In short: a Domain Name Server (DNS) amplification attack is a distributed denial of service (DDoS) that uses normal DNS response traffic to overwhelm a victim's server.
More information can be found on this site:
http://www.us-cert.gov/ncas/alerts/TA13-088A
Your DNS server probably needs to reply to DNS requests for your domain or its sub-domains,
like www.yoursite.com, mail.yoursite.com, ...
but not to find the ip-address of yahoo.com, for example.
The easiest solution is to disable recursion,
so your server will not try to find the ip-address of domains it doesn't know.
Bind9
Add the following to the global options in /var/named/chroot/etc/named.conf:
    options {
        allow-query-cache { none; };
        recursion no;
    };
Microsoft DNS Server
In the Microsoft DNS console tool:
Right-click the DNS server and click Properties.
Click the Advanced tab.
In Server options, select the Disable recursion check box, and then click OK.
There are other options to limit the (mis)use of your DNS-server.
But this one should stop most of it.
You can test your DNS-server with dig:
    dig yoursite.com @ip-of-dns-server
should give you the ip-address.
    dig yahoo.com @ip-of-dns-server
should respond with a denied request:
    WARNING: recursion requested but not available
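The two dig checks in the answer above can be turned into a repeatable test that an admin runs after restarting named, to confirm recursion is really off. The script below is an added example and not code from the thread: it reads a dig response and reports "open" when the server set the "ra" (recursion available) flag and returned answer records for a name it is not authoritative for, "closed" when the query was refused or no recursion was offered, and "unknown" when no dig header is present (timeout, dig missing). The server address, the names queried and the embedded sample responses are placeholders and constructed data; the live helper check_open_resolver assumes dig is installed and has network access.

```shell
#!/bin/sh
# Added example (not from the thread): decide from dig's output whether a
# server still answers recursive queries. "ip-of-dns-server" and the test
# names are placeholders, as in the answer above.

# classify_dig_output: read one dig response on stdin, print one word:
#   open    - 'ra' (recursion available) flag set and answer records returned,
#             i.e. the server resolved a name it is not authoritative for
#   closed  - no 'ra' flag or no answer (REFUSED, or authoritative-only reply)
#   unknown - no dig header found (timeout, dig not installed, garbage)
classify_dig_output() {
    out=$(cat)
    if ! printf '%s\n' "$out" | grep -q '^;; ->>HEADER<<-'; then
        echo unknown
        return 0
    fi
    # flags line looks like: ";; flags: qr rd ra; QUERY: 1, ANSWER: 1, ..."
    flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p' | sed 1q)
    answers=$(printf '%s\n' "$out" | sed -n 's/.*ANSWER: \([0-9]*\),.*/\1/p' | sed 1q)
    case " $flags " in
        *" ra "*)
            if [ "${answers:-0}" -gt 0 ]; then
                echo open
                return 0
            fi
            ;;
    esac
    echo closed
}

# check_open_resolver SERVER [NAME]: live version of the dig test in the answer.
# Queries a name the server is not authoritative for (yahoo.com by default);
# needs dig and network access, so it is not exercised by the samples below.
check_open_resolver() {
    server=$1
    name=${2:-yahoo.com}
    dig +time=3 +tries=1 "$name" "@$server" 2>/dev/null | classify_dig_output
}

# Constructed sample responses (abbreviated dig output), used for a dry run.
SAMPLE_OPEN=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
yahoo.com.  300 IN A 192.0.2.10'

SAMPLE_CLOSED=';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4243
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available'

# Authoritative answer for the server's own zone: no 'ra', but data returned.
SAMPLE_OWN_ZONE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4244
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
yoursite.com.  3600 IN A 192.0.2.20'

classify_sample() {
    printf '%s\n' "$1" | classify_dig_output
}

echo "open resolver sample:   $(classify_sample "$SAMPLE_OPEN")"
echo "recursion-off sample:   $(classify_sample "$SAMPLE_CLOSED")"
echo "own zone sample:        $(classify_sample "$SAMPLE_OWN_ZONE")"
echo "empty output:           $(printf '' | classify_dig_output)"
```

Run it against the real server with `check_open_resolver ip-of-dns-server` after the named restart; "closed" for yahoo.com together with a normal answer for yoursite.com is the result the answer describes. Checking the "ra" flag rather than only grepping for the WARNING text makes the test hold for resolvers that answer REFUSED without that warning line.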
Re: DNS-server used in DDOS attack
Thanks,
I changed the config file and restarted the named-server