≡ Menu

Find Out: BIND DNS Server Resolver is Open Recursion or Not

How do I test that my BIND dns server is not acting as Open resolvers? How do I test if server is acting as open resolver for abusing the large DNS queries?

A open dns resolver provides name resolution to any clients outside of its LAN / WAN or authoritative domains. Open DNS resolvers are a bad as they are usually involved in attacking DDoS attacks, spoofing, DNS cache poisoning, and much more. It allows eats your network resources and bandwidth. Run the following command to test your BIND DNS (or any other DNS software) server for open recursion:
dig test.example.com @your.ns1.example.net
OR
host test.example.com your.ns1.example.net
In this example, find out if ns1.dnsknowledge.com BIND server for open recursion or not:
dig yahoo.com @ns1.dnsknowledge.com
Sample outputs:

; <<>> DiG 9.7.0-P1 <<>> yahoo.com @ns1.dnsknowledge.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 45893
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;yahoo.com.			IN	A
;; Query time: 305 msec
;; SERVER: 67.228.254.4#53(67.228.254.4)
;; WHEN: Mon Apr 18 23:01:45 2011
;; MSG SIZE  rcvd: 27

The same test using the host command:
host www.yahoo.com ns1.dnsknowledge.com
Sample outputs:

Using domain server:
Name: ns1.dnsknowledge.com
Address: 67.228.254.4#53
Aliases:
Host yahoo.com not found: 5(REFUSED)
{ 0 comments… add one }
Seurity: Are you a robot or human?

Leave a Comment