How to configure your DNS server to prevent hackers from using it to attack the network

Test your server

You can test your server by entering your IP on this page: https://us.ovh.com/us/cgi-bin/tools/dns_security.cgi

Protect your server


If you are using BIND

Please edit the named.conf configuration file, which is generally found in one of these locations:

/etc/bind/named.conf
/etc/named.conf
/var/chroot/named/etc/named.conf

Add the following line to the beginning of the file:
acl "trusted" { 127.0.0.1; ::1; };
Next, modify the "options" section.
If no such section exists, it may be in a separate file, usually one of:

/etc/bind/named.conf.options
/etc/named.conf.options
/var/chroot/named/etc/named.conf.options

Once found, add the following line to the "options" section:
allow-recursion { trusted; };
Once the changes are made, the result looks like this, for example:
acl "trusted" { 127.0.0.1; ::1; };
options {
directory "/etc/namedb";
allow-recursion { trusted; };
};
You will have to reload BIND (or restart it) so that the new configuration is applied.

The command depends on your distribution:

/etc/init.d/bind restart
/etc/init.d/named restart
To make sure that your configuration is now correct, relaunch the test via the URL at the start of this guide.
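The OVH test page checks the same thing you can check yourself: whether your server answers a recursive query for a name it is not authoritative for. The script below is an added example, not code from OVH or from this guide. It builds a minimal DNS query with the RD (recursion desired) bit set, sends it to the server you name (assumed to be your own host; the probe name "example.com" is an arbitrary choice), and classifies the reply from the header flags: RA set with a NOERROR answer means the server recursed for an arbitrary client (open resolver), REFUSED is what the allow-recursion change above produces for untrusted clients, and no reply at all is what you get once listen-on is restricted to loopback.

```python
import random
import socket
import struct

QTYPE_A = 1
QCLASS_IN = 1


def build_query(name, txid):
    """Encode a standard query for name/A with only the RD bit set."""
    flags = 0x0100  # QR=0 (query), opcode 0, RD=1
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def parse_header(data):
    """Decode the 12-byte DNS header into the fields the check needs."""
    if len(data) < 12:
        raise ValueError("short DNS message")
    txid, flags, qdcount, ancount, _nscount, _arcount = struct.unpack("!HHHHHH", data[:12])
    return {
        "txid": txid,
        "qr": (flags >> 15) & 1,   # 1 = response
        "rd": (flags >> 8) & 1,    # echoed from our query
        "ra": (flags >> 7) & 1,    # server is willing to recurse for us
        "rcode": flags & 0xF,      # 0 = NOERROR, 5 = REFUSED
        "qdcount": qdcount,
        "ancount": ancount,
    }


def classify(header, expected_txid):
    """Open resolver = the server recursed for us (RA set, NOERROR, answers present)."""
    if header["txid"] != expected_txid or header["qr"] != 1:
        return "invalid"
    if header["rcode"] == 5:
        return "refused"        # allow-recursion denied this client: the goal of the guide
    if header["ra"] == 1 and header["rcode"] == 0 and header["ancount"] > 0:
        return "open"           # recursion performed for an arbitrary client
    return "not-recursive"      # e.g. RA=0, or no answer section


def probe(server, name="example.com", timeout=3.0):
    """Send one recursive query to your own server and classify the reply."""
    txid = random.randint(0, 0xFFFF)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (server, 53))
        try:
            data, _ = sock.recvfrom(512)
        except socket.timeout:
            return "no-response"  # e.g. listen-on restricted to loopback
    return classify(parse_header(data), txid)


if __name__ == "__main__":
    import sys
    # Usage: python probe.py <ip-of-your-dns-server>
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"))
```

Run it from a host that is not in the "trusted" ACL (any machine other than the server itself) to see what an outside client sees; from the server's own loopback you will of course still get "open", which is exactly the intended behaviour for trusted clients.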
If you are using a very old version of BIND (such as BIND 8.x), these modifications will not be enough to secure your DNS server. In that case, please read the following section.

If you are using an old version of BIND

If you do not use your DNS server as an authoritative DNS for your domain zones, you can modify the configuration so that it listens only on the loopback addresses and not on your server's public IP:
options {
listen-on { 127.0.0.1; };
listen-on-v6 { ::1; };
};
Then restart BIND.

If you do use your DNS server as an authoritative DNS, and you have the following lines in one of the BIND configuration files:
zone "." {
type hint;
file "/etc/bind/db.root";
};
They must be disabled, as below:
/*
zone "." {
type hint;
file "/etc/bind/db.root";
};
*/
Then restart BIND. You must then use the OVH cache DNS infrastructure (213.186.33.99) instead of your own DNS server to resolve recursive requests. This change is made in /etc/resolv.conf.
The file should contain this single line:
nameserver 213.186.33.99
You can then retest the configuration via the URL at the start of this guide.
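Before reloading, it helps to confirm that the file you edited actually contains the settings the two BIND sections above describe: an allow-recursion restricted to a trusted ACL, listen-on limited to loopback where that route was taken, and no active root-hint zone once recursion has been handed off to the OVH cache. The checker below is an added example written for this page, not an OVH or ISC tool; the three configurations it is run on are constructed samples, and the parser is deliberately minimal (it handles comments, nested braces and the directives discussed here, not the full named.conf grammar).

```python
import re

# Constructed sample configurations (not taken from any real server).
WEAK_CONF = """
options {
    directory "/etc/namedb";
};
zone "." {
    type hint;
    file "/etc/bind/db.root";
};
"""

HARDENED_CONF = """
acl "trusted" { 127.0.0.1; ::1; };
options {
    directory "/etc/namedb";
    allow-recursion { trusted; };
};
/*
zone "." {
    type hint;
    file "/etc/bind/db.root";
};
*/
"""

LOOPBACK_CONF = """
options {
    listen-on { 127.0.0.1; };
    listen-on-v6 { ::1; };
};
"""


def strip_comments(text):
    """Remove the C-style, C++-style and shell-style comments named.conf allows."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def top_block(text, keyword):
    """Return the body of the first `keyword [arg] { ... }` block, honouring nesting."""
    m = re.search(r"\b" + keyword + r"\b[^{;]*\{", text)
    if not m:
        return None
    depth, start = 0, m.end()
    for i in range(m.end() - 1, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start:i]
    return None


def audit(conf):
    """Report how a named.conf text stands on the settings this guide discusses."""
    text = strip_comments(conf)
    opts = top_block(text, "options") or ""
    findings = []

    # 1. Who is allowed to send recursive queries?
    allow = re.search(r"allow-recursion\s*\{([^}]*)\}", opts)
    if re.search(r"\brecursion\s+no\s*;", opts):
        recursion = "disabled"
    elif allow is None:
        recursion = "unrestricted"
        findings.append("options has no allow-recursion; recursion is not explicitly restricted")
    elif re.search(r"\bany\b", allow.group(1)):
        recursion = "unrestricted"
        findings.append("allow-recursion { any; } lets every client recurse")
    else:
        recursion = "restricted"

    # 2. Is an active root-hint zone present (what the old-BIND section comments out)?
    root = re.search(r'zone\s+"\."\s*\{([^}]*)\}', text)
    root_hints = bool(root and re.search(r"\btype\s+hint\b", root.group(1)))
    if root_hints and recursion == "unrestricted":
        findings.append('zone "." of type hint is active while recursion is unrestricted')

    # 3. Does the server listen only on loopback?
    listens = re.findall(r"listen-on(?:-v6)?\s*(?:port\s+\d+\s*)?\{([^}]*)\}", opts)
    loopback_only = bool(listens) and all(
        {a.strip() for a in body.split(";") if a.strip()} <= {"127.0.0.1", "::1"}
        for body in listens
    )

    return {
        "recursion": recursion,
        "root_hints": root_hints,
        "loopback_only": loopback_only,
        # Publicly reachable open recursion is the condition the guide exists to remove.
        "public_exposure": recursion == "unrestricted" and not loopback_only,
        "findings": findings,
    }


if __name__ == "__main__":
    import sys
    # Usage: python audit_named.py /etc/bind/named.conf [more files...]
    for path in sys.argv[1:] or []:
        with open(path) as fh:
            print(path, audit(fh.read()))
```

Because BIND splits its configuration across included files, concatenate named.conf with named.conf.options (and any other include) before auditing, or the options block will not be found.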

If you use Windows

You will find information on the Microsoft website:
http://technet.microsoft.com/en-us/library/cc770432.aspx

NB - if you host the DNS zones of your domain names AND you want to use your own cache DNS server, you must run two separate DNS server instances so that the cache server does not respond to public queries.

If you do not host the DNS zones of your server

and you are not sure of your configuration, you can deactivate the DNS service and use the OVH cache DNS infrastructure instead: 213.186.33.99