ZoneCheck

This is a quick test to determine whether a DNS server is an open resolver.

DNS servers must only ever answer queries for domains they are authoritative for, and for local IP ranges; they must never answer for third parties.
The dangers of not doing so are many and serious, including DDoS attacks.


Enter a DNS Server Address (hostname or IP)
* Names default to IPv4
 


Securing DNS Examples

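Securing BIND is as easy as adding an ACL and permitting it in named.conf:
// Networks that may use this server as a resolver
acl "trust" { localhost; 10.100.100.0/24; 2001:ffff:ffff:ffff::/64; };

options {
        ...
        // Answer queries, and serve cached answers, only for the trusted ACL
        allow-query { trust; };
        allow-query-cache { trust; };
        ...
};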

Securing Unbound is as easy as adding access-control statements in unbound.conf:
server:
        # Refuse all IPv4 clients, then allow the trusted networks
        access-control: 0.0.0.0/0 refuse
        access-control: 10.100.100.0/24 allow
        access-control: 2001:ffff:ffff:ffff::/64 allow
        ...
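
To confirm that the ACLs above took effect, an open-resolver check of the kind this page offers can be run against your own server from a host outside the trusted ranges. The Python below is an added example, not ZoneCheck's code; the function names, the `example.com` query name and the rule that RA=1 with NOERROR/NXDOMAIN counts as "open" are assumptions of this example.

```python
import socket
import struct

QR_FLAG = 0x8000   # message is a response
RD_FLAG = 0x0100   # Recursion Desired (set by the client)
RA_FLAG = 0x0080   # Recursion Available (set by the server)
REFUSED = 5


def build_query(name, txid=0x1234, qtype=1):
    """Build a recursive (RD=1) query for `name`; type A, class IN."""
    header = struct.pack("!HHHHHH", txid, RD_FLAG, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def classify_response(data, txid=0x1234):
    """Classify the reply to a recursive query for a third-party name."""
    if len(data) < 12:
        return "malformed"
    rid, flags, _qd, _an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or not flags & QR_FLAG:
        return "malformed"
    rcode = flags & 0x000F
    if rcode == REFUSED:
        return "refused"        # what the ACLs above should produce
    if flags & RA_FLAG and rcode in (0, 3):
        # Assumption: RA=1 with NOERROR/NXDOMAIN means recursion was done
        return "open"
    return "closed"             # RA=0 or an error: no recursion offered


def probe(server, name="example.com", timeout=3.0):
    """Send one UDP query to port 53 of a server you administer."""
    family, _, _, _, addr = socket.getaddrinfo(
        server, 53, type=socket.SOCK_DGRAM)[0]
    with socket.socket(family, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name), addr)
            return classify_response(s.recv(4096))
        except socket.timeout:
            return "no-answer"  # query dropped; not answering outsiders
```

A result of "refused" or "no-answer" from an untrusted address, together with normal resolution from inside 10.100.100.0/24, indicates the ACL is working as intended.
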
Copyright © Noel Butler 1994-2019. All Rights Reserved.