An open DNS server is a DNS server which is willing to resolve recursive DNS queries for anyone on the Internet.
When a DNS server resolves a recursive DNS query, it tracks down information about a domain name hosted on some other DNS server somewhere else on the Internet (a recursive process involving several other DNS servers in the DNS hierarchy).
Running a DNS service that listens on UDP is not bad on its own; it is often installed as a required dependency when a system is set up. Unfortunately, hackers have also found open resolvers useful for performing a special type of DDoS attack called a 'DNS Amplification Attack'.
The attacker sends a packet apparently from the intended victim to some server on the Internet that will reply immediately. Because the source IP address is forged, the remote Internet server replies and sends data to the victim.
That has two effects: the actual source of the attack is hidden and is very hard to trace, and, if many Internet servers are used, an attack can consist of an overwhelming number of packets hitting a victim from all over the world.
Such a reflection attack becomes really powerful when it is also amplified: a small forged packet elicits a large reply from the server (or servers). In that case, an attacker can send a small packet "from" a forged source IP address and have the server (or servers) send large replies to the victim.
Amplification attacks like that result in an attacker turning a small amount of bandwidth coming from a small number of machines into a massive traffic load hitting a victim from around the Internet.
In most cases the computer has a DNS service installed as a dependency, because name resolution is needed on that computer itself. However, it is only required to do local resolving, so the added 'external access' to this service is unneeded. In such cases we recommend either changing the configuration of your DNS service or firewalling port 53 for external hosts.
If you are running a DNS resolver for multiple computers, consider limiting access to the required group of computers, or implement safeguards like 'Response Rate Limiting' (DNS RRL) so that your server cannot be used in a DNS Amplification Attack.
To block incoming remote requests you will need to filter UDP port 53. Your service might also be listening on TCP port 53, but only the UDP service is used in DNS Amplification Attacks.
For BIND 9.x authoritative servers, apply the following global options:
    options {
        recursion no;
        additional-from-cache no;   # removed in BIND 9.12 and later; omit the line on those versions
    };

If the same server must still recurse for a trusted set of clients, restrict recursion with an ACL and a view instead:

    # example only, replace 192.0.2.0/24 with a list of your CIDR blocks
    acl "trusted" { 192.0.2.0/24; };

    options {
        recursion no;
        additional-from-cache no;
        allow-query { none; };
    };

    view "trusted" in {
        match-clients { trusted; };
        allow-query { trusted; };
        recursion yes;
        additional-from-cache yes;
    };
    # once views are used, every zone statement must be placed inside a view;
    # clients outside the "trusted" ACL match no view and receive REFUSED
Please see the following Microsoft TechNet examples:
Disabling recursion on Windows Server 2008 R2 systems
Disabling recursion on older Windows Server systems
Acting as a non-recursive forwarder (See the "Notes" section under the "Using the Windows interface" instructions)