Unfortunately, an open resolver can become an easy target to attackers. For example, attackers can initiate a Denial of Service (DoS) or even worse, a Distributed Denial of Service (DDoS) attack on the open DNS server. These attacks can also be combined with IP spoofing, where all the reply packets will be directed to a victim’s spoofed IP address. In another attack scenario called DNS amplification attacks, an open DNS server can actively participate in the attacks.

According to openresolverproject.org, it is not advisable to run an open resolver unless necessary. Most companies keep their DNS servers accessible to only their customers. This tutorial will focus on how to configure a DNS server so that it stops being an open resolver and responds only to valid customers.