
If I were to create a DNS server hosted at my home, so that I can use it for my VPS servers, am I creating any security threat that can be abused by unknown clients from around the globe?

TL;DR: If I set up a DNS server, is it safe to open port 53 to the internet?

Bumba laga
  • Not an answer to your question (it has been perfectly answered already), but an additional comment: you can have your server assessed by the Shadowserver Foundation: https://dnsscan.shadowserver.org/ . They will send you reports containing the amplification threat of your server. – Shlublu Sep 29 '17 at 20:03

2 Answers


There are some attack methods (especially DoS/DDoS) that use DNS servers, such as DrDoS and DNS amplification, but there are also ways to strengthen your DNS server and the connection between the server and your VPSs.

  • DNSCrypt is one of them (and I highly suggest you use it by default); it is used especially for preventing DNS spoofing.
  • Also, I suggest you install and configure a good firewall on your server (Windows Firewall on Windows and ufw on Linux can be used) which allows only your VPS IP addresses to access your DNS server; other incoming traffic should be denied by default. If you want others besides your VPS servers to be able to send DNS requests, you may use the Limit option to set limits that prevent excessive traffic.
  • IPS and IDS applications/programs can also be used to detect and prevent some attack vectors, but they mostly require a little technical knowledge: Snort, Suricata and Bro IDS.
  • Finally, you may want to use a log management and monitoring system (there are dozens of log management and monitoring systems available, both open source and paid ones).

Note: Here are some readings you may use to develop your understanding of DNS server security practices:

  1. https://technet.microsoft.com/en-us/library/cc770432(v=ws.11).aspx
  2. https://www.sans.org/reading-room/whitepapers/dns/security-issues-dns-1069
  3. https://www.cisco.com/c/en/us/about/security-center/dns-best-practices.html
  4. What can and can't a malicious DNS do?
  5. Listing of DNS vulnerabilities
  6. https://insights.sei.cmu.edu/sei_blog/2017/02/six-best-practices-for-securing-a-robust-domain-name-system-dns-infrastructure.html
JackSparrow

An improperly configured DNS server can be used inside a DNS amplification attack to attack other systems. Apart from that, the DNS server itself might have security problems which can, for example, be used for code execution and from there to attack your internal network. See for example the list of CVEs for BIND, one of the major DNS server implementations.

Steffen Ullrich
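Both answers come down to the same operational checks: only your VPS addresses should be talking to the resolver, anyone else should be rate limited or dropped, and queries for large record types (ANY, TXT, DNSKEY) from arbitrary sources are the signature of an amplification abuse attempt. The script below is an added example, not code from either answer or from any DNS server project: it audits BIND 9 style query-log lines against a VPS allowlist, flags amplification-prone query types from non-allowlisted clients, and reports sources that exceed a per-second query threshold. The allowlisted networks (203.0.113.0/24, 2001:db8::/32), the threshold of 10 queries per second and the log lines themselves are constructed for the demonstration; the log format follows BIND's `query` logging category, with the optional `@0x...` client pointer newer versions print.

```python
"""Audit a DNS query log for unauthorized clients and amplification abuse.

Added example, not from the original answers. Assumes BIND 9 'query' log
lines; the allowlist, threshold and sample log below are constructed.
"""
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed allowlist: the VPS networks that are the only intended clients.
ALLOWED_NETS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8::/32"),
]

# Record types whose answers are large relative to the query; an open
# resolver answering these for arbitrary clients is an amplification source.
AMPLIFIER_QTYPES = {"ANY", "TXT", "DNSKEY", "RRSIG"}

# Constructed threshold: queries per second from one source above which the
# traffic is treated as abusive (what a firewall "limit" rule would stop).
RATE_LIMIT_QPS = 10

# BIND 9 query log line, e.g.
# 29-Sep-2017 20:03:01.123 client 198.51.100.7#53123 (isc.org): query: isc.org IN ANY +E (192.0.2.53)
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ "
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ "
    r"\((?P<qname>[^)]*)\): query: (?P<name>\S+) (?P<class>\S+) (?P<qtype>\S+)"
)


def parse_line(line):
    """Parse one query-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S"),
        "ip": ipaddress.ip_address(m["ip"]),
        "name": m["name"],
        "qtype": m["qtype"].upper(),
    }


def is_allowed(ip):
    """True if the client address falls inside one of the allowlisted VPS networks."""
    return any(ip in net for net in ALLOWED_NETS)


def audit(lines):
    """Classify every query and summarise allowlist, amplification and rate findings."""
    report = {"allowed": 0, "unauthorized": [], "amplification": [],
              "rate_exceeded": {}, "unparsed": 0}
    per_second = defaultdict(Counter)  # source ip -> Counter(second -> queries)
    for line in lines:
        q = parse_line(line)
        if q is None:
            report["unparsed"] += 1
            continue
        src = str(q["ip"])
        per_second[src][q["ts"]] += 1  # ts has second granularity (fraction dropped)
        if is_allowed(q["ip"]):
            report["allowed"] += 1
            continue
        report["unauthorized"].append((src, q["name"], q["qtype"]))
        if q["qtype"] in AMPLIFIER_QTYPES:
            report["amplification"].append((src, q["name"], q["qtype"]))
    for src, buckets in per_second.items():
        peak = max(buckets.values())
        if peak > RATE_LIMIT_QPS:
            report["rate_exceeded"][src] = peak
    return report


# Constructed sample: two legitimate VPS lookups, one non-matching line, and a
# burst of ANY queries from an outside address within the same second.
SAMPLE_LOG = [
    "29-Sep-2017 20:03:01.101 client 203.0.113.10#41000 (example.com): query: example.com IN A +E (192.0.2.53)",
    "29-Sep-2017 20:03:01.202 client 203.0.113.11#41001 (example.com): query: example.com IN AAAA +E (192.0.2.53)",
    "this line is not a query log entry",
] + [
    f"29-Sep-2017 20:03:05.{i:03d} client 198.51.100.7#{50000 + i} (isc.org): query: isc.org IN ANY +E (192.0.2.53)"
    for i in range(12)
]

if __name__ == "__main__":
    result = audit(SAMPLE_LOG)
    print(f"allowed queries:        {result['allowed']}")
    print(f"unparsed lines:         {result['unparsed']}")
    print(f"unauthorized queries:   {len(result['unauthorized'])}")
    print(f"amplification attempts: {len(result['amplification'])}")
    for src, peak in result["rate_exceeded"].items():
        print(f"rate exceeded: {src} peaked at {peak} q/s (limit {RATE_LIMIT_QPS})")
```

Run it against a real log by replacing `SAMPLE_LOG` with the lines of the server's query log; any entry in `unauthorized` means the firewall allowlist from the first answer is not doing its job, and a non-empty `amplification` list with a `rate_exceeded` entry for the same source is the pattern the second answer warns about. The audit deliberately flags amplification-prone types only from non-allowlisted clients, since your own VPSs legitimately issuing TXT or DNSKEY lookups is not abuse.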