Disable BIND9 Recursive DNS Queries to Prevent UDP DDOS Flood Attacks

Sunday, January 12th, 2014

Turn Off BIND9 Recursion

By default, BIND9 is configured to allow recursive DNS queries.  This allows others to use your DNS server to query other domains on your server's behalf.  Unfortunately, recursive DNS queries can be used to amplify a UDP flood DDOS attack.  As such, for a shared web hosting environment, it is best to disable recursive DNS queries.  You can disable BIND9 recursion easily by running the following script:

cd ~/Downloads
wget -N "http://dinofly.com/files/linux/disable_bind9_recursion.tar.gz"
tar -zxvf disable_bind9_recursion.tar.gz
sudo bash disable_bind9_recursion.sh

It should work on all versions of Linux but has been tested and works perfectly on Ubuntu.  You may need to change the path used for the BIND config file.