An open DNS resolver is a DNS server that responds to recursive DNS queries from any IP address on the internet. Open DNS resolvers are abused for conducting DDoS reflection/amplification attacks against third parties on a daily basis.

To overcome this problem, this article presents how to disable open DNS resolvers on Windows (and only allow resolving for specific IPs), by following the actions below.

1. Disable the DNS Recursion on your server

• Log in to your server and open the “DNS Manager”.

• Right-click on the preferred DNS server and select “Properties”.

• Select the “Advanced” tab and check the “Disable recursion” box in “Server options”.

• Click “Apply” and “OK”.

2. Block external DNS requests using a built-in Windows Firewall.

Because Windows DNS does not allow you to limit the addresses to which recursive DNS requests are answered, Microsoft recommends this solution.

• Log in to your server and open the Windows Firewall with Advanced Security.

• Select the “Inbound Rules”.

• Select the “DNS rules (TCP and UDP)”, and add the following IP addresses in the “Remote IP address” column:

• 127.0.0.1
• Any public IP address assigned to your server.
• Any internal IP address assigned to your server (if you are using an internal network).