Turning off bind named recursion on a CentOS server and so avoiding an open resolver

Turning off recursion in Bind is incredibly tricky across RedHat versus Ubuntu distributions. The reason for this is there are so many directories and configuration files to keep track off. Furthermore some of these configuration files include other configuration files so you end up having to browse and scan multiple files to get to a basic setting.

This article is about finding Bind settings on an older CentOS 7 server. After many years of this server running it was found via top that named was consuming 1 to 2 to 3 GB of RAM. The entire machine which is a LAMP server was falling over:

Tasks: 192 total, 3 running, 189 sleeping, 0 stopped, 0 zombie
%Cpu(s): 5.9 us, 5.9 sy, 0.0 ni, 82.4 id, 0.0 wa, 0.0 hi, 3.9 si, 2.0 st
KiB Mem : 6109156 total, 1456248 free, 2567376 used, 2085532 buff/cache
KiB Swap: 8388604 total, 5303172 free, 3085432 used. 2528620 avail Mem

13040 ...
23619 named 20 0 1573564 1.0g 2496 S 12.5 18.0 226:02.57 named

Here are some of the directories to keep track of:

/var/named (lots of .hosts files)

/etc/named (empty)

/var/named/data (log files of /var/log/messages on bind showing hug log file growing

/etc/ (named.conf and other named. files)

Now where is this illusive recursion setting?

Finding the recursion setting wasn’t that hard:

// named.conf
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
// See /usr/share/doc/bind*/sample/ for example named configuration files.
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {
   listen-on port 53 {

listen-on-v6 port 53 {

directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file  "/var/named/data/named.recursing";
secroots-file   "/var/named/data/named.secroots";
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
- If your recursive DNS server has a public IP address, you MUST enable access
   control to limit queries to your legitimate users. Failing to do so will
   cause your server to become part of large scale DNS amplification
   attacks. Implementing BCP38 within your network would greatly
   reduce such attack surface

recursion yes;
Spoiler alert: Having recursion yes might only mean that your /24 can resolve the names, not the world.

One we have found it, and since this is actually an authoritative server, we need to:

  1. Find a good script / public service to show us it’s open
  2. Close it
  3. Make sure authoritative checking still works

Bash Open Resolver Tester


if [ "$#" -ne 1 ]; then
   echo "Usage: $0 <IP_prefix>"
   exit 1


for i in {40..254}; do

# Use dig to query cnn.com against the DNS resolver
result=$(dig +timeout=${timeout_value} +short @${ip} cnn.com)

# Check if the result times out or is empty
if [[ "$result" =~ "connection timed out" || -z "$result" ]]; then
   echo "Not an open resolver ${ip}";
   echo "Open resolver: ${ip}"





Share this article

Leave a Reply

Your email address will not be published. Required fields are marked *

Scroll to Top