I received a ticket stating that one of my Linodes is running an Open DNS Resolver. What does this mean, and what should I do about it?

I received an Open Resolver Notification ticket, but I'm not sure how to fix this.

1 Reply

Receiving this ticket means that we have either detected or received a report that your Linode is recursively resolving DNS requests for the public internet.

The main issue here is that this type of configuration allows your Linode to be used in DNS amplification attacks, since anyone can use it to resolve recursive DNS queries. We recommend reading more about DNS amplification attacks at the following links:

You can use a tool like nmap or dig, or a website like openresolver.com to check if your Linode is allowing recursive DNS lookups:

To resolve this issue, you should disable DNS recursion or limit recursive lookups to trusted addresses only so that your server cannot be abused. For example, if you are running BIND 9, you can adjust your global named.conf file to contain the following options:

    options {
            recursion no;
            additional-from-cache no;
            allow-query { none; };
    };

This will disable recursive lookups. If you need to allow recursive lookups, you should configure ACLs for trusted addresses in your named.conf.options file like so, substituting the addresses as needed:

    acl authorized {
            192.168.1.0/24;
            192.168.0.0/24;
            192.168.2.112/32;
            localhost;
    };

Then, adjust your named.conf file to only allow queries from the addresses in your ACLs:

    options {
            recursion yes;
            additional-from-cache no;
            allow-query { authorized; };
    };

Finally, you should restart the BIND service to pull in the changes, e.g.:

    sudo systemctl restart bind9
