Resolved Open DNS resolver in Plesk opens up for reflection attacks?

[andreios]

I live in Germany and got an mail today from the "Bundesamt für Sicherheit in der Informationstechnik (BSI)" stating that my IP servers an open DNS resolver and I should fix this issue because this can be used for reflection attacks.
In named.conf I see this in the options section:

options {
        allow-recursion {
                any;
        };
                listen-on-v6 { any; };
        version "none";
        directory "/var";
        auth-nxdomain no;
        pid-file "/var/run/named/named.pid";
};

Is allow-recusion for all addresses really needed?

And how do I modify the options section in the right way?

Plesk Help Center

support.plesk.com

When I understand right according to this article I just have to add in options setting:

hostname none;

And in this way I can override and set any options in the options section and it won't be removed by Plesk?

And what are the best settings to prevent reflection attacks?

My Bind Version:
BIND 9.16.1-Ubuntu (Stable Release)
Ubuntu 20.04.2 LTS

 

[andreios]

I found posts even from 2006 where this issue is already stated. But I couldn't find any official looking answer from Plesk for this.
How is it possible that Plesk has no interests in solving this issue for such a long period oft time?

named.conf / BIND configuration insecure by default

Hi, I think Plesk's named.conf config should be more secure !!! It doesn't close recursive DNS by default .. so BIND is running as an open-DNS server. This makes it very vulnerable to be used in DDOS attacks. So there should be a 'recursion no;' in named.conf's 'options' directive...

talk.plesk.com

 

[andreios]

As I could find the answer inside this forum, I may found the answer here.

Configuring DNS Server-wide Settings

Configuring the Recursive DNS Plesk allows you to configure its DNS server to provide the recursive service for quer...

docs.plesk.com