Check DNS Server for Security against Amplification Attacks

Please Note:

The text on this page was translated by translation software. A revised version from our editors will be available soon.

For Server-products with administration rights

This is how you find out whether third parties could use or misuse your server for a DNS amplification attack.

You can find out whether the current setting is incorrect by having your server resolve a host name. If the resolution succeeds, you should adjust your server configuration. If the name resolution fails, you do not have to do anything else.

Please note: For the test to be meaningful, it must not take place on the server itself. Instead, use a computer with a regular Internet connection (DSL, cable, etc.) - for example your home PC.

Checking under Windows

On Windows operating systems, please proceed as follows:

Step 1

Press the Windows key + R.

Step 2

Type cmd and press Enter.

step 3

Enter the command nslookup www.ionos.ca [IP address of your root server] and confirm your entry with Enter.

An example:

nslookup www.ionos.ca 123.123.12.123 
Step 4

Now get an output similar to

NoNon-authoritative answer:
Name: www.ionos.ca
Address: 212.227.17.105

this means that your server responds to the request and is vulnerable to amplification attacks. In such a case you should adjust your DNS configuration as described under this link.

Step 5

If the output is similar to

*** Unknown can't find www.ionos.ca: Query refused

or only one (or more) timeout(s) are reported to you, you do not have to do anything else.

Testing under Linux or Mac OS

Step 1

Open a terminal (console).

Step 2

Enter the command host www.ionos.ca [IP address of your root server], for example

host www.ionos.ca 123.123.12.123 
step 3

Get an output similar to

>www.ionos.ca has address 212.227.17.105

this means that your server responds to the request and is vulnerable to amplification attacks. In such a case you should adjust your DNS configuration as described under this link.

Step 4

However, get an output similar to

Host www.ionos.ca not found: 5(REFUSED) 

you don't have to do anything else, because your DNS refuses to answer the request.