Hosting provider warns our DNS server was used in an amplification attack
In DNS amplification an attacker sends small queries with a spoofed source IP to an open recursive resolver, which sends a much larger response to the spoofed address, i.e. the victim. The attacker's own address never appears, so the abuse reports land with whoever runs the resolver. If your server is in that chain, close it to public recursive traffic immediately.
Try this first
1. Restrict the recursive resolver to your own network: in BIND allow-recursion { trusted; }; in Windows DNS the equivalent scope restriction.
2. Disable large EDNS responses to unknown sources, or enable Response Rate Limiting (RRL) on your authoritative server.
3. Set firewall rate-limits on inbound UDP port 53 from the public internet, a few hundred queries per second max.
4. Check with openresolver.com or dnsinspect.com whether your IP is still on a list of open resolvers.
5. Where possible move to a managed Anycast DNS (Cloudflare, NS1) so amplification mitigation is no longer your problem.
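Steps 1 and 2 above in one place, as an added BIND 9 named.conf example that is not part of the original page: the open-resolver configuration is shown commented out beside a locked-down one. The trusted ACL ranges, the zone name and the file paths are placeholders; the rate-limit numbers are conservative starting values, not page recommendations.

```conf
// Added example (not from the original page): BIND 9 named.conf fragment.
// All network ranges, zone names and paths below are placeholders.

// --- BEFORE: open resolver. Anyone on the internet can ask this server to
// recurse, so a spoofed query of a few dozen bytes for a large record
// produces a multi-kilobyte answer addressed to the victim.
//
// options {
//     recursion yes;
//     allow-query     { any; };
//     allow-recursion { any; };   // the dangerous line
// };

// --- AFTER: recursion only for known networks, RRL for everything else.
acl trusted {
    127.0.0.1;
    ::1;
    192.0.2.0/24;       // placeholder: your LAN / customer ranges
    2001:db8::/32;      // placeholder
};

options {
    directory "/var/cache/bind";

    // Step 1: recursion and cache access only from your own networks.
    // Outside clients asking for a name you are not authoritative for get REFUSED.
    recursion yes;
    allow-recursion   { trusted; };
    allow-query-cache { trusted; };

    // Authoritative answers for the zones below may still be served to anyone.
    allow-query { any; };

    // Step 2: Response Rate Limiting. Identical responses to one IPv4 /24
    // or IPv6 /56 are capped at 5 per second; every second excess response
    // (slip 2) is a small truncated (TC) reply, so a real client retries over
    // TCP, which a spoofed source cannot complete, while the rest is dropped.
    rate-limit {
        responses-per-second 5;
        window 5;
        slip 2;
        ipv4-prefix-length 24;
        ipv6-prefix-length 56;
        log-only no;    // set to "yes" first to watch what would be limited
    };

    // Keep UDP answers small so even permitted responses amplify less;
    // anything larger falls back to TCP.
    max-udp-size 1232;
};

// Placeholder authoritative zone: the server still has a job after
// recursion is restricted.
zone "example.com" {
    type primary;
    file "/etc/bind/db.example.com";
};
```

Run named-checkconf before reloading, then confirm from an address outside the trusted ACL that a recursive query for a foreign name returns REFUSED and that the RA (recursion available) flag is no longer set in answers. The firewall rate limit from step 3 lives outside BIND (for example nftables limit rate or iptables hashlimit on UDP/53) and catches the query flood before named spends any work on it.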
When to bring us in
If you are a target or source of DNS abuse and abuse emails keep coming, we can help lock down the resolver and clean up the relationship with hosting.
See also
- Domain expires tomorrow and nobody saw the email: An expired domain doesn't transfer instantly. There's a redemption window, but you pay extra.
- Unsure whether to enable auto-renew: Disabling auto-renew only makes sense for domains you'll truly drop. For anything live, just keep it on.
- New registrar asks for auth code, can't find it: The EPP code (also called auth code or transfer code) is the password to move a domain from registrar A to B.
None of the above fits?
Describe your situation below. We pass your input plus the steps you already saw to our AI and return tailored next-step advice. If it's too risky to DIY, we'll say so.
Or skip the DIY entirely
Our Managed IT clients do not look these things up. One point of contact, a fixed monthly price, resolved within working hours.