Understanding and Securing Open DNS and NTP Resolvers
Welcome to our guide on open DNS and NTP resolvers
If your router or network device has been flagged as having an open resolver, it could be at risk of being exploited by cybercriminals for attacks like DDoS (Distributed Denial of Service).
Don't worry—we're here to help you understand the issue and secure your setup step by step. As a Vox customer, you can use our free scanning tools to check your network before and after making changes. This ensures everything is fixed properly.
Quick Glossary of Key Terms
We've kept things simple, but here are some acronyms you might see:
ACL (Access Control List): A set of rules on your router or firewall that decides what network traffic is allowed or blocked, based on things like IP addresses or ports. It's like a bouncer at a club door.
VIP (Virtual IP Address): An IP address that's not tied to one specific device. It's often used in setups like port forwarding to direct traffic from the internet to a device inside your network.
NAT (Network Address Translation): A way for multiple devices on your home or office network to share one public internet IP address. It keeps your internal devices hidden and secure.
What is an Open DNS Resolver and How to Secure It
An open DNS resolver is like an unsecured phone book for the internet—anyone can query it to look up website addresses, which can be abused to overwhelm websites in attacks. If our scan identified your router as one, here's how to fix it safely:
Disable DNS Recursion: Stop your router from answering DNS questions from outside your network. Limit it to only handle requests from your own devices (internal networks).
Set Access Controls (ACLs): Restrict who can use your DNS service. Only allow trusted IP addresses, like those from your home or office network.
Update Firewall Rules: Block incoming DNS traffic on port 53 from the internet, unless you've specifically approved it.
Disable Unused DNS Services: If you don't need the DNS feature on your router, turn it off completely. Or, set it to only work internally.
Keep Router Firmware Updated: Check for and install the latest updates from your router manufacturer. These often include security fixes.
Disable NAT/VIP Statements: Remove any rules that forward port 53 traffic from the internet to an internal device.
If you're unsure about any step, contact our Vox support desk—they'll guide you through it.
What is an Open NTP Resolver and How to Secure It
NTP stands for Network Time Protocol, which keeps clocks in sync across devices. An open NTP resolver means anyone on the internet can query your device for time info, which attackers can amplify into massive DDoS attacks.
If our scan flagged this, follow these steps:
Restrict NTP Access: Limit queries to your internal or trusted networks only. Block all external requests that aren't from your organization.
Disable NTP Monlist / Control Queries: Turn off advanced features like "monlist" or "ntpdc" queries, as these are common targets for abuse.
Set Access Controls (ACLs): Use rules on your router or firewall to control access to UDP port 123 (the NTP port) from outside networks.
Update Firewall Rules: Block NTP traffic on UDP port 123 to and from untrusted sources. Only sync with reliable, approved NTP servers (like those from pool.ntp.org).
Disable Unused NTP Services: If your router doesn't need NTP (e.g., if another device handles time sync), shut it down entirely.
Keep Router Firmware Updated: Regularly apply firmware updates to patch vulnerabilities, including NTP-related ones.
Disable NAT/VIP Statements: Look for and remove any forwarding rules exposing UDP port 123 to the internet. Restrict them to internal use.
As always, our Vox support team is ready to assist if needed.
How to Check and Validate Your Fixes with Our Tools
We make it easy to verify your network's security:
Before Fixing: Use our free online scanner at https://as11845.tech/openresolvercheck. Enter your public IP or run the tool directly to detect open resolvers.
After Fixing: Run the same scan again to confirm the issues are resolved. You'll get a clear report showing "All Clear" for DNS and NTP.
Why it matters: This before-and-after validation ensures no vulnerabilities remain and gives you peace of mind.
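As an added self-check that is not part of Vox's scanner or this guide, the Python below sends the same kind of plain queries a scanner would to a device you own (a standard recursive DNS query on port 53 and an ordinary NTP client packet on port 123) and reads the reply flags; the sample DNS reply bytes are constructed for illustration, not captured from any real device.

```python
import socket
import struct

DNS_PORT, NTP_PORT = 53, 123
TXID = 0x1234  # fixed transaction id so the constructed sample reply below matches

def build_dns_query(name):
    """Standard A query for `name` with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", TXID, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_dns_header(reply):
    """Pull the fields an open-resolver check needs out of the 12-byte DNS header."""
    if len(reply) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    if txid != TXID:
        raise ValueError("transaction id mismatch")
    return {"qr": bool(flags & 0x8000), "ra": bool(flags & 0x0080),
            "rcode": flags & 0x000F, "answers": ancount}

def is_open_dns_resolver(hdr):
    """True when the device recursed for a stranger: RA set, NOERROR, answers present."""
    return hdr["qr"] and hdr["ra"] and hdr["rcode"] == 0 and hdr["answers"] > 0

def build_ntp_request():
    """Plain NTPv3 client packet (LI=0, VN=3, mode=3); no mode-7 control queries."""
    return bytes([0x1B]) + bytes(47)

def answers_ntp(reply):
    """A 48-byte mode-4 (server) reply means the device serves time to anyone who asks."""
    return reply is not None and len(reply) >= 48 and (reply[0] & 0x07) == 4

def probe_udp(host, port, payload, timeout=2.0):
    """Send one datagram to a device you own; None on timeout means closed or filtered."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(payload, (host, port))
        try:
            return s.recv(512)
        except socket.timeout:
            return None

# Constructed sample reply: NOERROR answer for example.com with QR, RD and RA set and one
# A record (192.0.2.1, a documentation address), i.e. what an open resolver would return.
SAMPLE_OPEN_REPLY = (struct.pack("!HHHHHH", TXID, 0x8180, 1, 1, 0, 0)
                     + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
                     + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]))
```

To audit your own router from outside your network, call `probe_udp("<your-public-ip>", DNS_PORT, build_dns_query("example.com"))` and feed the reply to `parse_dns_header`; a `None` reply, or a reply without RA and answers, is the "All Clear" result, and the same applies to `answers_ntp(probe_udp(host, NTP_PORT, build_ntp_request()))`.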
If the scan still shows issues or you're a Vox customer needing hands-on help, reach out to our support desk at support@vox.co.za or call 087 805 0000.
We're committed to keeping your network safe!