The first step in securing a recursive DNS resolver service is determining how your server is being accessed or will be accessed:
- Is my resolver service public or private?
- Public: can be reached over the open internet (public IP address, not restricted)
- Private: cannot be reached over the open internet (private IP address, or ACL restrictions, or a combination)
- Is my resolver service open or closed?
- Open: reachable by, and responds to, queries from any client
- Closed: requires authentication of some sort to be used (for example, IP address, TSIG, or TLS certificate [DoT])
Depending on your company policy or business practice, you may be operating one or more types of resolvers. KINDNS best practices and implementation guidelines for Resolver Operators cover three major categories, reflecting the types of resolver services found on the internet in practice: