#1 The remote DNS server is vulnerable to cache snooping attacks.
Description : The
remote DNS server responds to queries for third-party domains which do
not have the
recursion bit set. This may allow a remote attacker to determine which
domains have recently
been resolved via this name server, and therefore which hosts have
been recently visited. For
instance, if an attacker was interested in whether your company
utilizes the online services of a
particular financial institution, they would be able to use this
attack to build a statistical model
regarding company usage of that financial institution. Of course, the
attack can also be used
to find B2B partners, web-surfing patterns, external mail servers, and
more...
#2 The remote name server allows recursive queries to be performed by
the host
running the test server. Description : It is possible to query the
remote name server for third
party names. If this is your internal nameserver, then forget this
warning. If you are probing a
remote nameserver, then it allows anyone to use it to resolve third
parties names (such as
www.securitymetrics.com). This allows hackers to do cache poisoning
attacks against this
nameserver. If the host allows these recursive queries via UDP, then
the host can be used to
'bounce' Denial of Service attacks against another network or system.
See also :
http://www.cert.org/advisories/CA-1997-22.html Solution: Restrict
recursive queries to the
hosts that should use this nameserver (such as those of the LAN
connected to it).
I am not a DNS expert, but this seems to be a catch-22. In order to
fix #1, I need to force recursion for third-party domains. #2 requires
that I disable recursion. I have read up on snooping (which makes
sense) and poisoning (which doesnt) and I ended up just confused. Can
anyone at least point me in the right direction? Thanks in advance.
Norm
Note: The server is 2003 Standard dedicated solely to DNS.
Thanks for your help James!
There is one other thing that I am still slightly confused about. I
have 2 public and 2 private DNS servers. The public is authoritative
for the domains that we host, and the internal serves the workstations
and web/DB servers.
I would like the internal servers to query the public servers for
requests that we are authoritative on while still allowing third-party
domains to resolve. I am guessing that I add the public servers to the
list of forwarders on the internal servers in front of our upstream
dns servers. Will this work if the public servers have recursion
disabled?