DNS Security Issues

philldmc
Recently I had a security audit and the report came back with the following issues.

DNS Server Cache Snooping Remote Information Disclosure
DNS Server Recursive Query Cache Poisoning Weakness

From my understanding to correct these issues I need to adjust the DNS Recursive Query. I seem to have two settings for this. "Do not use recursive for this domain" and "Disable Recursive".

I'm not sure what the difference between the two is and how it will affect my internal domain users. I know one disables forwarders. If that is the case, how will our clients be able to access the web without any forwarders? Should I close UDP 53 at the firewall level? I'm not exactly sure how to address this.

We currently have SBS 2003 using Exchange. Any advice would be great!
    seanferd

    "DNS Server Recursive Query Cache Poisoning Weakness"

    Update your DNS server to a current release or patchlevel which covers this.

    "DNS Server Cache Snooping Remote Information Disclosure"

    Don't allow anyone outside your network to access your DNS server at all. May require patches if this issue is due to an unpatched vulnerability.

    "Do not use recursive for this domain" and "Disable Recursive".

    The first would be domain-specific. If you only have one domain, then it is effectively (for the LAN) like the latter. The latter would leave your DNS server as authoritative nameserver only. You would probably not want to do either of these, as I imagine you have a recursive DNS server for a reason.

    Unless, of course, the auditor is actually referring to the internet DNS servers to which your forwarders point, in which case, use different servers. (Some ISPs do not keep their DNS patched. I still don't know if AT&T ever patched for the Kaminsky flaw - I got tired of waiting.) Level 3 DNS servers are everywhere, and are probably a good bet. Maybe Google's, if you like them. Many others.

    markp24

    Hi

    seanferd is correct, definitely follow those instructions.

    philldmc

    The server is a Windows 2003 Small Business Server with Service Pack 2 with All Windows Updates applied. I'm using the DNS service within the SBS. The forwarders we are using belong to Time Warner.

    What utility can I use that would test to see if it is my DNS or the ISP?

    seanferd

    Cache poisoning weakness should be covered on the code side. Do you have TTLs set outside the expected range? I dunno, this is just wild guessing if the audit report doesn't specify at all.

    For sure, make certain that the DNS server cannot be accessed from the public internet. Otherwise, I don't know what the auditor's deal is.

    Oh! No way, I think I may know what is going on: Time Warner does redirects instead of responding NXDOMAIN unless you opt out of that RR search service. The audit may be detecting that, which really has nothing to do with your private network. I have actually seen this happen.

    So, ask for a clarification - the immediate benefit may be that you can just cross one or both of those items right off your list. RR/TW DNS servers have nothing to do with you. Not your problem. If the preceding speculation is correct, but they hem and haw at TW DNS, then switch to Level 3 DNS or something.
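
An added example, not part of the thread, showing what the auditor's three findings look like at the DNS header level: a recursive (RD=1) query answered with RA set means the server recurses for whoever asked; a non-recursive (RD=0) query answered without the AA flag means the server handed out cached data (cache snooping); and an address returned for a name known not to exist means the upstream resolver is rewriting NXDOMAIN, the ISP redirect behaviour described above. The responses are constructed inline with documentation-range addresses, so nothing is sent on the wire; the helper names are this example's own.

```python
import struct

QR, AA, RD, RA = 0x8000, 0x0400, 0x0100, 0x0080
RCODE_NOERROR, RCODE_NXDOMAIN, RCODE_REFUSED = 0, 3, 5

def build_query(name, rd, txid=0x1234):
    """Wire-format A query. RD=0 is the non-recursive probe an audit uses to test cache snooping."""
    labels = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.strip(".").split("."))
    header = struct.pack(">HHHHHH", txid, RD if rd else 0, 1, 0, 0, 0)
    return header + labels + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def build_response(query, flags, answer_ip=None):
    """Constructed reply for testing: echoes the question and adds one A record if given."""
    ancount = 1 if answer_ip else 0
    header = query[:2] + struct.pack(">HHHHH", QR | flags, 1, ancount, 0, 0)
    rr = b""
    if answer_ip:  # name pointer to offset 12, type A, class IN, TTL 300, rdlength 4
        rr = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + bytes(int(o) for o in answer_ip.split("."))
    return header + query[12:] + rr

def classify(query, response, name_should_not_exist=False):
    """Read the header flags and map them onto the audit findings from the thread."""
    _, flags, _, ancount, _, _ = struct.unpack(">HHHHHH", response[:12])
    query_rd = bool(struct.unpack(">H", query[2:4])[0] & RD)
    rcode, aa, ra = flags & 0x000F, bool(flags & AA), bool(flags & RA)
    answered = rcode == RCODE_NOERROR and ancount > 0
    return {
        "recursion_available": ra,
        "refused": rcode == RCODE_REFUSED,
        # Recursive query from an outside client was resolved: recursion is open to them
        "open_recursion": query_rd and ra and answered,
        # Non-recursive query answered with non-authoritative data: cache contents leak
        "cache_snooping": (not query_rd) and answered and not aa,
        # A bogus name came back with an address: the resolver rewrites NXDOMAIN
        "nxdomain_redirect": name_should_not_exist and answered,
    }

# Constructed scenarios (documentation IPs), not captures from the original thread.
q_rec = build_query("www.example.com", rd=True)
q_norec = build_query("www.example.com", rd=False)
q_bogus = build_query("no-such-host-zz.example", rd=True)
open_server = classify(q_rec, build_response(q_rec, RD | RA, "192.0.2.10"))
hardened = classify(q_rec, build_response(q_rec, RD | RCODE_REFUSED))
snoopable = classify(q_norec, build_response(q_norec, RA, "192.0.2.10"))
not_cached = classify(q_norec, build_response(q_norec, RA))
redirecting_isp = classify(q_bogus, build_response(q_bogus, RD | RA, "198.51.100.1"), True)
honest_isp = classify(q_bogus, build_response(q_bogus, RD | RA | RCODE_NXDOMAIN), True)
```

Run the same classification against real replies from your own resolver (from an address outside the LAN) and from the ISP forwarders to tell which side each finding belongs to.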

    philldmc

    The server is a Windows 2003 Small Business Server that is utilizing Exchange, so the reality is that the outside public can reach our server.
