
Thread: Microsoft DNS configuration

  1. #1
    Norm Guest

    Microsoft DNS configuration

    Hello,
    I have an external DNS server that is authoritative for my customer's
    domains. One of my customers was told by their credit card company (or
    gateway or merchant, not sure which) that they needed to go through
    security testing as part of the new PCI security standard. A scan by a
    security company revealed some DNS issues. Below is the description of
    the problems regarding DNS:

    #1 The remote DNS server is vulnerable to cache snooping attacks.
    Description: The remote DNS server responds to queries for third-party
    domains which do not have the recursion bit set. This may allow a remote
    attacker to determine which domains have recently been resolved via this
    name server, and therefore which hosts have been recently visited. For
    instance, if an attacker was interested in whether your company utilizes
    the online services of a particular financial institution, they would be
    able to use this attack to build a statistical model regarding company
    usage of that financial institution. Of course, the attack can also be
    used to find B2B partners, web-surfing patterns, external mail servers,
    and more...

    #2 The remote name server allows recursive queries to be performed by
    the host running the test server. Description: It is possible to query
    the remote name server for third party names. If this is your internal
    nameserver, then forget this warning. If you are probing a remote
    nameserver, then it allows anyone to use it to resolve third parties'
    names (such as www.securitymetrics.com). This allows hackers to do cache
    poisoning attacks against this nameserver. If the host allows these
    recursive queries via UDP, then the host can be used to 'bounce' Denial
    of Service attacks against another network or system.
    See also: http://www.cert.org/advisories/CA-1997-22.html
    Solution: Restrict recursive queries to the hosts that should use this
    nameserver (such as those of the LAN connected to it).

    I am not a DNS expert, but this seems to be a catch-22. In order to
    fix #1, I need to force recursion for third-party domains. #2 requires
    that I disable recursion. I have read up on snooping (which makes
    sense) and poisoning (which doesn't) and I ended up just confused. Can
    anyone at least point me in the right direction? Thanks in advance.

    Norm

    Note: The server is 2003 Standard dedicated solely to DNS.

  2. #2
    James Yeomans BSc, MCSE Guest

    RE: Microsoft DNS configuration

    Hi Norm, I think the problem is that your server is effectively acting as a
    public dns server because it is answering queries from internet based clients
    outside your network. This is the functionality you want from your dns server
    internally but not externally especially if you are being security
    checked!!!! In the server properties on the dns server you need to disable
    recursion so that all external queries other than for locally hosted records
    are not answered. Hope that makes sense.
    James.
    --
    James Yeomans, BSc, MCSE



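    To see what the scanner saw, and to re-check a server after recursion has been disabled as James suggests, here is an added example (not from the thread or from Microsoft) that builds an A query with and without the RD bit and maps the two replies for a third-party name onto findings #1 and #2. The names `classify`, `probe` and `make_response` are assumptions of this example, and the classification is a simplification of what a full scanner does.

```python
import socket
import struct

# Added example (not from the thread): a minimal DNS query builder/parser to
# re-check your own name server for the two scan findings after a change.
# A-record queries only; the classification is a simplification.

A_IN = struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def build_query(name, rd, txid=0x1234):
    """Standard query for `name`; rd=False clears the recursion-desired bit."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels)
    return header + qname + b"\x00" + A_IN

def parse_header(resp):
    """Decode the 12-byte header; only the flags and counts matter here."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "rd": bool(flags & 0x0100), "ra": bool(flags & 0x0080),
            "rcode": flags & 0x000F, "ancount": an}

def classify(resp_rd1, resp_rd0):
    """Map two replies for a third-party name (RD=1 and RD=0 queries) onto the
    scan findings: a non-authoritative answer with RA set to an RD=1 query is
    open recursion (#2); a non-authoritative answer to an RD=0 query can only
    have come from the cache, which is what cache snooping (#1) relies on."""
    h1, h0 = parse_header(resp_rd1), parse_header(resp_rd0)
    findings = []
    if h1["ra"] and h1["rcode"] == 0 and h1["ancount"] and not h1["aa"]:
        findings.append("#2 open recursion")
    if h0["rcode"] == 0 and h0["ancount"] and not h0["aa"]:
        findings.append("#1 cache snooping")
    return findings

def make_response(flags, ancount, txid=0x1234):
    """Constructed sample reply header (no question/answer sections)."""
    return struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)

def probe(server, name, rd, timeout=3.0):
    """Send one UDP query to a server you operate and return the raw reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, rd), (server, 53))
        return s.recvfrom(512)[0]
```

    Once recursion is disabled on the public server, `classify(probe(srv, name, True), probe(srv, name, False))` for a name you are not authoritative for should return an empty list, while queries for your own zones still come back with the AA bit set.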
  3. #3
    Norm Guest

    Re: Microsoft DNS configuration

    On Oct 14, 2:07 pm, James Yeomans BSc, MCSE
    <JamesYeomansBScM...@discussions.microsoft.com> wrote:

    Thanks for your help James!

    There is one other thing that I am still slightly confused about. I
    have 2 public and 2 private DNS servers. The public is authoritative
    for the domains that we host, and the internal serves the workstations
    and web/DB servers.

    I would like the internal servers to query the public servers for
    requests that we are authoritative on while still allowing third-party
    domains to resolve. I am guessing that I add the public servers to the
    list of forwarders on the internal servers in front of our upstream
    dns servers. Will this work if the public servers have recursion
    disabled?

  4. #4
    James Yeomans BSc, MCSE Guest

    Re: Microsoft DNS configuration

    With windows server 2003 you can use conditional forwarding that allows you
    to forward requests for specific domains to specific servers that you
    specify. This is done on the properties tab of the server. This does not
    require recursion on your public server as it will be answering the queries
    itself. Your other option is to create a stub zone on your private server
    that contains the name server records for a specific domain and will
    therefore forward requests for that domain to the name servers it lists. The
    following link should explain stub zones a bit better:
    http://www.justaskjames.co.uk/default.asp?link=108
    --
    James Yeomans, BSc, MCSE


