Hello,
I have an external DNS server that is authoritative for my customer's
domains. One of my customers was told by their credit card company (or
gateway or merchant, not sure which) that they needed to go through
security testing as part of the new PCI security standard. A scan by a
security company revealed some DNS issues. Below is the description of
the problems regarding DNS:
#1 The remote DNS server is vulnerable to cache snooping attacks.
Description: The remote DNS server responds to queries for third-party domains which do not have the recursion bit set. This may allow a remote attacker to determine which domains have recently been resolved via this name server, and therefore which hosts have been recently visited. For instance, if an attacker was interested in whether your company utilizes the online services of a particular financial institution, they would be able to use this attack to build a statistical model regarding company usage of that financial institution. Of course, the attack can also be used to find B2B partners, web-surfing patterns, external mail servers, and more...
#2 The remote name server allows recursive queries to be performed by the host running the test server.
Description: It is possible to query the remote name server for third-party names. If this is your internal nameserver, then forget this warning. If you are probing a remote nameserver, then it allows anyone to use it to resolve third parties' names (such as www.securitymetrics.com). This allows hackers to do cache poisoning attacks against this nameserver. If the host allows these recursive queries via UDP, then the host can be used to 'bounce' Denial of Service attacks against another network or system.
See also: http://www.cert.org/advisories/CA-1997-22.html
Solution: Restrict recursive queries to the hosts that should use this nameserver (such as those of the LAN connected to it).
I am not a DNS expert, but this seems to be a catch-22. In order to
fix #1, I need to force recursion for third-party domains. #2 requires
that I disable recursion. I have read up on snooping (which makes
sense) and poisoning (which doesn't) and I ended up just confused. Can
anyone at least point me in the right direction? Thanks in advance.
Norm
Note: The server is 2003 Standard dedicated solely to DNS.
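The two scan findings above are really one setting seen from two angles: a server that answers RD=0 queries for names it is not authoritative for is handing out cache contents, and a server that honours RD=1 queries from anyone is an open resolver. The following script is an added example (not from the post, the scanner, or Windows DNS) that builds the two probe queries the scan sends, interprets the response flags the way the findings are phrased, and runs against constructed sample responses so it works offline; to verify a real server after restricting recursion, send the output of `build_query` to its UDP port 53 and pass the replies to `assess`. An authoritative-only server that refuses recursion should come back False on both checks.

```python
import struct

def build_query(name: str, recursion_desired: bool, txid: int = 0x1234) -> bytes:
    """Build a DNS A query. RD=0 is the probe a cache-snooping scan sends."""
    flags = 0x0100 if recursion_desired else 0x0000  # RD bit only
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)  # QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode()
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def make_response(query: bytes, *, aa: bool, ra: bool, rcode: int = 0, ip: str = "") -> bytes:
    """Constructed reply to `query` (sample data for offline use, not a real server)."""
    txid, qflags = struct.unpack(">HH", query[:4])
    flags = (0x8000 | (qflags & 0x0100) | (0x0400 if aa else 0)
             | (0x0080 if ra else 0) | (rcode & 0x000F))
    body = query[12:]  # echo the question section
    if ip:  # one A record, name compressed to the question at offset 12
        body += b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4)
        body += bytes(int(octet) for octet in ip.split("."))
    return struct.pack(">HHHHHH", txid, flags, 1, 1 if ip else 0, 0, 0) + body

def parse_header(msg: bytes) -> dict:
    """Pull the flag bits a recursion/snooping check cares about."""
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    return {"id": txid, "aa": bool(flags & 0x0400), "rd": bool(flags & 0x0100),
            "ra": bool(flags & 0x0080), "rcode": flags & 0x000F, "ancount": an}

def assess(norec_resp: bytes, rec_resp: bytes) -> dict:
    """Map two replies (to an RD=0 and an RD=1 query for a third-party name)
    onto the two scan findings."""
    nr, r = parse_header(norec_resp), parse_header(rec_resp)
    # Finding #1: a non-recursive query for a name we are not authoritative
    # for that still returns answers can only have been served from cache.
    cache_snooping = nr["ancount"] > 0 and not nr["aa"]
    # Finding #2: RD=1 honoured (RA set, non-authoritative answers returned)
    # means anyone can use this host as a recursive resolver.
    open_recursion = r["ra"] and r["ancount"] > 0 and not r["aa"]
    return {"cache_snooping": cache_snooping, "open_recursion": open_recursion}

if __name__ == "__main__":
    q0 = build_query("www.securitymetrics.com", recursion_desired=False)
    q1 = build_query("www.securitymetrics.com", recursion_desired=True)
    # Constructed replies from a server that still recurses for everyone.
    print("open:", assess(make_response(q0, aa=False, ra=True, ip="192.0.2.10"),
                          make_response(q1, aa=False, ra=True, ip="192.0.2.10")))
    # Constructed replies from the same server after recursion is refused (RCODE 5).
    print("hardened:", assess(make_response(q0, aa=False, ra=False, rcode=5),
                              make_response(q1, aa=False, ra=False, rcode=5)))
```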