> On Oct 14, 2:07 pm, James Yeomans BSc, MCSE
> <JamesYeomansBScM...[ at ]discussions.microsoft.com> wrote:
> > > Hi Norm, I think the problem is that your server is effectively acting as a
> > > public dns server because it is answering queries from internet based clients
> > > outside your network. This is the functionality you want from your dns server
> > > internally but not externally especially if you are being security
> > > checked!!!! In the server properties on the dns server you need to disable
> > > recursion so that all external queries other than for locally hosted records
> > > are not answered. Hope that makes sense.
> > James.
> > --
> > James Yeomans, BSc, MCSE
> >
> > "Norm" wrote:
> > > Hello,
> > > I have an external DNS server that is authoritative for my customer's
> > > domains. One of my customers was told by their credit card company (or
> > > gateway or merchant, not sure which) that they needed to go through
> > > security testing as part of the new PCI security standard. A scan by a
> > > security company revealed some DNS issues. Below is the description of
> > > the problems regarding DNS:
> >
> > > #1 The remote DNS server is vulnerable to cache snooping attacks.
> > > Description : The remote DNS server responds to queries for third-party
> > > domains which do not have the recursion bit set. This may allow a remote
> > > attacker to determine which domains have recently been resolved via this
> > > name server, and therefore which hosts have been recently visited. For
> > > instance, if an attacker was interested in whether your company utilizes
> > > the online services of a particular financial institution, they would be
> > > able to use this attack to build a statistical model regarding company
> > > usage of that financial institution. Of course, the attack can also be
> > > used to find B2B partners, web-surfing patterns, external mail servers,
> > > and more...
> >
> > > #2 The remote name server allows recursive queries to be performed by the
> > > host running the test server.
> > > Description : It is possible to query the remote name server for
> > > third-party names. If this is your internal nameserver, then forget this
> > > warning. If you are probing a remote nameserver, then it allows anyone to
> > > use it to resolve third-party names (such as www.securitymetrics.com).
> > > This allows hackers to do cache poisoning attacks against this
> > > nameserver. If the host allows these recursive queries via UDP, then the
> > > host can be used to 'bounce' Denial of Service attacks against another
> > > network or system.
> > > See also : http://www.cert.org/advisories/CA-1997-22.html
> > > Solution: Restrict recursive queries to the hosts that should use this
> > > nameserver (such as those of the LAN connected to it).
> >
> > > I am not a DNS expert, but this seems to be a catch-22. In order to
> > > fix #1, I need to force recursion for third-party domains. #2 requires
> > > that I disable recursion. I have read up on snooping (which makes
> > > sense) and poisoning (which doesn't) and I ended up just confused. Can
> > > anyone at least point me in the right direction? Thanks in advance.
> >
> > > Norm
> >
> > > Note: The server is 2003 Standard dedicated solely to DNS.
>
> Thanks for your help James!
>
> There is one other thing that I am still slightly confused about. I
> have 2 public and 2 private DNS servers. The public is authoritative
> for the domains that we host, and the internal serves the workstations
> and web/DB servers.
>
> I would like the internal servers to query the public servers for
> requests that we are authoritative on while still allowing third-party
> domains to resolve. I am guessing that I add the public servers to the
> list of forwarders on the internal servers in front of our upstream
> dns servers. Will this work if the public servers have recursion
> disabled?
>
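An added example, not from the thread and not Microsoft's or the scanner's code, that turns the two findings quoted above into a check you can run against a DNS server you administer after changing its recursion setting. It builds the two probes the scanner describes (one query with the recursion-desired bit set, one without), reads the RA flag, RCODE and answer count out of the reply header, and maps them to finding #2 (open recursion) and finding #1 (answering non-recursive third-party queries from cache). The sample replies are constructed, not captured traffic; the server address, the probe name and the `assess` classification are assumptions.

```python
"""Offline check of the two DNS findings in the thread, decided from the
header flags of a server's replies.  Helper names are hypothetical and the
sample replies below are constructed to show both outcomes."""
import socket
import struct

QR = 0x8000   # response bit
RD = 0x0100   # recursion desired (set by the client)
RA = 0x0080   # recursion available (set by the server)


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, recursion_desired, txid=0x1234):
    """One A-record question; clearing RD gives the cache-snooping style probe."""
    flags = RD if recursion_desired else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def parse_header(msg):
    """Return the header fields a defender needs: RA, RCODE and section counts."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & QR), "rd": bool(flags & RD),
            "ra": bool(flags & RA), "rcode": flags & 0xF,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def assess(recursive_resp, nonrecursive_resp):
    """Map the replies to two probes for a third-party name to the findings."""
    rec = parse_header(recursive_resp)
    nonrec = parse_header(nonrecursive_resp)
    findings = []
    # Finding #2: the server resolves third-party names for whoever asks.
    if rec["ra"] or (rec["rcode"] == 0 and rec["ancount"] > 0):
        findings.append("open-recursion")
    # Finding #1: an RD=0 query answered with records means they came from cache.
    if nonrec["rcode"] == 0 and nonrec["ancount"] > 0:
        findings.append("cache-snooping")
    return findings


def query_server(server_ip, name, recursion_desired, timeout=3.0):
    """Send one probe over UDP to a server you administer; returns the raw reply."""
    q = build_query(name, recursion_desired)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server_ip, 53))
        resp, _ = s.recvfrom(512)
    if resp[:2] != q[:2]:
        raise ValueError("transaction id mismatch")
    return resp


# --- constructed sample replies (not captured traffic) ---
def build_response(name, flags, answer_ips, rcode=0, txid=0x1234):
    """Construct a reply: header, echoed question, then one A record per IP."""
    header = struct.pack("!HHHHHH", txid, QR | flags | rcode, 1, len(answer_ips), 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    # 0xC00C is a compression pointer back to the question name at offset 12.
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)
                   for ip in answer_ips)
    return header + question + rrs


PROBE = "www.example.com"                                   # assumed third-party name
OPEN_RECURSIVE = build_response(PROBE, RD | RA, ["192.0.2.10"])      # RA set, answered
CACHE_HIT = build_response(PROBE, 0, ["192.0.2.10"])                 # RD=0 probe answered
HARDENED_RECURSIVE = build_response(PROBE, RD, [], rcode=5)          # REFUSED, RA clear
HARDENED_NONREC = build_response(PROBE, 0, [], rcode=5)              # REFUSED, nothing served

if __name__ == "__main__":
    print("before:", assess(OPEN_RECURSIVE, CACHE_HIT))
    print("after: ", assess(HARDENED_RECURSIVE, HARDENED_NONREC))
    # Live use against your own server (assumed address):
    # rec = query_server("198.51.100.53", PROBE, True)
    # nonrec = query_server("198.51.100.53", PROBE, False)
    # print(assess(rec, nonrec))
```

With recursion disabled on the public servers, as James suggests, both probes for a name the server does not host should come back without RA set and without answer records, so `assess` reports nothing, while queries for the hosted zones are still answered. The same property bears on the forwarder question: a server that no longer recurses will not resolve third-party names on behalf of the internal servers, so it only makes sense as a forwarder for the domains it is authoritative for (per-domain, or conditional, forwarders rather than the general forwarder list), with the upstream servers handling everything else.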