VID 19002
Severity 30
Port 53
Protocol TCP,UDP
Class DNS
Detailed Description The DNS server has the Inverse Query (iquery) feature enabled. An inverse query (opcode IQUERY in RFC 1035) maps a resource record, typically an address, back to the domain names the server knows for it. Because the server answers from its own database, an attacker can walk through your address ranges one address at a time and enumerate the hosts registered in the zone, obtaining much the same information as a DNS zone transfer. A zone transfer lists every computer registered with the DNS server in the queried zone; an attacker can use this information to map the topology of your network and pick new targets for an attack.
Even if you have disabled zone transfers on your DNS server, the iquery feature still lets the attacker obtain equivalent information, just one address at a time instead of in a single request.

* References:
http://www.rfc-editor.org/rfc/rfc1035.txt
http://www.acmebw.com/resources/papers/securing.pdf
http://www.microsoft.com/windows2000/en/server/help/default.asp?url=/windows2000/en/server/help/sag_DNS_und_ReverseLookup.htm
http://www.ietf.org/proceedings/01dec/I-D/draft-ietf-dnsext-obsolete-iquery-01.txt (later published as RFC 3425, "Obsoleting IQUERY")

* Platforms Affected:
DNS Any version
Recommendation Configure your DNS server to disable the Inverse Query feature. To disable this feature:

For UNIX/Linux BIND 8:
1. Edit the named.conf file.
2. In the "options" block, comment out the "fake-iquery yes;" entry or change it to "fake-iquery no;" (no is the default, so removing the entry has the same effect).
3. Save and exit the file.
4. Restart the 'named' daemon so the new configuration is loaded.

For UNIX/Linux BIND 4.9:
1. Edit the named.boot file.
2. Comment out any "fake-iquery" entries on "options" lines.
3. Save and exit the file.
4. Restart the 'named' daemon so the new configuration is loaded.

For Microsoft Windows:
There is currently no known solution to this problem.
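The following probe is an added example, not part of the original advisory or of any vendor's tooling. It checks the condition described above (a server that answers inverse queries) and can be re-run after the named restart to verify that the setting took effect. It builds an inverse query exactly as laid out in RFC 1035 section 6.4.2 (no question section; one A record with an empty owner name in the answer section) and classifies the reply by its RCODE: a server that does not support IQUERY answers with RCODE 4, "Not Implemented", while a server that does returns the matching names in the question section. The server address, the IP to look up and the two sample replies used for the offline demonstration are constructed assumptions; a BIND server with fake-iquery enabled only simulates the query type, so the names it returns should be treated as evidence that the feature is on, not as a reliable reverse mapping.

```python
"""Probe a DNS server for RFC 1035 inverse query (IQUERY, opcode 1) support.

Added example; the sample replies below are constructed, not captured.
"""
import socket
import struct

OPCODE_IQUERY = 1
RCODE_NOERROR = 0
RCODE_NOTIMP = 4          # "Not Implemented": server does not support this opcode
TYPE_A = 1
CLASS_IN = 1
TXID = 0x1234             # fixed transaction id for the examples (assumption)

# Constructed sample replies (transaction id 0x1234, QR=1, opcode=IQUERY).
# A server with iquery disabled: RCODE=4, no records at all.
SAMPLE_NOTIMP = b"\x12\x34\x88\x04\x00\x00\x00\x00\x00\x00\x00\x00"
# A server with iquery enabled: RCODE=0, question filled in with the name
# www.example.com, answer echoing the A record 192.0.2.10 (compression pointer).
SAMPLE_ENABLED = (
    b"\x12\x34\x88\x00\x00\x01\x00\x01\x00\x00\x00\x00"
    + b"\x03www\x07example\x03com\x00\x00\x01\x00\x01"
    + b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x00\x00\x04\xc0\x00\x02\x0a"
)


def build_iquery(ip, txid=TXID):
    """Build an inverse query asking "which names map to this A record?".

    Per RFC 1035 6.4.2 the query carries no question; the answer section
    holds one A RR with an empty owner name and the address as RDATA.
    """
    flags = OPCODE_IQUERY << 11                  # QR=0, opcode=1, RD=0
    header = struct.pack("!HHHHHH", txid, flags, 0, 1, 0, 0)
    rr = (b"\x00"                                # empty owner name (root)
          + struct.pack("!HHIH", TYPE_A, CLASS_IN, 0, 4)
          + socket.inet_aton(ip))
    return header + rr


def read_name(data, offset):
    """Decode a possibly compressed domain name; return (name, next_offset)."""
    labels = []
    jumped = False
    end = offset
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                # compression pointer
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped = True
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels), end


def classify_response(data, txid=TXID):
    """Return ("disabled" | "enabled" | "inconclusive", [names]) for a reply."""
    if len(data) < 12:
        return "inconclusive", []
    rid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or not flags & 0x8000:        # wrong id or not a response
        return "inconclusive", []
    rcode = flags & 0xF
    if rcode == RCODE_NOTIMP:
        return "disabled", []
    if rcode != RCODE_NOERROR:
        return "inconclusive", []
    names = []
    offset = 12
    for _ in range(qdcount):                     # server fills in the question
        name, offset = read_name(data, offset)
        offset += 4                              # skip QTYPE and QCLASS
        names.append(name)
    return ("enabled" if names else "inconclusive"), names


def probe(server, ip, timeout=3.0, port=53):
    """Send one inverse query over UDP to `server` and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_iquery(ip), (server, port))
        try:
            data, _ = sock.recvfrom(512)
        except socket.timeout:
            return "inconclusive", []
    return classify_response(data)


if __name__ == "__main__":
    import sys
    # Offline demonstration on the constructed samples, then a live probe
    # if a server and an address are given on the command line.
    print("sample NOTIMP  ->", classify_response(SAMPLE_NOTIMP))
    print("sample ENABLED ->", classify_response(SAMPLE_ENABLED))
    if len(sys.argv) == 3:
        print(sys.argv[1], "->", probe(sys.argv[1], sys.argv[2]))
```

Run it as `python3 iquery_probe.py <dns-server> <address-in-your-zone>`; "disabled" after the named restart confirms the fix, while "inconclusive" (timeout, a different RCODE, or a mismatched transaction id) means the answer must be checked by hand rather than taken as either result.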
Related URL CVE-1999-0533 (CVE)
Related URL 206 (ISS)