| VID | 19003 |
| Severity | 30 |
| Port | 53 |
| Protocol | TCP,UDP |
| Class | DNS |
| Detailed Description |
The DNS server allows recursive queries from any host. By placing a false authoritative record in the DNS database of a host he controls, an attacker can attempt a DNS cache poisoning attack: the attacker causes your name server to perform a recursive query against his malicious name server, which answers with the false record, and your name server may then accept and cache the false record included in that answer. This could allow the attacker to redirect a specific web site to a malicious web site, or to spoof an MX record so that e-mail for your domain's mail server is delivered to his mail server.
* Note: If the DNS server is your internal name server, then ignore this alert.
* References:
  - http://www.sans.org/rr/firewall/DNS_spoof.php
  - http://www.acmebw.com/resources/papers/securing.pdf
  - http://www.cert.org/advisories/CA-1997-22.html |
| Recommendation |
Restrict recursive queries to the hosts that actually need to use this name server (for example, the hosts on the LAN connected to it).
For UNIX or Linux systems: if you run BIND version 8, use the 'allow-recursive' statement in the 'options' section of the named.conf file; if you run BIND version 9, use the 'allow-recursion' statement. You should also restrict the information that the DNS server serves to outside clients, so that it cannot be used to retrieve information about your organization that you do not want to give away. This means adding the following options: allow-transfer, allow-query, allow-recursive (or allow-recursion) and version. You can apply these either in the global options section (so they apply to all zones served) or on a per-zone basis.
For example, imagine that your server is connected both to the Internet and to your internal network (its internal IP is 192.168.1.2), i.e. a basic multi-homed server, that you do not want to offer any service to the Internet, and that you only want to allow DNS lookups from your internal hosts. You could restrict it by including the following in /etc/named.conf (note that the statement is 'allow-recursion' on BIND 9, and that A.B.C.D stands for the address of your upstream forwarder):
    options {
        allow-query     { 192.168.1/24; };   // answer queries only from the internal LAN
        allow-transfer  { none; };           // no zone transfers to anyone
        allow-recursive { 192.168.1/24; };   // recursion only for the internal LAN
        listen-on       { 192.168.1.2; };    // bind only to the internal interface
        forward only;                        // send all recursion to the forwarders
        forwarders      { A.B.C.D; };
    };
For Microsoft Windows:
1. Open Registry Editor (from the Windows Start menu, select Run, type regedit or regedt32, and click OK).
2. Go to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters registry key.
3. On the Edit menu, add a value named NoRecursion of type REG_DWORD.
4. In the DWORD Editor, set the data value to 1 (TRUE, recursion disabled).
5. Shut down and restart the DNS server.
For details, see also http://www.acmebw.com/resources/papers/securing.pdf |
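To verify the restriction after applying it, the following added example (not part of the original advisory) sends a query with the RD bit set and classifies the answer by the RA bit and RCODE: a server that still offers recursion answers with RA=1, while a server whose allow-recursion list excludes the client clears RA or returns REFUSED. The name queried (example.com) and the server addresses are assumptions; the query should be for a name the server is not authoritative for.

```python
import socket
import struct

TXID = 0x1234  # fixed transaction id for the constructed check


def build_query(qname, txid=TXID):
    """Build a minimal DNS A query with RD (recursion desired) set."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD only
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + question + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def classify_response(resp, txid=TXID):
    """Return 'open-recursive', 'recursion-restricted' or 'unexpected'."""
    if len(resp) < 12:
        return "unexpected"
    rid, flags = struct.unpack(">HH", resp[:4])
    if rid != txid or not flags & 0x8000:  # wrong id or QR bit clear: not our answer
        return "unexpected"
    ra = bool(flags & 0x0080)  # RA: recursion available to this client
    rcode = flags & 0x000F     # 5 = REFUSED
    if ra and rcode == 0:
        return "open-recursive"
    if not ra or rcode == 5:
        return "recursion-restricted"
    return "unexpected"


def check_server(server, qname="example.com", timeout=3.0):
    """Query a live server over UDP/53 and classify its recursion policy."""
    query = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        resp, _ = sock.recvfrom(512)
    return classify_response(resp)


# Constructed sample headers (no network needed): RA set, and REFUSED with RA clear.
SAMPLE_OPEN = struct.pack(">HH", TXID, 0x8180) + b"\x00" * 8
SAMPLE_RESTRICTED = struct.pack(">HH", TXID, 0x8005) + b"\x00" * 8

if __name__ == "__main__":
    print(classify_response(SAMPLE_OPEN), classify_response(SAMPLE_RESTRICTED))
```

Run check_server("192.168.1.2") from an internal host and from an external one; only the internal host should see "open-recursive".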
| Related URL | CVE-1999-002 (CVE) |
| Related URL | (SecurityFocus) |
| Related URL | (ISS) |