Home page logo

basics logo Security Basics mailing list archives

Re: DNS recursion Windows 2003
From: MaddHatter <maddhatt+securitybasics () cat pdx edu>
Date: Thu, 22 Feb 2007 15:58:11 -0800

jlehman () mailesignal com said (on 2007/02/21):
From a 3rd party scan -

desc:           This DNS server has query recursion enabled...

From what I have read, windows server 2003 DNS does have the ability to restrict recrsive lookups to a specific IP 
range, (my local network). It's either on or off, and off is not an option. Given that, what are the recommendations 
for a non-authoritative forwarder, Bind, tinynds etc?

Properly configured, BIND >=9 and Windows are both about as secure
against poisoning attacks as anyone can make a DNS server (short of using
DNSSec... the official DNS protocol of the Easter Bunny and the Tooth
Fairy). Poisoning the cache would require correctly guessing a port (not
hard) and the correct 16-bit id (random, so kinda hard) before the real
server responds (whose response could be stopped/slowed by a DoS attack).

What you can do with BIND is define an "intranet" view and an "internet"
view. (The views are defined in terms of the requestor's source IP
address.) By not allowing recursion in the internet view, you're safe from
external cache poisoning attacks. A successful internal cache poisoning
attack would have to get through the limitations I mentioned above.

In Windows, you don't get views, but you can have two separate DNS
servers protected by different firewall rules to achieve a similar
effect. The external DNS server only answers queries for its own zones
(i.e. recursion disabled). The internal DNS server does recursion
(enable the "secure cache against pollution" option described in
http://support.microsoft.com/kb/316786) but is not accessible from the
outside, so again, the cache poisoning attack would have to come from
within and is subject to limitations similar to what I described above.

I don't know Tinydns, but Djbdns randomizes the port and the ID, so it's
that much harder to guess the right values to poison the cache.

Shameless plug: If only the whole world abided by BCP 38
(http://www.armware.dk/RFC/bcp/bcp38.html) none of this would even be an
issue since people couldn't spoof packets from others' networks. *sigh*

This list is sponsored by: BigFix

If your IT fails, you're out of business - or worse.  Arm your 
enterprise with BigFix, the single converged IT security and operations 
engine. BigFix enables continuous discovery, assessment, remediation, 
and enforcement for complex and distributed IT environments in real-time 
from a single console.
Think what's next. Think BigFix. 


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]