
Security Basics mailing list archives

Re: DNS recursion Windows 2003
From: "Jason Muskat, GCFA, GCUX, de VE3TSJ" <Jason () TechDude Ca>
Date: Mon, 26 Feb 2007 00:50:32 -0500


Windows DNS Server had an unusual option, "Perform secure lookups", or something akin to that. It should be enabled; the default was disabled.


Jason Muskat  | GCFA, GCUX - de VE3TSJ
e. Jason () TechDude Ca
m. 416 .414 .9934


On 21-Feb-07, at 12:37 PM, jlehman () mailesignal com wrote:

From a 3rd party scan -

desc: This DNS server has query recursion enabled, allowing it to answer requests for DNS zones outside of your authority. This configuration may allow attackers to perform a cache poisoning attack on your server, corrupting the name-to-IP translation tables, potentially enabling man-in-the-middle attacks. remed: Check your DNS server documentation for instructions on either disabling recursion or limiting the hosts which may ask for recursive queries. For example, in BIND 8, the 'allow-recursion' directive can be used for this purpose.

From what I have read, Windows Server 2003 DNS does have the ability to restrict recursive lookups to a specific IP range (my local network). It's either on or off, and off is not an option. Given that, what are the recommendations for a non-authoritative forwarder, BIND, tinydns, etc.?
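The scanner finding above comes down to one header bit: a server that sets RA (recursion available) in its reply to a host outside your network will recurse for that host. The following probe is an added example, not code from the thread; it builds a query with RD set, reads the RA bit and rcode from the reply, and can be run against your own server from inside and outside the allowed range after the change. The server address, query name and the two sample replies are constructed for illustration.

```python
import socket
import struct

QR = 0x8000   # response bit
RD = 0x0100   # recursion desired (set by the client)
RA = 0x0080   # recursion available (set by the server for this client)

def build_query(qname, qid=0x1234):
    """Build a minimal DNS A query with RD set, as the scanner would send."""
    header = struct.pack('!HHHHHH', qid, RD, 1, 0, 0, 0)
    labels = b''.join(bytes([len(lab)]) + lab.encode()
                      for lab in qname.strip('.').split('.'))
    return header + labels + b'\x00' + struct.pack('!HH', 1, 1)  # QTYPE=A, QCLASS=IN

def parse_header(resp):
    """Return the id, flag bits and rcode from a DNS response header."""
    qid, flags = struct.unpack('!HH', resp[:4])
    return {'id': qid, 'qr': bool(flags & QR), 'rd': bool(flags & RD),
            'ra': bool(flags & RA), 'rcode': flags & 0x000F}

def recursion_offered(query, resp):
    """True when the reply matches our query id and the server set RA for us."""
    h = parse_header(resp)
    qid = struct.unpack('!H', query[:2])[0]
    return h['qr'] and h['id'] == qid and h['ra']

def probe(server, qname='example.com', timeout=3.0):
    """Send the query over UDP/53 and report whether recursion is open to this host."""
    q = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        resp, _ = s.recvfrom(512)
    return recursion_offered(q, resp)

# Constructed sample replies (headers only, which is all this check reads):
# an open resolver answers NOERROR with RA set; a server that restricts recursion
# to other hosts (e.g. BIND allow-recursion) answers REFUSED (rcode 5) with RA clear.
OPEN_RESPONSE = struct.pack('!HHHHHH', 0x1234, QR | RD | RA, 1, 1, 0, 0)
RESTRICTED_RESPONSE = struct.pack('!HHHHHH', 0x1234, QR | RD | 5, 1, 0, 0, 0)

if __name__ == '__main__':
    import sys
    server = sys.argv[1] if len(sys.argv) > 1 else '192.0.2.53'  # placeholder address
    print('recursion offered to this host:', probe(server))
```

Run it once from a host in the allowed range and once from outside; after restricting recursion only the first should report True.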


