Security Basics mailing list archives
Re: DNS recursion Windows 2003
From: MaddHatter <maddhatt+securitybasics () cat pdx edu>
Date: Thu, 22 Feb 2007 15:58:11 -0800
jlehman () mailesignal com said (on 2007/02/21):
From a 3rd party scan - desc: This DNS server has query recursion enabled... From what I have read, Windows Server 2003 DNS does not have the ability to restrict recursive lookups to a specific IP range (my local network). It's either on or off, and off is not an option. Given that, what are the recommendations for a non-authoritative forwarder, BIND, tinydns etc?
Properly configured, BIND >=9 and Windows are both about as secure against poisoning attacks as anyone can make a DNS server (short of using DNSSec... the official DNS protocol of the Easter Bunny and the Tooth Fairy). Poisoning the cache would require correctly guessing a port (not hard) and the correct 16-bit id (random, so kinda hard) before the real server responds (whose response could be stopped/slowed by a DoS attack).

What you can do with BIND is define an "intranet" view and an "internet" view. (The views are defined in terms of the requestor's source IP address.) By not allowing recursion in the internet view, you're safe from external cache poisoning attacks. A successful internal cache poisoning attack would have to get through the limitations I mentioned above.

In Windows, you don't get views, but you can have two separate DNS servers protected by different firewall rules to achieve a similar effect. The external DNS server only answers queries for its own zones (i.e. recursion disabled). The internal DNS server does recursion (enable the "secure cache against pollution" option described in http://support.microsoft.com/kb/316786) but is not accessible from the outside, so again, the cache poisoning attack would have to come from within and is subject to limitations similar to what I described above.

I don't know Tinydns, but Djbdns randomizes the port and the ID, so it's that much harder to guess the right values to poison the cache.

Shameless plug: If only the whole world abided by BCP 38 (http://www.armware.dk/RFC/bcp/bcp38.html) none of this would even be an issue since people couldn't spoof packets from others' networks. *sigh*
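The two-view BIND layout described in the reply above, written out as an added named.conf fragment (example config, not from the original post or from any poster). The "intranet" address ranges and the zone "example.com" are assumed placeholders; with views in use, every zone, including the root hints, has to live inside a view.

```conf
// Added example: BIND 9 named.conf with an internal recursive view and an
// external authoritative-only view. Address ranges and zone are assumed.
acl "intranet" {
    127.0.0.0/8;
    10.0.0.0/8;       // assumed internal range
    192.168.0.0/16;   // assumed internal range
};

options {
    directory "/var/named";
    // Global defaults; each view overrides what it needs.
    recursion no;
    allow-transfer { none; };
};

// Internal clients: recursive resolver plus our own zones.
view "intranet" {
    match-clients { "intranet"; };
    recursion yes;
    allow-recursion { "intranet"; };
    allow-query-cache { "intranet"; };

    zone "." { type hint; file "named.root"; };
    zone "example.com" {
        type master;
        file "internal/example.com.zone";
    };
};

// Everyone else: answers only for our zones, no recursion, no cache access.
view "internet" {
    match-clients { any; };
    recursion no;
    allow-recursion { none; };
    allow-query-cache { none; };

    zone "example.com" {
        type master;
        file "external/example.com.zone";
    };
};
```

Run named-checkconf after editing; from an external address a query for a name the server is not authoritative for should then come back REFUSED with the RA flag clear, which is what the third-party scan is looking for.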