Re: DNS recursion Windows 2003

["Jason Muskat, GCFA, GCUX, de VE3TSJ" <Jason () TechDude Ca>]

Hello,

Windows DNS Server had an unusual option. "Perform secure lookups",  
or something akin to that. It should be enabled the default was  
disabled.


Regards,

--
Jason Muskat  | GCFA, GCUX - de VE3TSJ
____________________________
TechDude
e. Jason () TechDude Ca
m. 416 .414 .9934

http://TechDude.Ca/


On 21-Feb-07, at 12:37 PM, jlehman () mailesignal com wrote:

> > From a 3rd party scan -
>
> desc:  	 This DNS server has query recursion enabled, allowing it  
> to answer requests for DNS zones outside of your authority. This  
> configuration may allow attackers to perform a cache poisoning  
> attack on your server, corrupting then name-to-IP translation  
> tables, potentially enabling man-in-the-middle attacks.
> remed: 	Check your DNS server documentation for instructions on  
> either disabling recursion or limiting the hosts which may ask for  
> recusrive queries. For example, in BIND 8, the 'allow-recursion'  
> directive can be used for this purpose.
>
>
> > From what I have read, windows server 2003 DNS does have the  
> > ability to restrict recrsive lookups to a specific IP range, (my  
> > local network). It's either on or off, and off is not an option.  
> > Given that, what are the recommendations for a non-authoritative  
> > forwarder, Bind, tinynds etc?


---------------------------------------------------------------------------
This list is sponsored by: BigFix

If your IT fails, you're out of business - or worse.  Arm your 
enterprise with BigFix, the single converged IT security and operations 
engine. BigFix enables continuous discovery, assessment, remediation, 
and enforcement for complex and distributed IT environments in real-time 
from a single console.
Think what's next. Think BigFix. 

http://ad.doubleclick.net/clk;82309979;15562032;o?http://www.bigfix.com/ITNext/
---------------------------------------------------------------------------