Win2K DNS

From: Michael van Zwieten (MvanZwieten@flcities.com)
Date: 07/26/01


Message-ID: <E980BE8C8980D111AA7200A0C99843A70154C837@PHOENIX>
From: Michael van Zwieten <MvanZwieten@flcities.com>
To: "'focus-ms@securityfocus.com '" <focus-ms@securityfocus.com>
Subject: Win2K DNS
Date: Wed, 25 Jul 2001 21:25:50 -0400

Hi everyone,

This one has me stumped... I've got 2 external 'public' primary & secondary
DNS servers running on Win2K SP2, using MS DNS Server... They are not in a
domain, nor are they using AD. They're completely stand-alone... I've used
the tool on www.vulnerabilities.org to run a scan on my servers to ensure
everything looked good, but this scan keeps coming back with this "serious
warning"... (see issue below). I checked the option to 'Secure cache
against pollution' (possibly meaning cache poisoning?) If I check the
'disallow recursion' option, the DNS servers won't even resolve any
longer... Does anyone know if this is a serious enough issue, and what
would I need to do to resolve this?

Thanks!
Mike

-----------------------------------
Warning found on port domain (53/tcp)

The remote name server allows recursive queries to be performed
by the host running nessusd.

If this is your internal nameserver, then forget this warning.

If you are probing a remote nameserver, then it allows anyone
to use it to resolve third parties names (such as www.nessus.org).
This allows hackers to do cache poisoning attacks against this
nameserver.

Solution : Restrict recursive queries to the hosts that should
use this nameserver (such as those of the LAN connected to it).
If you are using bind 8, you can do this by using the instruction
'allow-recursion' in the 'options' section of your named.conf

If you are using another name server, consult its documentation.

Risk factor : Serious
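The warning above is what a scanner sees when it sends a query with the RD (recursion desired) bit set for a name the server is not authoritative for and gets an answer back. The following script is an added example, not part of the post and not Nessus code: it builds such a query from raw bytes, classifies the reply, and includes two constructed sample replies (one from an open resolver, one from a server that refuses recursion) so it runs offline. The name www.nessus.org is taken from the warning text; the address 192.0.2.1 in the sample answer is a documentation address, not a real record; `probe()` is a helper for running the same check against a server you administer.

```python
"""Check whether a DNS server answers recursive queries for foreign names.
Added example for this thread; not code from the post, from Nessus or from
Microsoft DNS. Standard library only, raw UDP, no third-party resolver."""
import socket
import struct

QTYPE_A, QCLASS_IN = 1, 1
RCODE_NOERROR, RCODE_REFUSED = 0, 5


def encode_name(qname: str) -> bytes:
    """Encode a dotted hostname as length-prefixed labels ending in a zero byte."""
    labels = [lab for lab in qname.rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def build_query(qname: str, qid: int = 0x1234) -> bytes:
    """Build a minimal A query with RD=1, i.e. 'please recurse for me'."""
    flags = 0x0100  # RD set, all other header flags clear
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def parse_header(resp: bytes) -> dict:
    """Extract the header fields this check cares about."""
    if len(resp) < 12:
        raise ValueError("response shorter than the 12-byte DNS header")
    qid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", resp[:12])
    return {
        "id": qid,
        "qr": bool(flags & 0x8000),  # 1 = this is a response, not a query
        "ra": bool(flags & 0x0080),  # server advertises 'recursion available'
        "rcode": flags & 0x000F,
        "ancount": ancount,
    }


def classify(query: bytes, resp: bytes) -> str:
    """Interpret a reply to a recursive query for a name the server does not host."""
    qid = struct.unpack("!H", query[:2])[0]
    h = parse_header(resp)
    if h["id"] != qid or not h["qr"]:
        return "invalid"  # not a reply to our query
    if h["rcode"] == RCODE_REFUSED:
        return "refused"  # recursion denied: the expected result for an authoritative-only server
    if h["rcode"] == RCODE_NOERROR and h["ancount"] > 0:
        return "open-recursion"  # it resolved a third-party name for us
    if not h["ra"]:
        return "recursion-unavailable"
    return "no-answer"  # RA set but nothing resolved (NXDOMAIN, SERVFAIL, ...)


def probe(server_ip: str, qname: str = "www.nessus.org", timeout: float = 3.0) -> str:
    """Send the query over UDP/53 to a server you administer and classify the reply."""
    query = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server_ip, 53))
        resp, _ = sock.recvfrom(512)
    return classify(query, resp)


def sample_open_response(query: bytes) -> bytes:
    """Constructed reply: QR=1 RD=1 RA=1 NOERROR, one A record pointing at 192.0.2.1."""
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)
    question = query[12:]  # echo the question section back
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 300, 4) + bytes([192, 0, 2, 1])
    return header + question + answer


def sample_refused_response(query: bytes) -> bytes:
    """Constructed reply: QR=1 RD=1 RA=0 REFUSED, no answer records."""
    return query[:2] + struct.pack("!HHHHH", 0x8105, 1, 0, 0, 0) + query[12:]


if __name__ == "__main__":
    q = build_query("www.nessus.org")
    print("open resolver reply    ->", classify(q, sample_open_response(q)))
    print("restricted server reply ->", classify(q, sample_refused_response(q)))
```

Run `probe("<your server IP>")` from a host outside the networks that are meant to use the server: "open-recursion" reproduces the scanner's finding, "refused" is the state you want for a public authoritative-only server. The fix the Nessus text describes is per-client restriction (BIND's `allow-recursion`); the poster's observation that ticking 'disable recursion' stops resolution altogether is consistent with that option being a server-wide switch rather than a per-client one.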


