Re: Win2K DNS
From: Rajeev Kumar (rajeev@rajeevnet.com)
Date: 07/26/01
Message-ID: <3B60594D.F5AA657@rajeevnet.com>
Date: Thu, 26 Jul 2001 13:54:21 -0400
From: Rajeev Kumar <rajeev@rajeevnet.com>
To: Michael van Zwieten <MvanZwieten@flcities.com>
Subject: Re: Win2K DNS
The way DNS works is like this:
-> You send a query to your DNS server. If the DNS server knows the answer (i.e. it is serving those domains) the DNS server can answer it.
-> If the DNS server doesn't know the answer and is set for recursive query, it can forward your request to the next DNS server (defined as the forwarding host), and the next DNS server will try to answer or forward (recursive) the query to the next forwarder and so on.
-> When your DNS server finally gets the answer it will cache the entry (I guess for the whole domain). I.e. suppose you try to resolve www.microsoft.com; when resolved, your DNS server will cache all host entries for the microsoft.com DNS domain, so that next time you ask for someotherhost.microsoft.com it won't do the whole process again but rather answer from the local cache (this is the NON-AUTHORITATIVE answer you see from an nslookup query).
-> In this recursion process all intermittent DNS forwarders also cache DNS maps for microsoft.com (up to the TTL value defined in the DNS maps, usually 1 day).
This all helps DNS load balancing across the internet.
So far so good...
Let's see your case now:
-> You need to allow recursion, of course, so that you can resolve names other than your site. But you need to allow recursion only for queries received from trusted hosts, i.e. from your trusted networks (meaning your site and other offsite offices you trust).
-> You need to allow queries from anybody who is trying to resolve your domain's hosts. So whatever domain you serve to the world should be open for query to the whole world.
What you don't allow is query (or recursion) from untrusted hosts to resolve any hosts other than your DNS domains. For example, suppose you serve DNS for mydomain.com; then:
Any trusted host "trusted.mydomain.com" should be allowed to do query or recursion to resolve any other hostname on the internet.
Any untrusted host "untrusted.OTHERdomain.com" should be allowed to do query/recursion *ONLY* to resolve mydomain.com hosts.
Any untrusted host "untrusted.OTHERdomain.com" should *NOT* be allowed to resolve (query/recursion) third party hosts (ex: www.microsoft.com, www.cnn.com) using your DNS server.
This last point is important because if you do not have that setup, anybody can point to your DNS server and resolve hosts, thus your DNS server will be doing CHARITY work for them.
Worse is that people may poison your DNS server cache. I am not going into much detail here. But if you follow the above, in every recursion you actually cache DNS maps whenever you do a query on behalf of another DNS server (client), thus a remote DNS server with wrong entries can force your server to cache whatever they please.
I don't use MS DNS server but you should be considering denying queries from any unknown hosts if they are trying to resolve hostnames other than your DNS domain hosts.
I hope this helps.
Those using BIND can actually create an acl list file, include that in your /etc/named.conf and then add lines like below to allow queries only from trusted hosts (networks) defined in the acls.
=============================================================================================
// Read in ACLs; this file contains the networks and defines the acl named 'trusted'
// (see the DNS docs). Replace <PATHNAME> with the directory holding the file.
include "<PATHNAME>/acls.db";

// This is the global options section: by default only the 'trusted' acl may query
// (and therefore recurse through) this server.
options {
	allow-query {
		trusted;
	};
};

// Suppose you maintain mydomain.com
zone "mydomain.com" {
	type master;
	file "mydomain.db";
	// Here allow queries from anybody, only for the domain mydomain.com
	// (the zone-level setting overrides the global one for this zone).
	allow-query {
		any;
	};
};
Can somebody translate this in MS DNS terms also if possible.
Rajeev
Michael van Zwieten wrote:
>
> Hi everyone,
>
> This one has me stumped... I've got 2 external 'public' primary & secondary
> DNS servers running on Win2K SP2, using MS DNS Server... They are not in a
> domain, nor are they using AD. They're completely stand-alone... I've used
> the tool on www.vulnerabilities.org to run a scan on my servers to ensure
> everything looked good, but this scan keeps coming back with this "serious
> warning"... (see issue below). I checked the option to 'Secure cache
> against pollution' (possibly meaning cache poisoning?) If I check the
> 'disallow recursion' option, the DNS servers won't even resolve any
> longer... Does anyone know if this is a serious enough issue, and what
> would I need to do to resolve this?
>
> Thanks!
> Mike
>
> -----------------------------------
> Warning found on port domain (53/tcp)
>
> The remote name server allows recursive queries to be performed
> by the host running nessusd.
>
> If this is your internal nameserver, then forget this warning.
>
> If you are probing a remote nameserver, then it allows anyone
> to use it to resolve third parties names (such as www.nessus.org).
> This allows hackers to do cache poisoning attacks against this
> nameserver.
>
> Solution : Restrict recursive queries to the hosts that should
> use this nameserver (such as those of the LAN connected to it).
> If you are using bind 8, you can do this by using the instruction
> 'allow-recursion' in the 'options' section of your named.conf
>
> If you are using another name server, consult its documentation.
>
> Risk factor : Serious
--
********************************************************************
Rajeev Kumar (rajeev@rajeevnet.com)
http://www.rajeevnet.com
********************************************************************
-- PGP PUBLIC KEY --
http://www.rajeevnet.com/crypto/mypubkey
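The recursion check the thread is about, as an added example that is not part of either message: a minimal DNS client (Python, standard library only) that sends an A query with the RD (recursion desired) flag set for a name the server is not authoritative for, then reads the reply header to see whether the server set RA (recursion available) and answered, refused the query, or simply did not recurse. The name www.example.com and the three constructed reply headers are assumptions for illustration; the `probe` function is the part you would point at your own resolver from an untrusted network.

```python
import socket
import struct

QR, RD, RA = 0x8000, 0x0100, 0x0080   # DNS header flag bits (RFC 1035)
RCODE_REFUSED = 5


def build_query(name, txid=0x1234):
    """Build a standard A/IN query for `name` with RD set (a recursive request)."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)   # 1 question, RD=1
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)         # QTYPE=A, QCLASS=IN


def parse_header(response):
    """Return the fields of a 12-byte DNS reply header as a dict."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", response[:12])
    return {"txid": txid, "is_reply": bool(flags & QR), "ra": bool(flags & RA),
            "rcode": flags & 0x000F, "answers": an, "authority": ns}


def classify(response, txid=0x1234):
    """Interpret a reply to a recursive query for a name outside the server's zones."""
    h = parse_header(response)
    if h["txid"] != txid or not h["is_reply"]:
        return "ignored (wrong transaction id or not a reply)"
    if h["rcode"] == RCODE_REFUSED:
        return "refused"                     # ACL (e.g. allow-query/allow-recursion) blocked us
    if h["ra"] and h["answers"] > 0:
        return "recursion served (open resolver)"   # the server resolved a third-party name for us
    return "recursion not available"         # RA clear and no answer: server did not recurse


def probe(server, name="www.example.com", timeout=3.0):
    """Send the query over UDP/53 and classify the reply (or report a timeout)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name), (server, 53))
        data, _ = sock.recvfrom(512)
    except socket.timeout:
        return "no reply"
    finally:
        sock.close()
    return classify(data)


# Constructed reply headers (only the 12-byte header matters to classify()).
SAMPLE_OPEN = struct.pack("!HHHHHH", 0x1234, QR | RD | RA, 1, 1, 0, 0)        # RA=1, one answer
SAMPLE_REFUSED = struct.pack("!HHHHHH", 0x1234, QR | RD | RCODE_REFUSED, 1, 0, 0, 0)
SAMPLE_NO_RA = struct.pack("!HHHHHH", 0x1234, QR | RD, 1, 0, 2, 0)           # RA=0, referral only
```

Run `probe("<your-server-ip>")` from a host outside your trusted networks; the expected result after restricting recursion is "refused" or "recursion not available", while "recursion served (open resolver)" is the condition the scanner in the quoted message warns about.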