PCI scan detected TCP port 5432 (opened) on our Sophos Q9 fwall's ip

Threat:

The DNS server was found to allow DNS cache snooping. This means, any attacker could remotely check if a given domain name is cached on the DNS server.

This issue occurs when a target DNS server allows an untrusted client to make non-recursive DNS queries for domains that the target DNS server is not authoritative on. If the target DNS server consults its cache and replies with a valid answer (the IP address or "does not exist" NXDOMAIN reply), it is vulnerable to this attack. This tells the attacker that someone from the target network recently resolved that particular domain name.

QID Detection Logic (unauthenticated):
We make a DNS A query for testdeadenddummy.qualys.com from the target DNS server. The Recursive Query flag is set in this query. This means that the target DNS server will recursively search for the address of testdeadenddummy.qualys.com domain name and reply with an IP address to our scanner. If we do not get a reply we quit without posting a vuln.
- Next, we make the same DNS "A" query for the same domain-name name testdeadenddummy.qualys.com. However, this time we leave the "Recursive Query" flag unset. This means, we are requesting the target DNS server to check its cache or pre-defined DNS zone information for the IP address of the testdeadenddummy.qualys.com domain name. (If no information is present there, it should not find this information recursively from other DNS servers, and should simply reply with a non-found message). Since no other DNS server will have a zone for qualys.com, if we do get a reply, it has to be from the cache. If we do not get a response, we quit.
- If we do get a valid IP address in the reply, it means the DNS server consulted its cache and replied with the IP address of a site it recently cached. So an attacker can see what sites are cached in the DNS server by making non-recursive "A" requests for them.

Impact:

DNS caches are short lived and are generated by a recent DNS name-resolution event. By repeatedly monitoring DNS cache entries over a period of time, an attacker could gain a variety of information about the target network. For example, one could analyze Web-browsing habits of the users of a network. By querying for DNS MX record caches, one could check for email communication between two companies.

Information gathered from the DNS cache could lead to a variety of consequences ranging from an invasion of privacy to corporate espionage. The above mentioned paper presents a couple of attack scenarios where this vulnerability can be used.

Solution:

Here is a suggested solution for the Microsoft Windows DNS server. One rigorous solution involves what is known popularly as a "split DNS" configuration.

• The idea is to have two separate DNS servers, one for the DMZ/perimeter of the network that faces the public Internet, while the other is internal and not publically accessible.
• The external one has zone information about only the hosts in the DMZ region which need to be accessed from the Internet. It has no information about the internal hosts with non-routable addresses.
• The internal one has all the authoritative information about the internal hosts, and also static entries for the services in the DMZ region (so internal users can access those if required).
• Typically, the internal DNS server will be Active Directory integrated, with (secure) dynamic updates enabled.
• The external DNS server will typically be a standalone (not integrated with the Active Directory) server without any dynamic DNS updates enabled.
• To prevent the unrelated DNS cache-poisoning vulnerability, also configure the registry as explained in Microsoft Knowledge Base Article 241352 on both the DNS servers.
• Both the DNS servers can be named with identical domain names, such as example.com without any conflicts.
• The external DNS server should be set as a "forwarder" in the DNS settings of the internal DNS server. This means, for any DNS query (A/PTR) that the internal DNS server receives, that it is not able to resolve, it forwards it to the external DNS server for resolution.
• Through the "DNS" MMC snap-in, Recursion should be enabled on the external DNS server, and disabled in the internal one. This prevents the internal DNS server from attempting to resolve DNS queries if the external one fails to do so.
• To reinforce the last configuration, the internal DNS server should be set as a "slave" DNS server through the "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters" key's "IsSlave" value set to 1.
• Finally, to prevent cache snooping on the external DNS server, create a "MaxCacheTtl" DWORD entry with value set to 1 under the "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters" key of the external DNS server. This makes the TTL of any cached DNS entry on the external DNS server equal to 1 second, effectively disabling caching on it. Since for any query originating from the internal network, both the DNS servers cache the responses, performance is not affected at all even by disabling the external cache - repeated future DNS queries will be picked up by the internal DNS server and replied to from its cache.

This separates the external DNS proxy from the internal DNS cache, and prevents any DNS cache snooping from the public Internet.

For BIND and the understanding of the issue this URL will be helpful. http://www.rootsecure.net/content/downloads/pdf/dns_cache_snooping.pdf

Result:

Server's cache timeout for IPv4 addresses is more than 3 sec.
Server's cache timeout for IPv6 addresses is more than 3 sec.