
cache snooping attacks

Hi All
My astaro DNS settings are the following

1) I am allowing the internal network to use DNS
2) I am using OpenDNS to resolve and not the ISP ones
3) I have multiple static entries (in reverse)
4) I am using DynDNS

After using Nessus to test my Astaro box on the inside interface (IPS, port scan allowed), I got the following medium vulnerability

The remote DNS server responds to queries for third-party domains
that do not have the recursion bit set. 

Explanation
=================
Synopsis

The remote DNS server is vulnerable to cache snooping attacks.

Description
The remote DNS server responds to queries for third-party domains
that do not have the recursion bit set. 

This may allow a remote attacker to determine which domains have
recently been resolved via this name server, and therefore which hosts
have been recently visited. 

For instance, if an attacker was interested in whether your company
utilizes the online services of a particular financial institution,
they would be able to use this attack to build a statistical model
regarding company usage of that financial institution.  Of course, the
attack can also be used to find B2B partners, web-surfing patterns,
external mail servers, and more.

Note: If this is an internal DNS server not accessible to outside
networks, attacks would be limited to the internal network. This
may include employees, consultants and potentially users on
a guest network or WiFi connection if supported.

Solution
Use another DNS software.

See Also
For a much more detailed discussion of the potential risks of allowing
DNS cache information to be queried anonymously, please see:
www.rootsecure.net/.../dns_cache_snooping.pdf

Risk Factor
Medium

CVSS Base Score
5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

Plugin Publication Date: 2004/04/27


How can someone resolve this?


  • What fun!  You keep asking questions that no one else thinks of!  I'm guessing a bit here, but I think this proves the DNS works like it's supposed to! [;)]  I'd feel better if Alan or Jack or one of the folks that really knows the answer would chime in though.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hello WingMan,
    Since your DNS service is not exposed to unauthorized users your problems are limited to your internal users only. The idea behind DNS recursion is that:

    - In a non-recursive DNS server scenario, when a client asks for a DNS record and that record is not present in the cache, it forwards the request to its preferred DNS server. If not present in its cache, then the DNS server returns to the client the next DNS hop (forwarding DNS or root hints) in order for the client to perform subsequent iterative queries. Note that for each hop, the DNS client performs each subsequent query.

    - In a recursive DNS server scenario the DNS client makes only one request to the DNS server. The DNS server is responsible for subsequent iterative queries until the final record is resolved and stored in the DNS server's cache and then returned to the client.

    The idea behind DNS snooping is that in a potentially threatening situation, an attacker could pollute the DNS server's cache in order to alter its entries. In a case where the DNS service is for internal use only, exposure is quite limited.
  • I came across the exact same issue on my latest PCI DSS 3.2 Internal Penetration Test (they used Nessus as do I). I use my Sophos UTM 9 as a DNS resolver for the small number of internal servers in scope. This is a Medium Severity vulnerability and I may be able to ignore those and still pass the test. Servers in the CDE (CDZ I call mine) really do not need recursion since they should not be connecting to external resources; however, DMZ servers do need access to external resources (Yumrepo and Freshclam for example). A simple fix for CDZ servers would be to disallow DNS for that interface but that unfortunately breaks DNS resolution for internal servers to find other internal servers. Hindsight is 20/20 and I may have been better off (for PCI) building a couple of internal DNS servers instead of using the Sophos. I also use the Sophos for NTP and DHCP so I have a lot of eggs in that basket. I'm not sure that there is an easy fix for this and I suppose it will be up to the QSA to determine if this will be OK since there is no access to DNS from outside (already passed the External Penetration Test with 0 vulnerabilities).

  • This is a bug and should be pursued with support.  A client can request DNS lookups with or without recursion.  If the client does not have the authoritative answer, it should return a pointer about where to look next.  It should not recurse to find the answer.   Apparently UTM is doing recursion even when it is specifically told not to do so.

  • What has changed in the behavior of "allow-recursion" and "allow-query-cache" gives you the modifications you can make to /var/chroot-bind/etc/named.conf, Doug.  After that: /var/mdw/scripts/named restart

    Kip, I would not use the UTM as a primary, internal DNS server except in a very, very small office.  That said, internal DNS servers could have the same exposure.

    Cheers - Bob

    NOTE: Edited substantially an hour later than the time stamp - I didn't realize that much time had passed!

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Nothing to do with config.  A DNS server should answer the client question the way it is asked.   If the client says "do not recurse" then it should not recurse.  Seems like a basic issue of RFC and security compliance.

  • Thanks  I do consider my PCI scoped environment to be a very small office with only about 24 devices in all (sophos, 2 switches, splunk, and 2 KVM hosts with about 8 KVM guests each). Have not seen any issues with DNS, NTP, nor DHCP for this environment. Anything more and I definitely would stand up a couple of servers for DNS, 2 more for NTP, and just forget about DHCP. For PCI I am stretching the single function per server paradigm a bit though, but every additional machine is another attack surface and another machine requiring hardening.

    I have read the recommendations but really see nothing said about how small is very, very small. Makes me wonder why those services are even provided on the Sophos.

  • Guys, I just changed my post after having thought about it some more.

    Doug, how does a client ask for a response without recursion?  Or, do you mean one that's not cached?

    When you say "the recommendations," were you speaking of DNS best practice?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
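To Bob's question about how a client asks for an answer without recursion, and Doug's point that the server should honour that request: the client simply clears the RD (recursion desired) bit in the 12-byte DNS header, which is what the Nessus plugin quoted above does when it probes for cache snooping. The script below is an added example written for this thread (not Nessus, Sophos or BIND code); it builds such a query, decodes the reply flags, and reports whether an RD=0 query was answered from the resolver's cache. The resolver address on the command line is assumed to be your own UTM's internal DNS interface.

```python
import socket
import struct
import sys

# Example code written for this thread: probe our own resolver with a
# non-recursive (RD=0) query, the condition the Nessus cache-snooping
# plugin reports. Not part of Sophos UTM, Nessus or BIND.

def build_query(name: str, recursion_desired: bool, txid: int = 0x1234) -> bytes:
    """Build a DNS A/IN query; flags 0x0100 sets RD, 0x0000 leaves it clear."""
    flags = 0x0100 if recursion_desired else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)  # QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode()
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_flags(response: bytes) -> dict:
    """Decode the header fields relevant to the snooping check."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", response[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),  # this is a response
        "rd": bool(flags & 0x0100),  # RD is echoed back from the query
        "ra": bool(flags & 0x0080),  # server offers recursion to us
        "rcode": flags & 0x000F,     # 0 = NOERROR, 5 = REFUSED
        "ancount": an,
    }

def snoop_exposed(response: bytes) -> bool:
    """True when an RD=0 query got NOERROR with answer records: the name was
    served from cache (or the server is authoritative for it). A resolver that
    honours RD=0 returns a referral (ANCOUNT=0) or REFUSED for uncached names."""
    f = parse_flags(response)
    return f["qr"] and not f["rd"] and f["rcode"] == 0 and f["ancount"] > 0

def probe(server: str, name: str, timeout: float = 2.0) -> bytes:
    """Send one RD=0 query over UDP to the given resolver and return the raw reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, recursion_desired=False), (server, 53))
        return s.recv(512)

if __name__ == "__main__":
    # Assumed: argv[1] is your UTM's internal DNS address; "example.com" is a
    # third-party name an internal client may recently have resolved.
    resolver = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    reply = probe(resolver, "example.com")
    print(parse_flags(reply), "answered from cache" if snoop_exposed(reply)
          else "not answered from cache")
```

Run it twice against the same name: a resolver that answers the second RD=0 probe with records after only the first (recursive) lookup populated the cache is exhibiting exactly what the Nessus finding describes, and the exposure is limited to whichever networks can reach port 53 on that interface.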
  • Hey Bob. I was really talking about https://community.sophos.com/kb/en-us/120283 but that really applied to using UTM DNS in conjunction with AD DNS. I do manage one environment where we do have AD servers but I am really talking more about using UTM DNS as the only DNS server.

    I don't remember which specific article or post that I read that suggested that the UTM DNS server should not be used as the only one. I know the first priority for UTM is firewall and routing but I have been running it as my sole DNS server in my PCI scope for a couple of years now and never had any issues with the service. This was done mainly as a convenience for adding new machines to the environment when first set up. Since, by default, new Linux virtual machines come up with DHCP it was really easy to just go in afterwards and make them static, thus reserving their IPs, and making them resolvable to the other machines. I don't want to debate using DHCP in a PCI environment as that is really not a best practice either but I have other controls (Nessus and Splunk) that ensure nothing else sneaks in.

    I can't speak to what kind of DNS request was issued by my internal Pen Testers, though. They used Nessus but I don't know which scan policy they used. I did expect DNS to be recursive, though, so no surprise there.

  • Sorry for opening an old thread. Was this issue ever addressed? 
