cache snooping attacks

Hi All
My astaro DNS settings are the following

1)I am allowing internal network to use DNS
2)I am using openDNS to resolve and not the ISP ones
3)I have multiple static entries (in reverse) 
4)I am using dyndns

After using nessus to test my astaro box on the inside interface (IPS,port scan allowed), I got the following medium vulnerability

The remote DNS server responds to queries for third-party domains
that do not have the recursion bit set. 

Explanation
=================
Synopsis

The remote DNS server is vulnerable to cache snooping attacks.

Description
The remote DNS server responds to queries for third-party domains
that do not have the recursion bit set. 

This may allow a remote attacker to determine which domains have
recently been resolved via this name server, and therefore which hosts
have been recently visited. 

For instance, if an attacker was interested in whether your company
utilizes the online services of a particular financial institution,
they would be able to use this attack to build a statistical model
regarding company usage of that financial institution.  Of course, the
attack can also be used to find B2B partners, web-surfing patterns,
external mail servers, and more.

Note: If this is an internal DNS server not accessible to outside
networks, attacks would be limited to the internal network. This
may include employees, consultants and potentially users on
a guest network or WiFi connection if supported.

Solution
Use another DNS software.

See Also
For a much more detailed discussion of the potential risks of allowing
DNS cache information to be queried anonymously, please see:
www.rootsecure.net/.../dns_cache_snooping.pdf

Risk Factor
Medium

CVSS Base Score
 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

Plugin Publication Date: 2004/04/27


How can someone resolve this?
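The Nessus check quoted above is just a query with the Recursion Desired bit cleared (the same thing `dig +norecurse` sends): a resolver that still returns answer records must have served them from its cache. The script below is an added example, not code from the original post or from Sophos, for confirming the behaviour of a resolver you administer after changing its settings; the sample replies at the bottom are constructed, not captured from a real server.

```python
import socket
import struct

TXID = 0x1234  # fixed transaction id for the examples below


def build_nonrecursive_query(name: str, txid: int = TXID) -> bytes:
    """DNS A query with flags 0x0000, i.e. RD=0. A resolver that answers
    it cannot have recursed on our behalf, so any answer came from cache."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def classify_response(resp: bytes, txid: int = TXID) -> str:
    """Interpret the reply to an RD=0 query.
    'cached'  : answer records present -> name was in cache (snoopable)
    'refused' : non-zero RCODE (e.g. REFUSED) -> nothing leaked
    'empty'   : NOERROR with no answers -> not cached or RD=0 honoured"""
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:  # RCODE is the low 4 bits of the flags word
        return "refused"
    return "cached" if ancount > 0 else "empty"


def probe(server: str, name: str = "example.com", timeout: float = 2.0) -> str:
    """Send the RD=0 probe to a resolver you are responsible for."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_nonrecursive_query(name), (server, 53))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return "no-response"
    return classify_response(data)


# Constructed sample replies (flags 0x8080 = QR+RA, RD echoed as 0).
QUESTION = b"\x07example\x03com\x00\x00\x01\x00\x01"
SAMPLE_CACHED = (struct.pack("!HHHHHH", TXID, 0x8080, 1, 1, 0, 0) + QUESTION
                 + b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\x5d\xb8\xd8\x22")
SAMPLE_REFUSED = struct.pack("!HHHHHH", TXID, 0x8085, 1, 0, 0, 0) + QUESTION  # RCODE 5

if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1], *sys.argv[2:3]))
```

A resolver that is only meant to serve its own clients should report "refused" or "empty" for names it has not been asked about by an authorised client; "cached" on a third-party name is what triggers the Nessus finding.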

  • Hello WingMan,
    Since your DNS service is not exposed to unauthorized users your problems are limited to your internal users only. The idea behind DNS recursion is that:

    - In a non-recursive DNS server scenario, when a client asks for a DNS record and that record is not present in the cache, it forwards the request to its preferred DNS server. If not present in its cache then the DNS server returns back to the client the next DNS hop (forwarding DNS or root hints) in order for the client to perform subsequent iterative queries. Note that for each hop, the DNS client performs each subsequent query.

    - In a recursive DNS server scenario the DNS client makes only one request to the DNS server. The DNS server is responsible for subsequent iterative queries until the final record is resolved and stored in the DNS server's cache and then returned back to the client.

    The idea behind DNS snooping is that in a potential threatening situation, an attacker could pollute the DNS server's cache in order to alter its entries. In a case where the DNS service is for internal use only, exposure is quite limited.
  • I came across the exact same issue on my latest PCI DSS 3.2 Internal Penetration Test (they used Nessus as do I). I use my Sophos UTM 9 as a DNS resolver for the small number of internal servers in scope. This is a Medium Severity vulnerability and I may be able to ignore those and still pass the test. Servers in the CDE (CDZ I call mine) really do not need recursion since they should not be connecting to external resources; however, DMZ servers do need access to external resources (Yumrepo and Freshclam for example). A simple fix for CDZ servers would be to disallow DNS for that interface but that unfortunately breaks DNS resolution for internal servers to find other internal servers. Hindsight is 20/20 and I may have been better off (for PCI) building a couple of internal DNS servers instead of using the Sophos. I also use the Sophos for NTP and DHCP so I have a lot of eggs in that basket. I'm not sure that there is an easy fix for this and I suppose it will be up to the QSA to determine if this will be OK since there is no access to DNS from outside (already passed the External Penetration Test with 0 vulnerabilities).
