Guest User!

You are not Sophos Staff.

Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 13 replies
  • Answers 1 answer
  • Subscribers 5 subscribers
  • Views 20627 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

cache snooping attacks

wingman
Hi All
My astaro DNS settings are the following

1)I am allowing internal network to use DNS
2)I am using openDNS to resolve and not the ISP ones
3)I have multiple static entries (in reverse) 
4)I am using dyndns

After using nessus to test my astaro box on the inside interface (IPS,port scan allowed), I got the following medium vunerability

The remote DNS server responds to queries for third-party domains
that do not have the recursion bit set. 

Explanation
================= 
Synopsis

The remote DNS server is vulnerable to cache snooping attacks.



Description

The remote DNS server responds to queries for third-party domains

that do not have the recursion bit set. 



This may allow a remote attacker to determine which domains have

recently been resolved via this name server, and therefore which hosts

have been recently visited. 



For instance, if an attacker was interested in whether your company

utilizes the online services of a particular financial institution,

they would be able to use this attack to build a statistical model

regarding company usage of that financial institution.  Of course, the

attack can also be used to find B2B partners, web-surfing patterns,

external mail servers, and more.



Note: If this is an internal DNS server not accessable to outside

networks, attacks would be limited to the internal network. This

may include employees, consultants and potentially users on

a guest network or WiFi connection if supported.



Solution

Use another DNS software.



See Also

For a much more detailed discussion of the potential risks of allowing

DNS cache information to be queried anonymously, please see:

www.rootsecure.net/.../dns_cache_snooping.pdf



Risk Factor

Medium



CVSS Base Score

 5.0 (CVSS2#AV:N/AC:L/Au:N/C[:P]/I:N/A:N)



Plugin Publication Date: 2004/04/27


How can someone resolve this?


This thread was automatically locked due to age.
Parents
  • 0

    This is a bug and should be pursued with support.  A client can request Dns lookuos with or without recursion.  If yhe client does not have the authoritative answer, it should return s pointer about where to look next.  It should not recurse to find the answer.   Spparently UTM is doing recursion even when it is soecifically told not to do so.

Reply
  • 0

    This is a bug and should be pursued with support.  A client can request Dns lookuos with or without recursion.  If yhe client does not have the authoritative answer, it should return s pointer about where to look next.  It should not recurse to find the answer.   Spparently UTM is doing recursion even when it is soecifically told not to do so.

Children
  • 0 in reply to DouglasFoster

    What has changed in the behavior of "allow-recursion" and "allow-query-cache" gives you the modifications you can make to /var/chroot-bind/etc/named.conf, Doug.  After that: /var/mdw/scripts/named restart

    Kip, I would not use the UTM as a primary, internal DNS server except in a very, very small office.  That said, internal DNS servers could have the same exposure.

    Cheers - Bob

    NOTE: Edited substantially an hour later than the time stamp - I didn't realize that much time had passed!

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    Nothing to do with config.  A dns server should answer the client question the way it is asked.   If the client says "do not recurse" then it should not recurse.  Seems like a basic issue of RFC and securtity compliance.

  • 0 in reply to BAlfson

    Thanks  I do consider my PCI scoped environment to be a very small office with only about 24 devices in all (sophos, 2 switches, splunk, and 2 KVM hosts with about 8 KVM guests each). Have not seen any issues with DNS, NTP, nor DHCP for this environment. Anything more and I definitely would stand up a couple of servers for DNS, 2 more for NTP, and just forget about DHCP. For PCI I am stretching the single function per server paradigm a bit though, but every additional machine is another attack surface and another machine requiring hardening.

    I have read the recommendations but really see nothing said about how small is very, very small. Makes me wonder why those services are even provided on the Sophos.

  • 0 in reply to Kipland Iles

    Guys, I just changed my post after having thought about it some more.

    Doug, how does a client ask for a response without recursion?  Or, do you mean one that's not cached?

    When you say "the recommendations," were you speaking of DNS best practice?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    Hey Bob. I was really talking about https://community.sophos.com/kb/en-us/120283 but that really applied to using UTM DNS in conjunction with AD DNS. I do manage one environment where we do have AD servers but I am really talking more about using UTM DNS as the only DNS server.

    I don't remember which specific article or post that I read that suggested that the UTM DNS server should not be used as the only one. I know the first priority for UTM is firewall and routing but I have been running it as my sole DNS server in my PCI scope for a couple of years now and never had any issues with the service. This was done mainly as a convenience for adding new machines to the environment when first setup. Since, by default, new linux virtual machines come up with DHCP it was really easy to just go in afterwards and make them static, thus reserving their IPs, and making them resolvable to the other machines. I don't want to debate using DHCP in a PCI environment as that is really not a best practice either but I have other controls (Nessus and Splunk) that insure nothing else sneaks in.

    I cant speak to what kind of DNS request was issued by my internal Pen Testers, though. They used Nessus but I don't know which scan policy they used. I did expect DNS to be recursive, though, so no surprise there.

Share Feedback
×

Submitted a Tech Support Case lately from the Support Portal?