Thread: Security Risk?

  1. #1
    Join Date
    Oct 2006
    Posts
    39

    Security Risk?

    I'm having a couple of security warnings pop up when I run my new server through Alert Site. I was wondering what you guys had to say about it?

    #1

    The remote name server allows DNS zone transfers to be performed.
    A zone transfer will allow the remote attacker to instantly populate
    a list of potential targets. In addition, companies often use a naming
    convention which can give hints as to a server's primary application
    (for instance, proxy.company.com, payroll.company.com, b2b.company.com, etc.).

    As such, this information is of great use to an attacker who may use it
    to gain information about the topology of your network and spot new
    targets.

    Solution: Restrict DNS zone transfers to only the servers that absolutely
    need it.

    Risk factor: Medium

    CVE: CVE-1999-0532


    #2
    The remote name server allows recursive queries to be performed
    by the host running nessusd.



    On #1 my host said I may not want to have them alter it because it can cause some people not to be able to access my server. On #2 they said it is nothing to worry about. What's your guys' take on this? Should I just leave it be or do I need to do something to secure these two security alerts?

  2. #2
    Join Date
    Sep 2002
    Location
    Nashville, TN
    Posts
    237
    #1 would scare me. #2 isn't a big deal.

    #1 means that anyone can request a zone transfer. What this basically does is ask the DNS server to give you the entire contents of your zone file. Normally, you have to query for specific records and the exact records are returned. This shouldn't be an issue as long as you keep in mind that anything you put in any of your zone files will always be fully available to the public.

    #2 just means that you can query the DNS server for zones which it is not authoritative for. Chances are pretty good your server doesn't host google.com, but by allowing recursive lookups it will give you an answer for google.com if you ask it. Still, not a big deal, I just know I have made it a policy for us to disable both.

    Thanks,

    Chris Miller
    ServerMotion

  3. #3
    Join Date
    Jul 2006
    Posts
    52
    I agree with Chris. It's pretty much the same routine to deal with #1 and #2. You might as well deal with both of them.

    If you run a Linux box you want to look into your named.conf at...

    // IP addresses of my other name servers (the only hosts allowed to pull a zone)
    acl can_axfr {
    ipaddress;
    ipaddress;
    };

    // IP address ranges for my networks (the only clients allowed recursive lookups)
    acl can_recurse {
    127.0.0.1/32;
    ipaddress/24;
    myothernetwork/24;
    };

    options {
    allow-transfer { can_axfr; };
    allow-recursion { can_recurse; };
    };


    Under Windows you want to go to your DNS settings, check your properties on a domain and then restrict who can run "Zone Transfers". Under Windows you can disable recursion in the properties of the entire DNS server if you don't need it yourself for recursive queries.

    Graeme
    Secure your server with http://www.serverangel.com/

  4. #4
    Join Date
    Mar 2006
    Location
    New York USA
    Posts
    402
    Quote Originally Posted by rat0042
    I agree with Chris. It's pretty much the same routine to deal with #1 and #2. You might as well deal with both of them.

    If you run a Linux box you want to look into your named.conf at...

    // IP addresses of my other name servers (the only hosts allowed to pull a zone)
    acl can_axfr {
    ipaddress;
    ipaddress;
    };

    // IP address ranges for my networks (the only clients allowed recursive lookups)
    acl can_recurse {
    127.0.0.1/32;
    ipaddress/24;
    myothernetwork/24;
    };

    options {
    allow-transfer { can_axfr; };
    allow-recursion { can_recurse; };
    };


    Under Windows you want to go to your DNS settings, check your properties on a domain and then restrict who can run "Zone Transfers". Under Windows you can disable recursion in the properties of the entire DNS server if you don't need it yourself for recursive queries.

    Graeme
    Yeah, this is a very common issue in cPanel based servers. The failure to secure zone transfers can aid an attacker to populate and map the network. Bad news. Also this can allow the attacker to poison the DNS cache.

  5. #5
    Join Date
    Jun 2003
    Location
    UK
    Posts
    6,601
    They seem to leave it like this by default for their clustering setup, which makes little to no sense to me. If you want to test it, open a shell prompt and run

    dig @ns1.domain.com domain.com axfr

    and see what it gives back
    Russ Foster - Industry Curmudgeon

  6. #6
    Join Date
    Mar 2006
    Location
    New York USA
    Posts
    402
    You can also do it in Windows by opening a command prompt, and do the following

    nslookup

    server targetserver.tld

    set type=any

    ls -d targetserver.tld
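    The same two checks that the dig and nslookup commands above perform, as an added example in Python (not code from any poster in this thread), meant to be run only against a nameserver you administer. The probe name `www.example.com` and the sample responses in the comments are stand-ins; the script uses only the standard library and builds the DNS packets by hand so you can see which header bits the scanner is looking at.

```python
# Added example, not from any poster: audit a nameserver you run for open AXFR and open recursion.
import socket
import struct

QTYPE_A, QTYPE_AXFR = 1, 252   # QTYPE values from RFC 1035

def build_query(name, qtype, rd, qid=0x1234):
    """Build a raw DNS query; rd=True sets the Recursion Desired (RD) header flag."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack(">HHHHHH", qid, flags, 1, 0, 0, 0)  # QDCOUNT=1
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)  # QCLASS IN

def parse_header(resp):
    """Pull the RA flag, RCODE and ANCOUNT out of the 12-byte DNS response header."""
    _qid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", resp[:12])
    return {"ra": bool(flags & 0x0080), "rcode": flags & 0x000F, "ancount": an}

def recursion_open(resp):
    """Open recursor: RA set and an answer for a name the server is not authoritative
    for. A locked-down server replies REFUSED (RCODE 5) with RA clear."""
    h = parse_header(resp)
    return h["ra"] and h["rcode"] == 0 and h["ancount"] > 0

def axfr_open(resp):
    """Open transfer: the first AXFR reply carries records; a restricted one is REFUSED."""
    h = parse_header(resp)
    return h["rcode"] == 0 and h["ancount"] > 0

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection early")
        buf += chunk
    return buf

def audit(server, zone, probe="www.example.com", timeout=3.0):
    """Run both checks against a server you administer; zone is one it hosts."""
    findings = {}
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:  # recursion probe: UDP
        s.settimeout(timeout)
        s.sendto(build_query(probe, QTYPE_A, rd=True), (server, 53))
        findings["recursion_open"] = recursion_open(s.recv(4096))
    q = build_query(zone, QTYPE_AXFR, rd=False)  # AXFR runs over TCP, 2-byte length prefix
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack(">H", len(q)) + q)
        (length,) = struct.unpack(">H", _recv_exact(s, 2))
        findings["axfr_open"] = axfr_open(_recv_exact(s, length))
    return findings
```

After applying the allow-transfer and allow-recursion ACLs from the named.conf snippet above, `audit("ns1.yourdomain.com", "yourdomain.com")` should return both findings as False.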

  7. #7
    Join Date
    May 2002
    Location
    Kingston, Ontario
    Posts
    1,573
    Yeah, close your open DNS servers; that also stops recursive lookups.
    Upload Guardian 2 - Malicious Upload Scanner - Windows and Linux!
    Instantly scan uploaded files
    Get notified when released

  8. #8
    Join Date
    Oct 2006
    Posts
    39
    Quote Originally Posted by rat0042
    I agree with Chris. It's pretty much the same routine to deal with #1 and #2. You might as well deal with both of them.

    If you run a Linux box you want to look into your named.conf at...

    // IP addresses of my other name servers (the only hosts allowed to pull a zone)
    acl can_axfr {
    ipaddress;
    ipaddress;
    };

    // IP address ranges for my networks (the only clients allowed recursive lookups)
    acl can_recurse {
    127.0.0.1/32;
    ipaddress/24;
    myothernetwork/24;
    };

    options {
    allow-transfer { can_axfr; };
    allow-recursion { can_recurse; };
    };


    Under Windows you want to go to your DNS settings, check your properties on a domain and then restrict who can run "Zone Transfers". Under Windows you can disable recursion in the properties of the entire DNS server if you don't need it yourself for recursive queries.

    Graeme
    That's a little above my head, I'm pretty new to Linux, but I've got managed hosting on a Linux box running WHM/cPanel.

    What should I tell my host so they know how to properly set it for me and don't just tell me that it may make my site unable to be found by some people? Thanks in advance!

  9. #9
    Join Date
    Mar 2006
    Location
    New York USA
    Posts
    402
    There is a patch for it in BIND9 from what I gather.

  10. #10
    Join Date
    Jul 2006
    Posts
    52
    Sorry, was away for the weekend.

    A DNS server answers lots of types of requests. There are 2 that you are trying to restrict.

    1. The transfer request being open means anyone on the internet can ask your name server for a complete listing of your DNS, so they will know every detail about your DNS, if you have development servers, subdomains, etc. So the "allow-transfer" option is so that you specify who is allowed to run a transfer. And you don't want anyone, other than your other nameservers, to be able to do that.

    2. The other issue you have is that anyone in the world can use your server to lookup any name. So people on the internet in Tibet can use your server to lookup the IP address of google, yahoo or their favorite porn site. So the allow-recursion is there so that you restrict people looking up websites other than yours. That doesn't affect people looking up website domains that your nameserver is in charge of. So even if you restrict the allow-recursion to only your home machine, the rest of the world will still be able to look up www.<yourdomain>.com on that nameserver.

    So contact your hosting company and ask them to please restrict recursion and transfers from your DNS.

    If they don't know or understand what you mean, find another host quickly.
    Secure your server with http://www.serverangel.com/

  11. #11
    Join Date
    Jul 2006
    Location
    Sterling, VA
    Posts
    19
    Yes, Rat0042 is right. The recursive DNS can and SHOULD be disabled for optimal performance for your own domains to resolve. If you leave these open to hackers, you are susceptible to having your machine be used in a DNS amplification attack and be answering to the FBI as well. This is something that should be taken seriously. Setting up your own nameservers is tricky, having to constantly update the latest BIND release; however it is very necessary as BIND has more security holes than a prison without guards.

    So, I recommend taking the diligence or leaving yourself susceptible to cache poisoning, DDoS attacks, latency, and being a public service for Tibet as was mentioned (very true).

    My 2 cents - not that I'm an expert or anything
    James Dobbs
    Biz Dev Director
    Neustar UltraDNS
    (703) 547-6001

  12. #12
    Join Date
    Oct 2006
    Posts
    39
    Thanks for all the great replies! We've notified our host and have got it fixed now I think.
