W2003 DNS cache snooping vulnerability for PCI-DSS compliance.

Hi everyone.
How can I solve this security vulnerability reported by Nessus (security software) on W2003's DNS?
DNS Server Cache Snooping Remote Information Disclosure
Synopsis:
The remote DNS server is vulnerable to cache snooping attacks.
Description:
The remote DNS server responds to queries for third-party domains that do not have the recursion bit set. This may allow a remote attacker to determine which domains have recently been resolved via this name server, and therefore which hosts have been recently visited. For instance, if an attacker was interested in whether your company utilizes the online services of a particular financial institution, they would be able to use this attack to build a statistical model regarding company usage of that financial institution.
Of course, the attack can also be used to find B2B partners, web-surfing patterns, external mail servers, and more. Note: If this is an internal DNS server not accessible to outside networks, attacks would be limited to the internal network. This may include employees, consultants and potentially users on a guest network or WiFi connection if supported.
Risk factor:
Medium
CVSS Base Score: 5.0
CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N
See also:
http://www.rootsecure.net/content/downloads/pdf/dns_cache_snooping.pdf
Solution:
Contact the vendor of the DNS software for a fix.
Plugin output:
Nessus sent a non-recursive query for example.com and received 1 answer : 192.0.43.10
I have been searching for a solution on the web... but I was unable to find one... that could let me use "recursion" at our DNS server.
We have an internal DNS server for Active Directory, with forwarding to resolve external internet domains, as is a requirement of our application... but now the only way to fix this is to disable "recursion", and we are working with external IP addresses instead of internet DNS names... but this is not a good solution for us.
I found something about splitting DNS functions, but my point is that we have all the servers, internal and DMZ, inside the same AD domain... so we need to use the same AD-integrated DNS server, notwithstanding we must resolve external DNS records for our application... How can I do this without getting the same vulnerability again? I don't know how to do it while disabling "recursion"... If I disable recursion I will be unable to resolve external DNS names.
Any suggestion will be really appreciated!!
thx!!

That's basically for your internet-facing DNS. I wouldn't worry about it too much for internal DNS, since that's only hosting your internal AD zone.
Other than setting the "Secure cache against pollution" setting, you can also opt to disable caching of all records so each and every query is a fresh query. This actually fixes CNAME vs A record TTL mismatch issues, too, not that you're probably seeing them or not, but just wanted to add that:
Description of DNS registry entries in Windows 2000 Server, part 2 of 3 (applies to 2003, 2008 & 2008 R2)
http://support.microsoft.com/kb/813964
Cannot resolve names in certain top level domains like .co.uk.
http://blogs.technet.com/b/sbs/archive/2009/01/29/cannot-resolve-names-in-certain-top-level-domains-like-co-uk.aspx
============
To turn off or disable local cache: (Windows 2000 notes, but they apply to all current OS's)
Set the MaxCacheTtl to 0 in the registry or use Dnscmd
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DNS\Parameters
   Value:     MaxCacheTtl
   Type:     DWORD
   Default:  NoKey (Cache for up to one day)
   Function: Set maximum caching TTL.
MaxCacheTtl
Type: DWORD
Default value: 0x15180 (86,400 seconds = 1 day)
Function: Determines how long the DNS server can save a record of a
recursive name query.
You can use the MaxCacheTtl registry entry to specify how long the DNS
server can save a record of a recursive name query.
If the value of the MaxCacheTtl entry is 0x0, the DNS server does not save
any records.
The DNS server saves the records of recursive name queries in a memory cache
so that it can respond quickly to new queries for the same name. Records are
deleted from the cache periodically to keep the cache content current. The
interval when the records remain in the cache typically is determined by the
value of the Time to Live (TTL) field in the record. The MaxCacheTtl entry
establishes the maximum time that records can remain in the cache. The DNS
server deletes records from the cache when the value of this entry expires,
even if the value of the TTL field in the record is greater.
Change method
To change the value of the MaxCacheTtl entry, use Dnscmd.exe, a tool that is
included with the Windows 2000 Support Tools. The change is effective
immediately so that you do not have to restart the DNS server.
Start method
DNS reads its registry entries only when it starts. If you change the value
of the MaxCacheTtl entry by editing the registry, the changes are not
effective until you restart the DNS server.
Note the following items:
Windows 2000 does not add the MaxCacheTtl entry to the registry. You can
add it by editing the registry or by using a program that edits the registry.
The MaxCacheTtl entry does not affect Windows Internet Name Service
(WINS) data that is saved in the DNS memory cache. WINS data is saved until
the Cache Timeout Value on the WINS record expires. To view or change the
Cache Timeout Value on the WINS record, use the DNS snap-in. Right-click a
zone name, click Properties, click the WINS tab, and then click Advanced.
===============================
Ace
Ace Fekay
MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
This posting is provided AS-IS with no warranties or guarantees and confers no rights.
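As an added example (not code from the thread), the following Python script reproduces the check behind the plugin output above so you can verify your own server before and after the MaxCacheTtl change: it sends a query with the RD bit clear, the way Nessus does, and reads the reply's AA flag and answer count to tell a cache hit from an authoritative answer. The sample replies are constructed by hand; probe() takes whatever server address you give it.

```python
"""Offline classifier for the check behind the Nessus finding above: a query
with the RD (recursion desired) bit clear, answered from cache by a server
that is not authoritative for the name.  Wire format per RFC 1035."""
import socket
import struct

def build_query(name, qtype=1, recursion_desired=False, txid=0x1234):
    """Encode a DNS query; the snooping probe leaves RD = 0."""
    flags = 0x0100 if recursion_desired else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS IN

def _skip_name(data, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length

def parse_response(data):
    """Decode the header flags and collect A records from the answer section."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(data, off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return {"id": txid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "rd": bool(flags & 0x0100), "ra": bool(flags & 0x0080),
            "rcode": flags & 0x000F, "ancount": an, "answers": addrs}

def classify(response, txid=0x1234):
    """Interpret a reply to a non-recursive probe for a third-party name:
    cached (answered by a non-authoritative server, i.e. from its cache: the
    Nessus finding), authoritative (server hosts the zone, answer expected),
    refused (RCODE 5), no_answer (not cached, or caching disabled)."""
    r = parse_response(response)
    if r["id"] != txid or not r["qr"]:
        return "invalid"
    if r["rcode"] == 5:
        return "refused"
    if r["ancount"] == 0:
        return "no_answer"
    return "authoritative" if r["aa"] else "cached"

def probe(server, name="example.com", timeout=3.0):
    """Send the non-recursive probe to your own server over UDP and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        data, _ = s.recvfrom(512)
    return classify(data)

# Constructed sample: the reply the plugin output describes, example.com -> 192.0.43.10
# served from cache (RD echoed back as 0, AA clear, one answer with TTL 3600).
CACHED_REPLY = (
    struct.pack("!HHHHHH", 0x1234, 0x8080, 1, 1, 0, 0)
    + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + socket.inet_aton("192.0.43.10")
)
# Constructed sample: the same probe once nothing is cached (e.g. MaxCacheTtl = 0).
EMPTY_REPLY = (
    struct.pack("!HHHHHH", 0x1234, 0x8080, 1, 0, 0, 0)
    + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
)

if __name__ == "__main__":
    print(classify(CACHED_REPLY), parse_response(CACHED_REPLY)["answers"])  # cached ['192.0.43.10']
    print(classify(EMPTY_REPLY))  # no_answer
```

A server that still returns "cached" for names it is not authoritative for after the change is the one the scanner will keep flagging.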

Similar Messages

  • WRT54G and CVE-2008-1447 (DNS cache poisoning vulnerability)

    Is the WRT54G affected by the DNS cache poisoning vulnerability described in CVE-2008-1447 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447)?
    If so, can we expect a patch, and when? Are there any steps we can do to protect ourselves from attack in the meanwhile?
    Many thanks,
    RogerB

    No, I have an acceptable external DNS provider.
    Both my XP and Debian PCs required software updates for CVE-2008-1447 according to the Microsoft and Debian websites. This suggests that the router may need similar attention, particularly as it resolves hostnames to IP addresses for me on my home network. For all I know, it may even be based on Debian (I know that routers include GPL software which requires Linksys to publish several megabytes of GPL code).
    To rephrase my question, does the firmware on the WRT54G include programs such as BIND9, which are affected by CVE-2008-1447? If so, when can we expect an update for the firmware which includes fixes for any such programs?
    As a follow on question, if the firmware does require updating, are there any settings that I can change, or actions that I can avoid, to ensure my home network remains safe from a DNS cache poisoning attack in the meantime?
    Many thanks,
    RogerB

  • PCI DSS Compliance - Requirements 5 & 6

    We are currently applying for PCI Compliance, and are required to answer the following questions. Since our solution is hosted on Windows Azure, are these questions relevant? Can anyone please suggest where we might establish the answers to these, with respect to our Azure environment?
    Requirement 5: Use and regularly update anti-virus software or programs
    5.1: Is anti-virus software deployed on all systems commonly affected by malicious software?
    5.1.1: Are all anti-virus programs capable of detecting, removing and protecting against all known types of malicious software (for example, viruses, Trojans, worms, spyware, adware, and rootkits)?
    5.2: Is all anti-virus software current, actively running, and generating audit logs, as follows:
    (a) Does the anti-virus policy require updating of anti-virus software and definitions?
    (b) Is the master installation of the software enabled for automatic updates and scans?
    (c) Are automatic updates and periodic scans enabled?
    (d) Are all anti-virus mechanisms generating audit logs, and are logs retained in accordance with PCI DSS Requirement 10.7?
    Requirement 6: Develop and maintain secure systems and applications
    6.1:
    (a) Are all system components and software protected from known vulnerabilities by having the latest vendor-supplied security patches installed?
    (b) Are critical security patches installed within one month of release?

    Have a look at Microsoft Endpoint Protection for Windows Azure.
    http://blogs.msdn.com/b/windowsazure/archive/2012/03/26/microsoft-endpoint-protection-for-windows-azure-customer-technology-preview-now-available-for-free-download.aspx
    http://blog.maartenballiauw.be/post/2012/03/27/Protecting-Windows-Azure-Web-and-Worker-roles-from-malware.aspx

  • Achieving PCI DSS compliance of BPEL/ESB components ?

    Hi all,
    I'd like to get some input on achieving compliance with the Payment Card Industry Data Security Standard (PCI DSS). Issues arise in particular with dehydration and audit trails vs. requirements 3.3 and 3.4.
    Has anyone looked at this and if so, how did you approach it ?
    Regards,
    Diego

  • PCI DSS Compliance on Cisco ACS 5.0

    Dear
    During our recent VA we were told that the below vulnerabilities exist in the ACS:
    SSL/TLS Protocol Initialization Vector Implementation Information Disclosure Vulnerability on port 443
    SSL Weak Cipher Suites Supported on port 2030
    SSL Medium Strength Cipher Suites Supported on port 2030
    Can anybody kindly guide me on how to solve these issues?
    Best regards
    Muralee

    To log in to ACS server and access the CLI, use an SSH secure shell client or the console port.
    Accessing the ACS CLI
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.0/command/reference/CLIuse.html#wp1096003
    Regards,
    Jatin

  • DNS Cache Poisoning Signature

    Is there a signature available for the new Bind 9 DNS Cache Poisoning vulnerability/exploit.
    See reference
    http://www.securityfocus.com/bid/25037/info

    From our research on the subject, we do not believe a high-fidelity signature can be created to detect this attack. The nature of the traffic used in the attack is legitimate and as a successful attack requires some guess-work and timing, there are too many variables to detect any sort of pattern in the traffic used. The initial part of the attack occurs when a user accesses a malicious link. Standard user training should mitigate this vector if users avoid accessing unsolicited links. Updates are also available to patch systems. For more information, please see Intellishield alert number 13831:
    https://intellishield.cisco.com/security/alertmanager/basicSearch.do?dispatch=1&UID=13831
    We will continue to monitor the situation regarding this vulnerability and take appropriate action when necessary.

  • Data Security Standard PCI-DSS - SAP Datacenter

    Hello,
    one of our prospects asked the following question: Does the SAP Datacenter in Germany fulfil the requirements of PCI-DSS?
    It seems that this Standard is related to Payment Card Processing.
    I checked all certificates but I don't find any information about that Standard.
    Best Regards
    Andreas Czech

  • PCI DSS  - Payment Card Industry / Data Security Standard

    Hello Gurus;
    Has anyone implemented the necessary security around credit cards according to the latest PCI DSS?  If so - I'd like to chat about that.  It's no longer just encrypting the credit card information, it's much more...  Would love to hear good and bad.
    Thanks!
    Gina

    Hi Gina,
    Did you find good information about PCI-DSS compliance topics with SAP from this forum?  In particular we are looking at options to comply with requirement 11, File Integrity Monitoring.
    We would appreciate any guidance.
    Thank you, TMM

  • DNS caching problem when configuring Windows clients for SCAN

    I have a Windows 2008 R2 server running apps that connect to a RAC cluster database using the SCAN address. The SCAN address however always returns the same IP when you ping it from that server. If I flush the DNS cache I get a different address, but again the same one all the time. I believe this is caused by the fact that DNS caching is enabled on Windows by default. This has caused problems when one of the RAC nodes goes south and the cached SCAN IP is not responding. The applications lose their connections, try to reconnect, but can't because they keep using the same dead SCAN IP.
    I suggested we disable the DNS Client service on those machines so that the SCAN name correctly cycles through the addresses but the Windows admin says not to do this. Is there a documented practice somewhere that this is OK to do for Windows RAC clients? Or is there a way to disable caching just on the SCAN name but leave it enabled from every other host name?
    TIA

    What happened was the SCAN VIP did not fail over. The node VIP did not fail over. The database instance was running but I could not connect to it even locally as sysdba. I got the message "protocol adapter error". This normally only occurs on Windows for local connections when either (a) the Oracle service is not running, or (b) you didn't set the ORACLE_SID variable correctly. Neither was true.
    I tried "crsctl stop crs" but it could not stop the listeners.
    I rebooted the server. During the reboot, neither the VIP nor the SCAN VIPs failed over. It's almost as if CRS either didn't recognize that the other node had been shut down, or it didn't care.
    I have never seen this happen before.
    For the record this is Oracle RAC 11.2.0.1.

  • Lion Server DNS service not working for locally created zones. Caching working fine.

    OS X Lion Server DNS service not working for local zones. Was fine under Snow Leopard Server but the Lion Server upgrade has severely broken my DNS and web sites. Zones look fine under Server Admin but I keep getting "query failed (SERVFAIL) for xxxx at /SourceCache/bind9/bind9-42/bind9/bin/named/query.c:3921" in the logs. BTW - Server Admin can't seem to see the log file either.
    Surely someone actually tested that DNS still worked on Lion?

    I upgraded from Snow Leopard Server to Lion Server on day 01.  I hit the same issue where, after the upgrade, my Lion Server stopped serving names for my private local domain.
    I finally took a few minutes to figure out what was wrong.  After turning on debug logging and looking through the logs, I found my particular issue, now resolved.
    The issue I had was, when the domain initially was setup when I installed Snow Leopard Server, for some reason it created a zone just for the server (in my case, something like zone "s-01.mydomain.priv"), and a separate zone for all the other machines (zone "mydomain.priv", containing all the private IPs for my local domain).  I never messed with it because it worked, but generally I would have put all of them in the same zone.
    My zone "mydomain.priv" had a nameserver and mail exchanger entry for my server, s-01.mydomain.priv.  I could see this in the Server Admin app on the DNS bubble, Zones tab, mydomain.priv selected, and the General Info panel.  This was fine in Snow Leopard.  This was failing the zone load in the updated bind for Lion Server, though.  The issue was that the "mydomain.priv" zone was referencing the s-01.mydomain.priv server, which was not defined in the "mydomain.priv" zone but rather in the "s-01.mydomain.priv" zone.
    My fix:
    1. In Server Admin, add the server to the zone "mydomain.priv".  I put an A record (Add Machine) in the "mydomain.priv" zone for my server named s-01.mydomain.priv.
    2. shut down DNS on the OS X Lion Server (hit the Stop DNS button on Server Admin).
    3. edit /etc/named.conf by hand, removing the specialized zones that contained just the server.  In this case, it would be the section titled 'zone "s-01.mydomain.priv"' and the section titled 'zone "3.10.1.10.in-addr.arpa"'.  Your in-addr.arpa zone name will change based on whatever your server IP address was.  My internal one happened to have s-01.mydomain.priv mapped to 10.1.10.3.
    4. Once the specialized zones for just the server were removed, I started the DNS up again.  Instead of serving four zones as it had in OS X Snow Leopard Server, it now serves two zones.  And, now, it is resolving my local machines for the mydomain.priv zone.
    YMMV.  I did note that it wasn't totally necessary to do step 3, but I never really understood the need for the specialized domain, and keeping it around would have a copy of data that would just confuse things.
    Hope that helps.  That's been the only hiccup I've noticed updating to OS X Lion Server thus far.

  • RV042G PCI DSS SSL Issues

    Looks like the RV042G needs another firmware update as the units we have in the field are now not passing PCI DSS scans.  Dealing with the compliance scanning companies, they are telling me that the firmware is the way to fix this.  Here are the errors reported:
    Cross-site scripting vulnerability in portalname parameter to /cgibin/userLogin.cgi - FAIL
    Description: Several types of web servers and CGI programs include the user's request in their response. For example, a request for the page http://server/nonexistent_page.html may cause the server to respond: The page nonexistent_page.html does not exist on this server.
    Response splitting vulnerability in portalname parameter to /cgibin/userLogin.cgi - FAIL
    Description: Some programs on web servers place user-supplied parameters into certain HTTP headers.
    I am using port 443 for remote access to the devices.  Moving the port simply changes the reported failure to that port.  Any suggestions or has anyone heard for a firmware update coming soon for this device?
    Thanks.  John

    Hi dwyerja01,
    Unfortunately I do not think Cisco is going to do anything about this.  I have emailed my sales support contact (no response), called tech support (clueless on when or if there will be a firmware update - the only way to fix this) and posted here (no response from Cisco).
    With that said, we have begun a transition away from Cisco Small Business gear.  While this is disappointing for us, supporting their router platform is just not a priority for them (or so it seems).
    If we get lucky, maybe a new firmware will drop.  Fingers crossed!
    If I find or get more information I will post back here (please do the same).
    John

  • Clear DNS cache

    How can I clear the DNS cache?
    When I configure my webserver and change the records, I have to wait the time configured in the TTL of the specific record. I know that I can change the TTL to a lower value, but the default value is 3 hours, so I have to wait until the time's up.
    I checked the DNS records with dig (from dnsutils). dig also shows the remaining seconds until the next refresh (dns server request). And here's my question: How can I refresh it manually? (tried a lot from the internet, but nothing helped)
    Thank you guys!
    Last edited by gummiflummi (2014-12-16 20:41:53)

    brebs wrote: Woah right there. Why do you need to *change* the records? Shouldn't happen often.
    Other than the answer stated (to test DNS settings), you might want to change records for a (self-hosted) DynDNS service. If you want a device to update its DNS entries while being connected to a shaky cellular network, those changes might occur frequently with changing IPs.
    To the original poster: You should always set the TTL to a reasonable setting. If you didn't change the record for the last two years, then maybe a TTL of several hours (or even a day) might be OK. If you want to be able to react more quickly to emergency situations, set it lower. For a DynDNS service, TTLs below a minute might be appropriate.
    If you want to test your DNS Server, you can always query it directly (bypassing your ISP's DNS servers) with a command like this (where 1.2.3.4 is the IP of your nameserver):
    dig @1.2.3.4 your.entry.example.com
    This will usually show you the new settings right after changing.

  • Possible DNS caching problem

    I just upgraded to Lion. I am a web developer and I just changed the DNS settings for a new website. While everyone else in my office is seeing the new website at the domain, I am stuck seeing the old. I have tried the DNS cache flushing techniques below (in addition to restarting, clearing cache, etc), but none have helped:
    sudo killall -HUP mDNSResponder
    dscacheutil -flushcache
    In the terminal 'host domain.com' still points to the old server too.
    Seems like OSX is holding on to the old DNS settings. Any ideas?

    Select  ▹ System Preferences ▹ Network ▹ Advanced ▹ Proxies. If any boxes are checked, uncheck them, apply your changes, and try again.  You must apply the changes before they take effect.

  • How to Flush DNS Cache in Mavericks 10.9.3

    So I have seen references to the following when searching for a cmd to flush DNS
    sudo killall -HUP mDNSResponder and sudo dscacheutil -flushcache
    Which one is proper for Mavericks 10.9.3?

    Mountain Lion, but should be applicable to Mavericks.
    DNS cache - Reset

  • Flushing the DNS cache

    I'm having trouble with a Web site when I access it on my home computer, yet this same site looks fine on my Mini at work. One section of the index page generates a "can't find server" error, and the site's own logo won't display properly. It is a free hosting site. Sometimes I can upload files to it, other times I get a can't-find-server error when I try.
    In answer to my query about this (to which I helpfully attached a screenshot of the incompletely loaded index page and its error messages), the host is telling me that I should "flush my DNS cache," which they say involves going into Terminal and giving the command "ookupd -flushcache" [sic]. (I've already surfed this briefly and the first result confirmed my suspicion that this doofus hasn't mastered copy-and-paste technique and the command actually should be "lookupd- flushcache".)
    It's not just that their site doesn't load fully, though. They have some stuff on one of their pages that they encourage users to hotlink on personal Web sites, and I have done that with one of their banners. The banner, which was fine for months, now appears on my page as a broken icon, too, although it, like the site's home page, loads fine on my computer at work.
    My first question is, is there any harm in flushing the DNS cache? The OS Daily page where I think they copied this advice from makes it sound like this is something only a Web server would need. If I do it on my home machine, could it cause problems? Could it disable my Internet connectivity?
    Second, less urgent question, more for the netgeeks out there: Do you think this is a likely solution to my problem? Especially considering that the problem involves not only their site but an element on an external site linking back to them? I hate to play the sucker for some low-level geek whose main mission is to deflect my query.
    Thanks
    Kathi

    Kathi--
    Like BDAqua says, there's nothing to worry about flushing the DNS cache. It's true that most people probably don't need to do it very often, but it's something easy and harmless to try, and it might well fix problems like yours.
    One handy feature of Safari, even if you don't use it for anything else, is the "Activity" window. Open it from the "View" menu, and watch as your page loads. You can see exactly which components on the page are loading, which aren't and where they should be coming from. If you double-click an element in that list, Safari will try to open it in a new window. That is sometimes enough to give a clue as to why something isn't working.
    You can use Safari's activity list along with the Network Utility from your Utilities folder to try to figure out why you're not getting the page elements. Suppose a graphic is listed as coming from http://www.server1.com/images/logo.jpg, but it's not loading.
    First thing I would try in the Network Utility is to see if it will respond to pings. From that example, enter "www.server1.com" on the "Ping" page of the Network Utility and see if it answers back.
    To find out if it's a DNS problem, you can use Safari's list to get the addresses of the problem elements, then see if the IP addresses match up on your computer at home to the one at work. If they don't, then it could be stale DNS.
    You can use the Network Utility for DNS lookups, but I think they're hard to read, and, since you're already thinking about using the Terminal to flush the DNS cache, you can use nslookup. It's really simple:
    nslookup www.apple.com
    Will give you something like this (the first two lines will likely be different):
    Server: 208.67.222.222
    Address: 208.67.222.222#53
    Non-authoritative answer:
    www.apple.com canonical name = www.apple.com.akadns.net.
    Name: www.apple.com.akadns.net
    Address: 17.251.200.32
    If the addresses don't match, or you get a message that it can't find anything for your server, then you know it's a DNS problem. Perhaps they've changed some addresses and your home ISP's DNS servers themselves aren't updating.
    You can even use nslookup to see what different DNS servers say about an address. Just add the IP address of a DNS server after the address you want to look up:
    nslookup www.apple.com 208.67.220.220
    Just do a search on the 'net for free DNS servers, and you'll find a bunch to choose from.
    charlie
