Solved

Disable inverse query in Windows 2000 DNS

Posted on 2002-07-25
Medium Priority
427 Views
Last Modified: 2013-12-19
I ran ISS on my DNS server and got the following hit:

iquery: DNS server inverse queries

The Inverse Query(iquery) feature supported on some DNS servers could allow an attacker to obtain a zone transfer.  Zone transfers identify every computer registered with your DNS server and can be used by an attacker to better understand your network.  Even if you have disabled zone transfers on your DNS server, the iquery feature will still permit a zone transfer to occur.

Remedy:  Configure your DNS server to disable inverse queries.

Does anybody know how to disable this?

Thanks.
0
Question by:robinsonbpc
6 Comments
 
LVL 1

Author Comment

by:robinsonbpc
ID: 7177237
Forgot to add, also see my question, in this same category, regarding LDAP null bind
0
 
LVL 5

Expert Comment

by:Droby10
ID: 7177351
it depends on your particular setup - but the gist is to remove the arpa zone (or its entries) from the public dns server (whether this is a slave, replicated, master, multi if <chroot'ed>, etc. service)...

but there are inverse effects you should be wary of:

if you remove the ability to perform inverse queries against hosts - you will suffer the inability to send mail to some if not most mail exchanges who require some form of name resolution.  you might also have issues with certificate services that require forward and reverse resolutions.

optimally, i would keep the zone and only include the entries needed to maintain functionality.

the biggest key here is you don't want to provide name resolution for hosts that are only used inside the network to those sitting outside the network.  especially in cases where they might be easily identified as trusted hosts or single points of failure.

0
 
LVL 1

Author Comment

by:robinsonbpc
ID: 7180764
I found this on Google and it seems to fit here:

"I think you have "Reverse Lookups" confused with "Inverse Lookups."  They
are two distinctly separate things.  I was asking how to disable Inverse
Queries (which I have later found out that MSDNS does not do correctly
anyway; it sends the ip address back as a question to an inverse query, where
it is supposed to send the hostname.)

Reverse Lookups are handled by the IN-ADDR.ARPA files, the client sends the
server the ip address as the question and then waits for the server to send
the client back the hostname and the ip address.  Inverse queries are
handled by sending the server what would normally be considered the "answer"
(the ip-address), and asking the server to figure out what the question was
(the name of the server.)  Inverse queries do not use IN-ADDR.ARPA, they
garnish the data directly from the zone files, which is why they are so
dangerous, because they can send far more information back than a reverse
lookup could (essentially, a much more refined zone transfer.)  Also old
versions of bind had a nasty problem with buffer overflows when it came to
inverse queries.

Even though I have found out that Inverse Queries don't work correctly under
MSDNS, I'd still like to see if someone has figured out how to turn them off
(using named.boot? or some other process?)
"

I verified this information, but still have not found a way to disable inverse queries, if possible.

Thanks.
0
 
LVL 1

Author Comment

by:robinsonbpc
ID: 7180805
I also should add that I did try completely deleting the reverse lookup zone and then rerunning the scan.  I still see the vulnerability show up.

Thanks.
0
 
LVL 5

Accepted Solution

by:
Droby10 earned 800 total points
ID: 7182995
you are correct, i overlooked it completely...i apologize.

according to the ms dns documentation:

http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/itsolutions/network/deploy/confeat/domain.asp

, inverse queries are handled in the same manner as the bind fake-iquery statement.

this means that the information presented in an answer to an inverse query shouldn't be legitimate or valid data - but i haven't verified this.  this option is typically a default implementation for compatibility with older resolvers.

0
 
LVL 1

Author Comment

by:robinsonbpc
ID: 7193608
Thank you for all the help
0
