Solved

Disable inverse query in Windows 2000 DNS

Posted on 2002-07-25
Last Modified: 2013-12-19
I ran ISS on my DNS server and got the following hit:

iquery: DNS server inverse queries

The Inverse Query(iquery) feature supported on some DNS servers could allow an attacker to obtain a zone transfer.  Zone transfers identify every computer registered with your DNS server and can be used by an attacker to better understand your network.  Even if you have disabled zone transfers on your DNS server, the iquery feature will still permit a zone transfer to occur.

Remedy:  Configure your DNS server to disable inverse queries.

Does anybody know how to disable this?

Thanks.
Question by:robinsonbpc
LVL 1

Author Comment

by:robinsonbpc
ID: 7177237
Forgot to add: also see my question, in this same category, regarding LDAP null bind.
LVL 5

Expert Comment

by:Droby10
ID: 7177351
it depends on your particular setup - but the gist is to remove the arpa zone (or its entries) from the public dns server (whether this is a slave, replicated, master, multi if <chroot'ed>, etc. service)...

but there are inverse effects you should be wary of:

if you remove the ability to perform inverse queries against hosts - you will suffer the inability to send mail to some if not most mail exchanges who require some form of name resolution.  you might also have issues with certificate services that require forward and reverse resolutions.

optimally, i would keep the zone and only include the entries needed to maintain functionality.

the biggest key here is you don't want to provide name resolution for hosts that are only used inside the network to those sitting outside the network.  especially in cases where they might be easily identified as trusted hosts or single points of failure.

LVL 1

Author Comment

by:robinsonbpc
ID: 7180764
I found this on Google and it seems to fit here:

"I think you have "Reverse Lookups" confused with "Inverse Lookups."  They are two distinctly separate things.  I was asking how to disable Inverse Queries (which I have later found out that MSDNS does not do correctly any ways, it sends the ip address back as a question to an inverse query, where it is supposed to send the hostname.)

Reverse Lookups are handled by the IN-ADDR.ARPA files, the client sends the server the ip address as the question and then waits for the server to send the client back the hostname and the ip address.  Inverse queries are handled by sending the server what would normally be considered the "answer" (the ip-address), and asking the server to figure out what the question was (the name of the server.)  Inverse queries do not use IN-ADDR.ARPA, they garnish the data directly from the zone files, which is why they are so dangerous, because they can send far more information back than a reverse lookup could (essentially, a much more refined zone transfer.)  Also old versions of bind had a nasty problem with buffer overflows when it came to inverse queries.

Even though I have found out that Inverse Queries don't work correctly under MSDNS, I'd still like to see if someone has figured out how to turn them off (using named.boot? or some other process?)"

I verified this information, but still have not found a way to disable inverse queries, if possible.

Thanks.
LVL 1

Author Comment

by:robinsonbpc
ID: 7180805
I also should add that I did try completely deleting the reverse lookup zone and then rerunning the scan.  I still see the vulnerability show up.

Thanks.
LVL 5

Accepted Solution

by: Droby10 (earned 800 total points)
ID: 7182995
you are correct, i overlooked it completely...i apologize.

according to the ms dns documentation (http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/itsolutions/network/deploy/confeat/domain.asp), inverse queries are handled in the same manner as the bind fake-iquery statement.

this means that the information presented in an answer to an inverse query shouldn't be legitimate or valid data - but i haven't verified this.  this option is typically a default implementation for compatibility with older resolvers.

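The inverse-query mechanism discussed in the original question (the ISS "iquery" finding), in the quoted explanation of inverse versus reverse lookups, and in the accepted answer (BIND's fake-iquery behaviour), as an added example that is not part of this thread and is not Microsoft's or ISC's code: a small Python encoder/decoder for IQUERY (opcode 1) messages in the RFC 1035 section 6.4 layout. It builds the same kind of probe the scanner sent so you can check your own server, parses the header so opcode-1 traffic can be flagged in a capture, and classifies a reply as rejected (NOTIMP/REFUSED), simulated (fake-iquery style, where the returned "name" is just the address echoed back, which is also the MSDNS behaviour the quoted text describes), or answered (a real owner name came back, which is the disclosure the scanner warns about). All packets are constructed inline as samples, and the function names are my own.

```python
"""Encode, decode and classify DNS inverse-query (IQUERY, opcode 1) messages
in the RFC 1035 section 6.4 layout. Added example; every packet below is
constructed here, not captured from a real server."""
import ipaddress
import struct

OPCODES = {0: "QUERY", 1: "IQUERY", 2: "STATUS"}
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}
TYPE_A, CLASS_IN = 1, 1
HDR = "!HHHHHH"          # id, flags, qdcount, ancount, nscount, arcount


def encode_name(name: str) -> bytes:
    """Wire-format a dotted name as length-prefixed labels ending in a zero byte."""
    labels = [lab for lab in name.strip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def read_name(msg: bytes, offset: int) -> tuple:
    """Decode a name at offset, following compression pointers (0xC0xx).
    Returns (name, offset just past the name in the original stream)."""
    labels, jumped, end, hops = [], False, offset, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:          # pointer to an earlier name
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            jumped, hops = True, hops + 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) or ".", end


def build_iquery(ip: str, txid: int = 0x1234) -> bytes:
    """IQUERY carries no question; the answer section holds the address and
    asks the server to supply the owner name (RFC 1035 6.4.2)."""
    flags = 1 << 11                        # QR=0, opcode=1 (IQUERY), RD=0
    rdata = ipaddress.IPv4Address(ip).packed
    rr = b"\x00" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 0, len(rdata)) + rdata
    return struct.pack(HDR, txid, flags, 0, 1, 0, 0) + rr


def build_iquery_response(ip: str, names: list, rcode: int = 0,
                          txid: int = 0x1234) -> bytes:
    """Constructed reply in the 6.4.2 shape: the server fills the question
    section with the name(s) it found and echoes the answer RR."""
    flags = 0x8000 | (1 << 11) | (rcode & 0xF)   # QR=1, opcode IQUERY, rcode
    rdata = ipaddress.IPv4Address(ip).packed
    body = b"".join(encode_name(n) + struct.pack("!HH", TYPE_A, CLASS_IN)
                    for n in names)
    owner = encode_name(names[0]) if names else b"\x00"
    body += owner + struct.pack("!HHIH", TYPE_A, CLASS_IN, 0, len(rdata)) + rdata
    return struct.pack(HDR, txid, flags, len(names), 1, 0, 0) + body


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte header; opcode 1 in either direction marks IQUERY traffic."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack(HDR, msg[:12])
    op, rc = (flags >> 11) & 0xF, flags & 0xF
    return {"id": txid, "qr": bool(flags & 0x8000),
            "opcode": OPCODES.get(op, str(op)), "rcode": RCODES.get(rc, str(rc)),
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def classify_iquery_response(resp: bytes) -> str:
    """rejected: NOTIMP/REFUSED.  no-name: nothing found (e.g. NXDOMAIN).
    simulated: fake-iquery style, the 'name' is just the address echoed back.
    answered: a real owner name came back, i.e. zone data was disclosed."""
    h = parse_header(resp)
    if not h["qr"] or h["opcode"] != "IQUERY":
        return "not-an-iquery-response"
    if h["rcode"] in ("NOTIMP", "REFUSED"):
        return "rejected"
    if h["rcode"] != "NOERROR" or h["qdcount"] == 0:
        return "no-name"
    off, names = 12, []
    for _ in range(h["qdcount"]):          # question entries the server filled in
        name, off = read_name(resp, off)
        names.append(name)
        off += 4                            # skip QTYPE, QCLASS
    _, off = read_name(resp, off)           # echoed answer RR: owner name
    rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
    off += 10
    if rtype == TYPE_A and rdlen == 4:
        ip = str(ipaddress.IPv4Address(resp[off:off + 4]))
        if all(n.strip("[]") == ip for n in names):
            return "simulated"
    return "answered"
```

Sending the bytes from build_iquery() to your own server on UDP port 53 and passing the reply to classify_iquery_response() tells you which case applies: "rejected" or "simulated" means the zone contents are not exposed this way, "answered" means they are. parse_header() run over DNS payloads from a capture lets you alert on any opcode-1 message, since no current resolver has a reason to send one.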
LVL 1

Author Comment

by:robinsonbpc
ID: 7193608
Thank you for all the help