Solved

Disable inverse query in Windows 2000 DNS

Posted on 2002-07-25
Last Modified: 2013-12-19
I ran ISS on my DNS server and got the following hit:

iquery: DNS server inverse queries

The Inverse Query(iquery) feature supported on some DNS servers could allow an attacker to obtain a zone transfer.  Zone transfers identify every computer registered with your DNS server and can be used by an attacker to better understand your network.  Even if you have disabled zone transfers on your DNS server, the iquery feature will still permit a zone transfer to occur.

Remedy:  Configure your DNS server to disable inverse queries.

Does anybody know how to disable this?

Thanks.
Question by:robinsonbpc
6 Comments
 
LVL 1

Author Comment

by:robinsonbpc
ID: 7177237
Forgot to add, also see my question, in this same category, regarding LDAP null bind
 
LVL 5

Expert Comment

by:Droby10
ID: 7177351
it depends on your particular setup - but the gist is to remove the arpa zone (or its entries) from the public dns server (whether this is a slave, replicated, master, multi if <chroot'ed>, etc. service)...

but there are inverse effects you should be wary of:

if you remove the ability to perform inverse queries against hosts - you will suffer the inability to send mail to some if not most mail exchanges that require some form of name resolution.  you might also have issues with certificate services that require forward and reverse resolution.

optimally, i would keep the zone and only include the entries needed to maintain functionality.

the biggest key here is you don't want to provide name resolution for hosts that are only used inside the network to those sitting outside the network.  especially in cases where they might be easily identified as trusted hosts or single points of failure.

 
LVL 1

Author Comment

by:robinsonbpc
ID: 7180764
I found this on Google and it seems to fit here:

"I think you have "Reverse Lookups" confused with "Inverse Lookups."  They are two distinctly separate things.  I was asking how to disable Inverse Queries (which I have later found out that MSDNS does not do correctly anyway; it sends the ip address back as a question to an inverse query, where it is supposed to send the hostname.)

Reverse Lookups are handled by the IN-ADDR.ARPA files: the client sends the server the ip address as the question and then waits for the server to send the client back the hostname and the ip address.  Inverse queries are handled by sending the server what would normally be considered the "answer" (the ip address), and asking the server to figure out what the question was (the name of the server.)  Inverse queries do not use IN-ADDR.ARPA; they garner the data directly from the zone files, which is why they are so dangerous, because they can send far more information back than a reverse lookup could (essentially, a much more refined zone transfer.)  Also, old versions of bind had a nasty problem with buffer overflows when it came to inverse queries.

Even though I have found out that Inverse Queries don't work correctly under MSDNS, I'd still like to see if someone has figured out how to turn them off (using named.boot? or some other process?)"

I verified this information, but still have not found a way to disable inverse queries, if possible.

Thanks.
 
LVL 1

Author Comment

by:robinsonbpc
ID: 7180805
I also should add that I did try completely deleting the reverse lookup zone and then rerunning the scan.  I still see the vulnerability show up.

Thanks.
 
LVL 5

Accepted Solution

by:
Droby10 earned 200 total points
ID: 7182995
you are correct, i overlooked it completely...i apologize.

according to the ms dns documentation (http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/itsolutions/network/deploy/confeat/domain.asp), inverse queries are handled in the same manner as the bind fake-iquery statement.

this means that the information presented in an answer to an inverse query shouldn't be legitimate or valid data - but i haven't verified this.  this option is typically a default implementation for compatibility with older resolvers.

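The thread distinguishes an inverse query (DNS opcode 1, IQUERY, where the client puts the A record in the answer section and asks the server for the owner name) from a PTR lookup in in-addr.arpa, and the accepted answer says MS DNS treats IQUERY like BIND's fake-iquery. Neither the scanner output nor the thread shows what the server actually sends back, so the script below is an added example (written for this page, not code from the thread, from ISS, or from Microsoft) that builds a raw IQUERY packet per RFC 1035 section 6.4, parses the reply, and reports whether the server refused it (RCODE NOTIMP, which RFC 3425 later made the expected behaviour) or answered with a name. The two sample replies at the bottom are constructed for the offline check; the name host.example and address 192.0.2.10 are placeholders, and the probe assumes the server listens on UDP/53.

```python
"""Probe a DNS server for inverse-query (IQUERY, opcode 1) handling.

Added example, not from the original thread. Run against a server with
    python iquery_probe.py <dns-server> <ip-to-look-up>
"""
import socket
import struct

OPCODE_IQUERY = 1
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED"}


def build_iquery(ip, txid=0x1234):
    """Build an RFC 1035 section 6.4 inverse query for the A record `ip`.

    QDCOUNT is 0 and ANCOUNT is 1: the client supplies the answer RR and
    asks the server to reconstruct the question (the owner name)."""
    flags = OPCODE_IQUERY << 11            # QR=0, opcode 1, no RD
    header = struct.pack("!HHHHHH", txid, flags, 0, 1, 0, 0)
    # Answer RR: root owner name (single zero byte), TYPE A, CLASS IN,
    # TTL 0, RDLENGTH 4, RDATA = the address we want a name for.
    rr = b"\x00" + struct.pack("!HHIH", 1, 1, 0, 4) + socket.inet_aton(ip)
    return header + rr


def _parse_name(msg, off):
    """Decode a (possibly compressed) domain name; return (name, next_offset)."""
    labels, jump_end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:          # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jump_end = jump_end if jump_end is not None else off + 2
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii", "replace"))
        off += length
    return ".".join(labels) or ".", (jump_end if jump_end is not None else off)


def parse_response(msg):
    """Return id, QR, opcode, RCODE name and (owner, type, rdata) per answer RR."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                    # skip any echoed question section
        _, off = _parse_name(msg, off)
        off += 4                           # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, off = _parse_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        answers.append((name, rtype, msg[off:off + rdlen]))
        off += rdlen
    return {"id": txid, "qr": bool(flags & 0x8000), "opcode": (flags >> 11) & 0xF,
            "rcode": RCODE_NAMES.get(flags & 0xF, str(flags & 0xF)),
            "answers": answers}


def classify(msg):
    """Summarise what a server's reply says about its IQUERY handling."""
    r = parse_response(msg)
    if r["rcode"] == "NOTIMP":
        return "iquery not implemented"
    if r["rcode"] == "NOERROR" and r["answers"]:
        return "iquery answered: " + ", ".join(n for n, _, _ in r["answers"])
    return "rcode " + r["rcode"]


def probe(server, ip, timeout=2.0):
    """Send the inverse query over UDP/53 and classify the reply (network I/O)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_iquery(ip), (server, 53))
        data, _ = s.recvfrom(512)
    return classify(data)


# Constructed sample replies (not captured from any real server):
# 1) a server that rejects inverse queries: QR=1, opcode 1, RCODE NOTIMP, no RRs
SAMPLE_NOTIMP = struct.pack("!HHHHHH", 0x1234,
                            0x8000 | (OPCODE_IQUERY << 11) | 4, 0, 0, 0, 0)
# 2) a server that answers: one A RR owned by "host.example" for 192.0.2.10
SAMPLE_ANSWER = (struct.pack("!HHHHHH", 0x1234, 0x8000 | (OPCODE_IQUERY << 11),
                             0, 1, 0, 0)
                 + b"\x04host\x07example\x00"
                 + struct.pack("!HHIH", 1, 1, 0, 4) + socket.inet_aton("192.0.2.10"))

if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1], sys.argv[2]))
```

If the reply comes back NOTIMP, the server does not implement IQUERY and the scanner finding is a false positive for zone-disclosure purposes; a NOERROR reply whose owner name is a real host from your zone is the behaviour the thread is worried about, and an owner name that is just the address echoed back (or a fabricated name) is what fake-iquery style handling looks like. Point the probe at the server from the outside, not from a host that can reach the internal zone, since that is the view an attacker gets.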
 
LVL 1

Author Comment

by:robinsonbpc
ID: 7193608
Thank you for all the help