Solved

Disable inverse query in Windows 2000 DNS

Posted on 2002-07-25
Last Modified: 2013-12-19
I ran ISS on my DNS server and got the following hit:

iquery: DNS server inverse queries

The Inverse Query(iquery) feature supported on some DNS servers could allow an attacker to obtain a zone transfer.  Zone transfers identify every computer registered with your DNS server and can be used by an attacker to better understand your network.  Even if you have disabled zone transfers on your DNS server, the iquery feature will still permit a zone transfer to occur.

Remedy:  Configure your DNS server to disable inverse queries.

Does anybody know how to disable this?

Thanks.
Question by:robinsonbpc
6 Comments
 
LVL 1

Author Comment

by:robinsonbpc
ID: 7177237
Forgot to add, also see my question, in this same category, regarding LDAP null bind
LVL 5

Expert Comment

by:Droby10
ID: 7177351
it depends on your particular setup - but the gist is to remove the arpa zone (or its entries) from the public dns server (whether this is a slave, replicated, master, multi if <chroot'ed>, etc. service)...

but there are inverse effects you should be wary of:

if you remove the ability to perform inverse queries against hosts - you will suffer the inability to send mail to some if not most mail exchanges who require some form of name resolution.  you might also have issues with certificate services that require forward and reverse resolutions.

optimally, i would keep the zone and only include the entries needed to maintain functionality.

the biggest key here is you don't want to provide name resolution for hosts that are only used inside the network to those sitting outside the network.  especially in cases where they might be easily identified as trusted hosts or single points of failure.

LVL 1

Author Comment

by:robinsonbpc
ID: 7180764
I found this on Google and it seems to fit here:

"I think you have "Reverse Lookups" confused with "Inverse Lookups."  They
are two distinctly separate things.  I was asking how to disable Inverse
Queries (which I have later found out that MSDNS does not do correctly anyway;
it sends the ip address back as a question to an inverse query, where
it is supposed to send the hostname.)

Reverse Lookups are handled by the IN-ADDR.ARPA files, the client sends the
server the ip address as the question and then waits for the server to send
the client back the hostname and the ip address.  Inverse queries are
handled by sending the server what would normally be considered the "answer"
(the ip-address), and asking the server to figure out what the question was
(the name of the server.)  Inverse queries do not use IN-ADDR.ARPA, they
garnish the data directly from the zone files, which is why they are so
dangerous, because they can send far more information back than a reverse
lookup could (essentially, a much more refined zone transfer.)  Also old
versions of bind had a nasty problem with buffer overflows when it came to
inverse queries.

Even though I have found out that Inverse Queries don't work correctly under
MSDNS, I'd still like to see if someone has figured out how to turn them off
(using named.boot? or some other process?)
"

I verified this information, but still have not found a way to disable inverse queries, if possible.

Thanks.
LVL 1

Author Comment

by:robinsonbpc
ID: 7180805
I also should add that I did try completely deleting the reverse lookup zone and then rerunning the scan.  I still see the vulnerability show up.

Thanks.
LVL 5

Accepted Solution

by: Droby10 (earned 800 total points)
ID: 7182995
you are correct, i overlooked it completely...i apologize.

according to the ms dns documentation:

http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/itsolutions/network/deploy/confeat/domain.asp

inverse queries are handled in the same manner as the bind fake-iquery statement.

this means that the information presented in an answer to an inverse query shouldn't be legitimate or valid data - but i haven't verified this.  this option is typically a default implementation for compatibility with older resolvers.

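The quoted explanation above (reverse lookup = PTR query in in-addr.arpa; inverse query = opcode 1 with the address in the answer section) and the accepted answer's fake-iquery claim can both be checked on the wire. The script below is an added example, not code from the original thread or from Microsoft: it builds the two packet types with the Python standard library, and classifies a server's IQUERY reply as NOTIMP, a "fake" answer (the question section is just the address echoed back, bracketed or not), or a real hostname leak. Server addresses, the 10.0.0.5 address, the host name dc1.corp.example and the sample replies are all constructed fixtures; `probe()` sends the query to a real server only if you call it.

```python
import socket
import struct

IQUERY_OPCODE = 1      # RFC 1035 section 6.4 inverse query
RCODE_NOTIMP = 4
QTYPE_A, QTYPE_PTR, QCLASS_IN = 1, 12, 1


def encode_name(name: str) -> bytes:
    """Dotted name -> DNS label sequence; '.' encodes as the root (single zero byte)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg: bytes, offset: int):
    """Decode a (possibly compressed) name; returns (name, offset_after_name)."""
    labels, end, jumped = [], offset, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            return ".".join(labels), end
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def build_header(txid, opcode, qr=0, rcode=0, qd=0, an=0, rd=1) -> bytes:
    flags = (qr << 15) | (opcode << 11) | (rd << 8) | rcode
    return struct.pack("!HHHHHH", txid, flags, qd, an, 0, 0)


def build_iquery(ip: str, txid=0x1234) -> bytes:
    """Inverse query: QDCOUNT=0 and one A RR in the ANSWER section carrying the address."""
    rr = encode_name(".") + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 0, 4) + socket.inet_aton(ip)
    return build_header(txid, IQUERY_OPCODE, qd=0, an=1) + rr


def build_ptr_query(ip: str, txid=0x1234) -> bytes:
    """Ordinary reverse lookup: a standard query (opcode 0) for the in-addr.arpa name."""
    name = ".".join(reversed(ip.split("."))) + ".in-addr.arpa."
    return build_header(txid, 0, qd=1) + encode_name(name) + struct.pack("!HH", QTYPE_PTR, QCLASS_IN)


def classify_iquery_response(resp: bytes, ip: str) -> str:
    """'notimp' = server refuses IQUERY; 'fake' = address echoed as the 'question'
    (BIND fake-iquery / the MS DNS behaviour described in the thread);
    'leak:<names>' = server returned real owner names from its zone data."""
    _txid, flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    opcode, rcode = (flags >> 11) & 0xF, flags & 0xF
    if rcode == RCODE_NOTIMP:
        return "notimp"
    if opcode != IQUERY_OPCODE:
        return "unexpected"
    names, off = [], 12
    for _ in range(qd):
        name, off = decode_name(resp, off)
        off += 4                                       # skip QTYPE, QCLASS
        names.append(name)
    if not names:
        return "empty"
    if all(n.strip("[]") == ip for n in names):
        return "fake"
    return "leak:" + ",".join(names)


def make_response(query: bytes, rcode=0, question_names=()) -> bytes:
    """Constructed server reply (test fixture, not captured traffic): echoes the
    answer RR from the query and fills the question section with the given names."""
    txid = struct.unpack("!H", query[:2])[0]
    body = b"".join(encode_name(n) + struct.pack("!HH", QTYPE_A, QCLASS_IN) for n in question_names)
    hdr = build_header(txid, IQUERY_OPCODE, qr=1, rcode=rcode, qd=len(question_names), an=1)
    return hdr + body + query[12:]


def probe(server: str, ip: str, timeout=2.0) -> str:
    """Send the IQUERY to a real server over UDP/53 and classify the reply (network call)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_iquery(ip), (server, 53))
        data, _ = s.recvfrom(512)
    return classify_iquery_response(data, ip)
```

A `leak:` result means the server maps addresses to owner names straight out of its zone files, which is the refined zone transfer the scanner warns about; `fake` or `notimp` means deleting the in-addr.arpa zone was never the relevant control, since the IQUERY path does not consult it.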
LVL 1

Author Comment

by:robinsonbpc
ID: 7193608
Thank you for all the help