Solved

Disable inverse query in Windows 2000 DNS

Posted on 2002-07-25
6
403 Views
Last Modified: 2013-12-19
I ran ISS on my DNS server and got the following hit:

iquery: DNS server inverse queries

The Inverse Query(iquery) feature supported on some DNS servers could allow an attacker to obtain a zone transfer.  Zone transfers identify every computer registered with your DNS server and can be used by an attacker to better understand your network.  Even if you have disabled zone transfers on your DNS server, the iquery feature will still permit a zone transfer to occur.

Remedy:  Configure your DNS server to disable inverse queries.

Does anybody know how to disable this?

Thanks.
0

Question by:robinsonbpc

6 Comments
LVL 1

Author Comment

by:robinsonbpc
ID: 7177237
Forgot to add, also see my question, in this same category, regarding LDAP null bind
0
 
LVL 5

Expert Comment

by:Droby10
ID: 7177351
it depends on your particular setup - but the gist is to remove the arpa zone (or its entries) from the public dns server (whether this is a slave, replicated, master, multi if <chroot'ed>, etc. service)...

but there are inverse effects you should be wary of:

if you remove the ability to perform inverse queries against hosts - you will suffer the inability to send mail to some if not most mail exchanges who require some form of name resolution.  you might also have issues with certificate services that require forward and reverse resolutions.

optimally, i would keep the zone and only include the entries needed to maintain functionality.

the biggest key here is you don't want to provide name resolution for hosts that are only used inside the network to those sitting outside the network.  especially in cases where they might be easily identified as trusted hosts or single points of failure.

0
 
LVL 1

Author Comment

by:robinsonbpc
ID: 7180764
I found this on Google and it seems to fit here:

"I think you have "Reverse Lookups" confused with "Inverse Lookups." They are two distinctly separate things. I was asking how to disable Inverse Queries (which I have later found out that MSDNS does not do correctly anyway, it sends the ip address back as a question to an inverse query, where it is supposed to send the hostname.)

Reverse Lookups are handled by the IN-ADDR.ARPA files, the client sends the server the ip address as the question and then waits for the server to send the client back the hostname and the ip address. Inverse queries are handled by sending the server what would normally be considered the "answer" (the ip-address), and asking the server to figure out what the question was (the name of the server.) Inverse queries do not use IN-ADDR.ARPA, they garnish the data directly from the zone files, which is why they are so dangerous, because they can send far more information back than a reverse lookup could (essentially, a much more refined zone transfer.) Also old versions of bind had a nasty problem with buffer overflows when it came to inverse queries.

Even though I have found out that Inverse Queries don't work correctly under MSDNS, I'd still like to see if someone has figured out how to turn them off (using named.boot? or some other process?)"

I verified this information, but still have not found a way to disable inverse queries, if possible.

Thanks.
0
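To make the distinction drawn in the quoted text concrete, here is an added example (written for this page, not code from the thread or from any DNS product) that builds one hand-constructed message of each kind and classifies DNS messages by opcode, so a reverse lookup (opcode QUERY with a PTR question under in-addr.arpa) can be told apart from an inverse query (opcode IQUERY, RFC 1035 section 6.4.2, which carries the address in the answer section) when reviewing captures or logs; the function names and the 192.0.2.10 address are assumptions for the example.

```python
import struct

OPCODES = {0: "QUERY", 1: "IQUERY", 2: "STATUS"}
QTYPE_A, QTYPE_PTR, CLASS_IN = 1, 12, 1

def encode_name(name):
    # Wire-format domain name: length-prefixed labels ending in a zero byte.
    out = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.rstrip(".").split("."))
    return out + b"\x00"

def decode_name(msg, off):
    # Reads the uncompressed label form used in queries; returns (name, new offset).
    labels = []
    while True:
        n = msg[off]; off += 1
        if n == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + n].decode()); off += n

def build_reverse_lookup(ip, ident=0x1234):
    # Constructed sample: standard QUERY for the PTR name under in-addr.arpa.
    rev = ".".join(reversed(ip.split("."))) + ".in-addr.arpa"
    hdr = struct.pack("!6H", ident, 0x0100, 1, 0, 0, 0)  # opcode 0, RD set, 1 question
    return hdr + encode_name(rev) + struct.pack("!HH", QTYPE_PTR, CLASS_IN)

def build_inverse_query(ip, ident=0x1234):
    # Constructed sample: IQUERY has no question; the A record sits in the answer
    # section and the server is asked to supply the owner name (RFC 1035 6.4.2).
    hdr = struct.pack("!6H", ident, 1 << 11, 0, 1, 0, 0)  # opcode 1, 1 answer RR
    rdata = bytes(int(o) for o in ip.split("."))
    return hdr + b"\x00" + struct.pack("!HHIH", QTYPE_A, CLASS_IN, 0, len(rdata)) + rdata

def classify(msg):
    # Returns the opcode name, question names/types and any A-record addresses in
    # the answer section; IQUERY is flagged so it can be logged or dropped.
    _, flags, qd, an, _, _ = struct.unpack("!6H", msg[:12])
    opcode = OPCODES.get((flags >> 11) & 0xF, "RESERVED")
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, _ = struct.unpack("!HH", msg[off:off + 4]); off += 4
        questions.append((name, qtype))
    for _ in range(an):
        _, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10]); off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == QTYPE_A and rdlen == 4:
            answers.append(".".join(str(b) for b in rdata))
    return {"opcode": opcode, "questions": questions, "answers": answers,
            "inverse_query": opcode == "IQUERY"}
```

Deleting the in-addr.arpa zone, as the asker tried, only affects the first message type; the second never touches that zone, which is why the scan result did not change.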
 
LVL 1

Author Comment

by:robinsonbpc
ID: 7180805
I also should add that I did try completely deleting the reverse lookup zone and then rerunning the scan.  I still see the vulnerability show up.

Thanks.
0
 
LVL 5

Accepted Solution

by:Droby10 (earned 200 total points)
ID: 7182995
you are correct, i overlooked it completely...i apologize.

according to the ms dns documentation:

http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/itsolutions/network/deploy/confeat/domain.asp

inverse queries are handled in the same manner as the bind fake-iquery statement.

this means that the information presented in an answer to an inverse query shouldn't be legitimate or valid data - but i haven't verified this.  this option is typically a default implementation for compatibility with older resolvers.

0
 
LVL 1

Author Comment

by:robinsonbpc
ID: 7193608
Thank you for all the help
0
