DNS Recursive Queries and Cache Snooping

Posted on 2008-10-16
Last Modified: 2012-08-14
We have 2 public-facing DNS servers on our network - both are in the DMZ, NATed behind the PIX. The company that does our vulnerability assessment says that there are security issues because they allow recursive queries and DNS cache snooping.
From what I've read on these issues, the solution is to check the "Disable recursion" box in the Advanced tab of the properties on the DNS servers.
When I do that, however, I am instantly unable to browse to most sites from inside the network.
What do I need to do to resolve these issues without affecting my internal network?

Thanks
Question by:brandenb
Accepted Solution

by: Chris Dent (earned 500 total points)

In short... You need to stop using servers responsible for public name resolution as private caching servers.

Basically, in an ideal world public zones sit on servers dedicated to that task; they do not get used by internal clients directly and don't have recursion enabled, to prevent unnecessary load on the servers.

Chris

Author Closing Comment

by:brandenb
Tells why we are having the problem without specifically answering the question
Expert Comment

by:Chris Dent

That's why you have the ability to post comments in reply :-p

> What do I need to do to resolve these issues without affecting my internal network?

You need to maintain separate public and private DNS servers, or you need to run BIND, which will allow you to limit who is allowed to use recursive queries.

Chris
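As an added illustration of the BIND approach Chris describes (this is example configuration, not anything posted in the thread), a `named.conf` fragment that keeps recursion available to internal clients only and also closes the cache-snooping finding, since non-recursive lookups against the cache are limited to the same ACL. The network ranges and zone name are assumed placeholders.

```conf
// Added example, not from the original thread: BIND 9 options that keep
// recursion for internal clients while refusing it, and cache lookups,
// to the Internet. Address ranges and zone name are placeholders.
acl "internal" {
    127.0.0.1;
    10.0.0.0/8;          // assumed internal LAN range; adjust to your network
    192.168.0.0/16;      // assumed internal LAN range
};

options {
    directory "/var/named";

    // Recursion stays ON, but only clients matching the "internal" ACL
    // may ask this server to resolve names it is not authoritative for.
    recursion yes;
    allow-recursion { internal; };

    // A cache-snooping check sends non-recursive queries (RD bit clear)
    // and reads whatever is already cached. Restricting cache answers to
    // the same ACL means external hosts get REFUSED instead of cached data.
    allow-query-cache { internal; };

    // Anyone on the Internet may still query the zones we publish.
    allow-query { any; };
};

// Public zone served authoritatively to all clients.
zone "example.com" IN {
    type master;
    file "example.com.zone";
};
```

After `rndc reload`, a query from an external address for a name outside the published zones should come back REFUSED, while the same query from an internal address is resolved; the external assessor's recursion and cache-snooping findings both hinge on that difference.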
