Solved

DNS Recursive Queries and Cache Snooping

Posted on 2008-10-16
3
1,773 Views
Last Modified: 2012-08-14
We have 2 public facing DNS servers on our network - both are in the DMZ, natted behind the PIX.  The company that does our vulnerability assessment says that there are security issues because they allow Recursive Queries, and DNS cache snooping.  
From what I've read on these issues, the solution is to check the "Disable recursion" box in the advanced tab of the properties on the DNS servers.
When I do that, however, I am instantly unable to browse to most sites from inside the network.  
What do I need to do to resolve these issues without affecting my internal network?

Thanks
0
Comment
Question by:brandenb
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 71

Accepted Solution

by:
Chris Dent earned 500 total points
ID: 22738528

In short... You need to stop using servers responsible for public name resolution as a private caching servers.

Basically, in an ideal world public zones sit on servers dedicated to that task, they do not get used by internal clients directly and don't have recursion enabled to prevent unnecessary load on the servers.

Chris
0
 

Author Closing Comment

by:brandenb
ID: 31506866
Tells why we are having the problem without specifically answering the question
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 25113877

That's why you have the ability to post comments in reply :-p

> What do I need to do to resolve these issues without affecting my internal network?

You need to maintain separate public and private DNS servers or you need to run BIND which will allow you to limit who is allowed to use recursive queries.

Chris
0

Featured Post

NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you have a multi-homed DNS setup in windows, you can have issues with connectivity to the server that hosts the DNS services (or even member servers of your domain if this same DNS server is a DC). This is because windows registers all of its IPs…
There have been a lot of times when we have seen the need to enter a large number of DNS entries in a forward lookup zone. The standard procedure would be to launch the DNS Manager console, create the Zone and start adding new hosts using the New…
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…
Do you want to know how to make a graph with Microsoft Access? First, create a query with the data for the chart. Then make a blank form and add a chart control. This video also shows how to change what data is displayed on the graph as well as form…

615 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question