?
Solved

DNS Recursive Queries and Cache Snooping

Posted on 2008-10-16
3
Medium Priority
?
1,781 Views
Last Modified: 2012-08-14
We have 2 public facing DNS servers on our network - both are in the DMZ, natted behind the PIX.  The company that does our vulnerability assessment says that there are security issues because they allow Recursive Queries, and DNS cache snooping.  
From what I've read on these issues, the solution is to check the "Disable recursion" box in the advanced tab of the properties on the DNS servers.
When I do that, however, I am instantly unable to browse to most sites from inside the network.  
What do I need to do to resolve these issues without affecting my internal network?

Thanks
0
Comment
Question by:brandenb
  • 2
3 Comments
 
LVL 71

Accepted Solution

by:
Chris Dent earned 1500 total points
ID: 22738528

In short... You need to stop using servers responsible for public name resolution as a private caching servers.

Basically, in an ideal world public zones sit on servers dedicated to that task, they do not get used by internal clients directly and don't have recursion enabled to prevent unnecessary load on the servers.

Chris
0
 

Author Closing Comment

by:brandenb
ID: 31506866
Tells why we are having the problem without specifically answering the question
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 25113877

That's why you have the ability to post comments in reply :-p

> What do I need to do to resolve these issues without affecting my internal network?

You need to maintain separate public and private DNS servers or you need to run BIND which will allow you to limit who is allowed to use recursive queries.

Chris
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I wrote this article to explain some important DNS concepts that should be known to avoid some typical configuration errors I often see in forums. I assume that what is described here is the typical behavior of Microsoft DNS client. I don't know …
Resolve DNS query failed errors for Exchange
When cloud platforms entered the scene, users and companies jumped on board to take advantage of the many benefits, like the ability to work and connect with company information from various locations. What many didn't foresee was the increased risk…
Kernel Data Recovery is a renowned Data Recovery solution provider which offers wide range of softwares for both enterprise and home users with its cost-effective solutions. Let's have a quick overview of the journey and data recovery tools range he…
Suggested Courses
Course of the Month8 days, 9 hours left to enroll

621 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question