PCI scan found DNS cache probing on the AD server

Our PCI scan cannot pass. The cause was traced to our AD server having a DNS cache probing problem.

Most of our company's computers and servers also point their DNS at the AD server. Trustwave's recommendation is to stop external DNS queries. How should this be done?



Why and When to Flush Your DNS Cache In Windows


It was possible to receive answers from this DNS server for non-recursive queries for third-party domains. For an attacker, if a DNS answer to the non-recursive query is received, this indicates that a domain has recently been resolved by the DNS server (and, theoretically, other hosts that use the server). No response indicates that the queried domain was not recently resolved. This can allow an attacker to discover domains queried by other hosts using this server, which might give an indication of web-browsing habits or domains accessed for business purposes.

It is important to restrict who can perform DNS queries, in addition to what is allowed to be queried. If this DNS server is only meant to be recursively queried by internal users for third-party domains, then there is no reason to allow the general internet to also perform queries against it. If the server is meant only to act as a nameserver for specific domains, then recursive queries should be disabled, as it is unnecessary for the server to resolve anything other than its own domains. If the server is used for *both* third-party recursive queries in addition to acting as a nameserver for specific domains, then split DNS needs to be implemented (see the references below). Split DNS can be implemented either physically (one DNS server for recursive queries, and another for acting as a nameserver for domains), or through the use of access control lists (ACLs) in the server's configuration (BIND supports this).
hon2006 (iT邦大師 Level 1) ‧ 2016-10-27 10:01:20
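The restriction the answer above recommends (only internal hosts may query the server) can be applied on a Windows AD DNS server without turning recursion off, which would break internal clients that rely on it. The following is an added example, not code from the original thread; it assumes it is run as an administrator on the DNS server itself, that the DNS Server role's inbound firewall rules are in the display group "DNS Service", and that the RFC 1918 ranges stand in for the real internal subnets. The DNS policy part only applies on Windows Server 2016 or later, where the `Add-DnsServerQueryResolutionPolicy` cmdlet exists.

```powershell
# Added example (not from the original thread): restrict who can query an
# AD-integrated Windows DNS server, as the answer above recommends.
# Assumptions: run as administrator on the DNS server; the DNS Server role's
# inbound firewall rules are in the display group "DNS Service"; the RFC 1918
# ranges below are constructed placeholders for your real internal subnets.
$InternalSubnets = @('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16')  # constructed

# 1) Scope the built-in inbound DNS rules (UDP/TCP 53) to internal subnets only.
#    Windows Firewall's default inbound action is Block, so narrowing the Allow
#    rules is enough. Do not add a separate Block rule for port 53: a Block rule
#    overrides Allow rules and would cut off internal clients as well.
Get-NetFirewallRule -DisplayGroup 'DNS Service' -Direction Inbound -Enabled True |
    Set-NetFirewallRule -RemoteAddress $InternalSubnets

# 2) On Windows Server 2016 or later, a DNS query resolution policy enforces the
#    same restriction inside the DNS service itself (useful when the host
#    firewall is managed elsewhere). Queries from any client subnet other than
#    "Internal" get a failure response instead of an answer.
if (Get-Command Add-DnsServerQueryResolutionPolicy -ErrorAction SilentlyContinue) {
    Add-DnsServerClientSubnet -Name 'Internal' -IPv4Subnet $InternalSubnets
    Add-DnsServerQueryResolutionPolicy -Name 'DenyExternalQueries' `
        -Action DENY -ClientSubnet 'NE,Internal'
}

# 3) Report the resulting inbound scope so it can be kept as PCI evidence.
function Get-DnsInboundScope {
    Get-NetFirewallRule -DisplayGroup 'DNS Service' -Direction Inbound |
        ForEach-Object {
            $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
            [pscustomobject]@{
                Rule          = $_.DisplayName
                Enabled       = $_.Enabled
                RemoteAddress = ($addr -join ',')
            }
        }
}

Get-DnsInboundScope | Format-Table -AutoSize
```

Scoping the host firewall is a defence in depth measure; an AD domain controller normally should not be reachable on port 53 from the internet at all, so the perimeter firewall or NAT rule that exposes it is the first thing to check. Internal clients keep using recursion and forwarders as before, because the server's recursion setting is not changed.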
ivan2789 (iT邦新手 Level 5) ‧ 2016-10-28 17:31:47
Thanks for the reply, but I don't quite understand it. Can the problem be solved with the method below? Many computers and servers on our internal network use this as their DNS server; what impact would it have on them?

In the end, I found the right configuration! It was:

a- Delete all the root-hints.

b- Configure forwarding.

c- Set the parameter MaxCacheTTL = 0

d- Restart the service.

With all these options, when a client sends a recursive query it works OK and resolves the DNS name to an IP:

If you try to execute a non-recursive query with the same DNS name:

So at this point I consider this vulnerability solved, because no one can know if you have visited a site before.

Another issue is that the Nessus scan is still reporting this to be possible after this configuration, but I am sure that this is another kind of problem; I have contacted Nessus to review this and fix it, because I am pretty sure that with a non-recursive query it is impossible to resolve, even if you have previously queried with a recursive query.

Thanks all for your help; I hope this post can help others to address this vulnerability.
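Steps (a) to (d) from the quoted post, together with the recursive / non-recursive check it describes, as an added example for the Windows DNS Server role (this is not code from the original thread or from the quoted post). It assumes it is run as an administrator on the DNS server; the forwarder addresses and the test name are constructed placeholders, and the shape of the objects returned by `Get-DnsServerRootHint` (the NS name at `.NameServer.RecordData.NameServer`) is an assumption.

```powershell
# Added example (not from the original thread or the quoted post): steps (a)-(d)
# of the quoted configuration as PowerShell, then the verification the post
# describes. Assumptions: run as administrator on the DNS server; forwarder
# addresses and the test name below are constructed placeholders.
$Forwarders = @('203.0.113.53', '203.0.113.54')   # constructed: your upstream resolvers
$TestName   = 'www.example.com'                    # constructed: a third-party name to test with
$DnsServer  = 'localhost'

# a) Delete all root hints so the server can no longer iterate on its own.
#    Assumption: each root hint object exposes the NS name at
#    .NameServer.RecordData.NameServer.
foreach ($hint in Get-DnsServerRootHint) {
    Remove-DnsServerRootHint -NameServer $hint.NameServer.RecordData.NameServer -Force
}

# b) Send every non-authoritative query to the forwarders and never fall back
#    to root hints.
Set-DnsServerForwarder -IPAddress $Forwarders -UseRootHint $false

# c) MaxCacheTTL = 0: answers are still returned to the client but are not kept
#    in the server cache (the same setting as the MaxCacheTtl DWORD under
#    HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters).
Set-DnsServerCache -MaxTtl ([TimeSpan]::Zero)

# d) Restart the DNS service so all settings take effect.
Restart-Service -Name DNS

# Verification: a recursive query must still resolve for clients, while a
# non-recursive (RD=0) query for the same name immediately afterwards must come
# back empty. An A record in the second answer is exactly what a cache
# snooping check reports.
function Test-DnsCacheExposure {
    param([string]$Name, [string]$Server)

    Clear-DnsServerCache -Force   # start from an empty cache
    $recursive = Resolve-DnsName -Name $Name -Type A -Server $Server `
        -DnsOnly -ErrorAction SilentlyContinue
    $snoop = Resolve-DnsName -Name $Name -Type A -Server $Server `
        -DnsOnly -NoRecursion -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Name              = $Name
        RecursiveResolved = [bool]$recursive
        CachedAnswerLeaks = [bool]($snoop | Where-Object { $_.Type -eq 'A' })
    }
}

Test-DnsCacheExposure -Name $TestName -Server $DnsServer
```

Two caveats for an AD environment: with `MaxCacheTTL = 0` the server caches nothing, so every client lookup for an external name becomes a query to the forwarders, and once the root hints are deleted all external resolution depends on those forwarders being reachable. Restricting which source addresses may query the server at all, as the earlier answer recommends, is the more fundamental fix; the cache setting only limits what an already-permitted client can learn.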