Microsoft DNS Server vulnerability to DNS Server Cache snooping attacks


Symptoms


//www.simpledns.com/kb.aspx?kbid=1250 describes DNS cache snooping as:

DNS cache snooping is when someone queries a DNS server in order to find out (snoop) if the DNS server has a specific DNS record cached, and thereby deduce if the DNS server's owner (or its users) have recently visited a specific site.
This may reveal information about the DNS server's owner, such as what vendor, bank, service provider, etc. they use. Especially if this is confirmed (snooped) multiple times over a period.
This method could even be used to gather statistical information - for example at what time does the DNS server's owner typically access his net bank etc. The cached DNS record's remaining TTL value can provide very accurate data for this.

DNS cache snooping is possible even if the DNS server is not configured to resolve recursively for 3rd parties, as long as it provides records from the cache also to 3rd parties (a.k.a. "lame requests").

Security audits may report that various DNS Server implementations are vulnerable to cache snooping attacks that allow a remote attacker to identify which domains and hosts have [recently] been resolved by a given name server.

One such cache snooping vulnerability report reads:

DNS Server Cache Snooping Remote Information Disclosure

Synopsis:
The remote DNS server is vulnerable to cache snooping attacks.

Description:
The remote DNS server responds to queries for third-party domains that do not have the recursion bit set. This may allow a remote attacker to determine which domains have recently been resolved via this name server, and therefore which hosts have been recently visited. For instance, if an attacker was interested in whether your company utilizes the online services of a particular financial institution, they would be able to use this attack to build a statistical model regarding company usage of that financial institution. Of course, the attack can also be used to find B2B partners, web-surfing patterns, external mail servers, and more. Note: If this is an internal DNS server not accessible to outside networks, attacks would be limited to the internal network. This may include employees, consultants and potentially users on a guest network or WiFi connection if supported.

Risk factor:
Medium

CVSS Base Score: 5.0
CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

See also:
http://www.rootsecure.net/content/downloads/pdf/dns_cache_snooping.pdf

Solution:
Contact the vendor of the DNS software for a fix.

Cause


This finding is typically reported on DNS Servers that perform recursion and answer non-recursive queries from their cache.

Resolution


There is no code fix as this is a configuration choice.

Options are to:

  1. Leave recursion enabled if the DNS Server resides on a corporate network that cannot be reached by untrusted clients

    OR

  2. Do not allow public access to DNS Servers performing recursion

    OR

  3. Disable recursion

More Information


By default, Microsoft DNS Servers are configured to allow recursion.

Name recursion can be disabled globally on a Microsoft DNS Server but cannot be disabled on a per-client or per-interface basis.

The majority of Microsoft DNS Servers are co-installed with the Domain Controller server role. Such servers typically host zones and resolve DNS names for devices and appliances, member clients, member servers and domain controllers in an Active Directory forest, but may also resolve names for larger parts of a corporate network. Since Microsoft DNS Servers are typically deployed behind firewalls on corporate networks, they are generally not accessible to untrusted clients. Administrators of servers in this setting should consider whether disabling or limiting DNS recursion is necessary.

Disabling recursion globally is not a configuration change that should be taken lightly, as it means that the DNS server can no longer resolve any DNS names in zones that are not held locally. This requires some careful DNS planning. For example, clients cannot typically be pointed directly at such servers.

The decision to disable recursion (or not) must be made based on what role the DNS server is meant to perform within the deployment. If the server is meant to recurse names on behalf of its clients, recursion cannot be disabled. If the server is meant to return data only out of local zones and is never meant to recurse or forward on behalf of clients, then recursion may be disabled.
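The following PowerShell is an added example, not part of this KB article, that walks through the decision described in the Resolution and More Information sections: record the current recursion setting, refuse to proceed if the server is clearly relied upon for external names (forwarders configured), otherwise disable recursion globally and verify that locally held zones still answer while external names no longer do. It assumes the DnsServer module (Windows Server 2012 and later) on the local server; $AdZone and $ExternalName are placeholders for your own AD zone and a test name.

```powershell
# Added example (not from the KB): review and, if the server's role allows it,
# disable global recursion on a Microsoft DNS Server, then verify the change.
# Assumes the DnsServer PowerShell module (Windows Server 2012 and later) run
# on the DNS server itself. The dnscmd line is the equivalent for the
# Windows Server 2003 / 2008 R2 servers referenced in the Related Links.
$AdZone       = 'corp.example.com'   # placeholder: a zone this server hosts
$ExternalName = 'www.example.net'    # placeholder: a name outside local zones

# 1. Record the current state before changing anything (default: Enable = True).
$before = Get-DnsServerRecursion
Write-Host ("Recursion currently enabled: {0}" -f $before.Enable)

# 2. Only a server that is never meant to recurse or forward for clients should
#    have recursion turned off (Option 3). Configured forwarders are a strong
#    hint that clients depend on this server for external names, and disabling
#    recursion also disables forwarding, so stop and prefer Options 1 or 2.
$forwarders = (Get-DnsServerForwarder).IPAddress
if ($forwarders) {
    Write-Warning ("Forwarders configured ({0}); clients likely rely on recursion. " +
                   "Leave recursion enabled and restrict access instead.") -f ($forwarders -join ', ')
    return
}

# 3. Disable recursion globally. There is no per-client or per-interface switch.
Set-DnsServerRecursion -Enable $false
# Equivalent on Windows Server 2003 / 2008 R2 without the PowerShell module:
#   dnscmd /Config /NoRecursion 1

# 4. Verify against the local server only (-DnsOnly skips LLMNR/NetBIOS):
#    the locally held zone must still answer; the external name must not
#    return an A record, since the server no longer recurses or serves it.
$local = Resolve-DnsName -Name $AdZone -Type A -Server localhost -DnsOnly -ErrorAction SilentlyContinue |
         Where-Object { $_.Type -eq 'A' }
$ext   = Resolve-DnsName -Name $ExternalName -Type A -Server localhost -DnsOnly -ErrorAction SilentlyContinue |
         Where-Object { $_.Type -eq 'A' }
Write-Host ("Local zone answered (expected True):   {0}" -f [bool]$local)
Write-Host ("External name answered (expected False): {0}" -f [bool]$ext)
```

If step 4 shows the external name still answered, clear the server cache (Clear-DnsServerCache) and repeat, since records cached before the change remain until their TTL expires.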

Related Links

Disable Recursion on the DNS Server (W2K8 R2)  - http://technet.microsoft.com/en-us/library/cc771738.aspx
Disable recursion on the DNS server (W2K3 and W2K3 R2) - http://technet.microsoft.com/en-us/library/cc787602(v=WS.10).aspx
How DNS query works - http://technet.microsoft.com/en-us/library/cc775637(v=WS.10).aspx
Recursive and Iterative Queries - http://technet.microsoft.com/en-us/library/cc961401.aspx
Recursive Name Resolution - http://technet.microsoft.com/en-us/library/cc755941(v=ws.10).aspx
DNS Cache Snooping - http://www.rootsecure.net/content/downloads/pdf/dns_cache_snooping.pdf