DNS Server Recursive Query Cache Poisoning Weakness

This script is Copyright (C) 2000-2016 Tenable Network Security, Inc.


Synopsis :

The remote name server allows recursive queries to be performed
by the host running nessusd.

Description :

It is possible to query the remote name server for third-party
names.

If this is your internal nameserver, then the attack vector may
be limited to employees or guest access if allowed.

If you are probing a remote nameserver, then it allows anyone
to use it to resolve third party names (such as www.nessus.org).
This allows attackers to perform cache poisoning attacks against
this nameserver.

If the host allows these recursive queries via UDP, then the
host can be used to 'bounce' Denial of Service attacks against
another network or system.

See also :

http://www.nessus.org/u?c4dcf24a

Solution :

Restrict recursive queries to the hosts that should
use this nameserver (such as those of the LAN connected to it).

If you are using BIND 8, you can do this with the 'allow-recursion'
statement in the 'options' section of your named.conf.

If you are using BIND 9, you can define a grouping of internal addresses
using the 'acl' statement.

Then, within the options block, you can explicitly state:
'allow-recursion { hosts_defined_in_acl; };'

If you are using another name server, consult its documentation.
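
To confirm the restriction from a host that is outside the ACL, the reply header to a recursive query for a third-party name can be classified as below. This is an added example, not part of the Nessus plugin; the function names, result labels and sample replies are constructed for illustration, and it assumes plain DNS over UDP on port 53.

```python
import socket
import struct

def build_query(name, txid=0x1234):
    """DNS A/IN query for `name` with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def classify_response(query, response):
    """Classify a reply from its header: did the server recurse for this client?"""
    if len(response) < 12:
        return "malformed"
    txid, flags, _qd, ancount = struct.unpack("!HHHH", response[:8])
    if txid != struct.unpack("!H", query[:2])[0] or not flags & 0x8000:
        return "mismatch"             # wrong transaction ID, or QR bit not set
    rcode = flags & 0x000F
    if rcode == 5:
        return "refused"              # REFUSED: the server rejected this client
    if flags & 0x0400:
        return "authoritative"        # AA: served from the server's own zone
    if flags & 0x0080 and rcode == 0 and ancount > 0:
        return "open-recursion"       # RA set and a third-party answer returned
    return "no-recursive-answer"      # e.g. a referral or an empty reply

def probe(server, name="www.example.com", timeout=3.0):
    """Send one UDP query to your own nameserver and classify the reply."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        return classify_response(query, sock.recvfrom(4096)[0])

def _reply(query, flags, answer=b""):
    """Constructed sample reply: echo the question, optionally add one answer."""
    counts = struct.pack("!HHHH", 1, 1 if answer else 0, 0, 0)
    return query[:2] + struct.pack("!H", flags) + counts + query[12:] + answer

# Constructed samples (192.0.2.10 is a documentation address, not real data).
QUERY = build_query("www.example.com")
A_RECORD = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
SAMPLE_OPEN = _reply(QUERY, 0x8180, A_RECORD)   # QR|RD|RA, NOERROR, 1 answer
SAMPLE_REFUSED = _reply(QUERY, 0x8105)          # QR|RD, RCODE 5
SAMPLE_REFERRAL = _reply(QUERY, 0x8100)         # QR|RD, RA clear, no answer
```

After the ACL is applied, probe() run from an address outside it should stop returning "open-recursion", while hosts inside the ACL still resolve normally.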

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N)
CVSS Temporal Score : 4.2
(CVSS2#E:U/RL:U/RC:C)
Public Exploit Available : true

Family: DNS

Nessus Plugin ID: 10539 (bind_query.nasl)

Bugtraq ID: 136, 678

CVE ID: CVE-1999-0024
