DNS Server Recursive Query Cache Poisoning Weakness

Medium Nessus Plugin ID 10539

Synopsis

The remote name server allows recursive queries to be performed
by the host running nessusd.

Description

It is possible to query the remote name server for third-party
names.

If this is your internal nameserver, then the attack vector may
be limited to employees, or to guests if guest access is allowed.

If you are probing a remote nameserver, then it allows anyone
to use it to resolve third-party names (such as www.nessus.org).
This allows attackers to perform cache poisoning attacks against
this nameserver.

If the host allows these recursive queries via UDP, then the
host can be used to 'bounce' Denial of Service attacks against
another network or system.

Solution

Restrict recursive queries to the hosts that should
use this nameserver (such as those of the LAN connected to it).

If you are using BIND 8, you can do this by using the
'allow-recursion' statement in the 'options' section of your named.conf.

If you are using BIND 9, you can define a grouping of internal addresses
using the 'acl' statement.

Then, within the options block, you can explicitly state:
'allow-recursion { hosts_defined_in_acl; };'

If you are using another name server, consult its documentation.
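
The BIND 9 restriction described above, written out as a named.conf fragment with the open setting shown beside the corrected one. This is an added example, not part of the plugin text: the ACL name 'trusted_clients' is hypothetical and 192.0.2.0/24 is a documentation prefix standing in for your LAN.

```conf
// named.conf fragment (BIND 9). Added example; names and addresses are constructed.

// Hypothetical ACL name; 192.0.2.0/24 is a placeholder for the LAN
// that should be allowed to use this resolver.
acl "trusted_clients" {
    localhost;        // built-in ACL: the server's own addresses
    localnets;        // built-in ACL: networks directly attached to the server
    192.0.2.0/24;     // placeholder: replace with your internal range
};

options {
    // Weak: recursive queries are answered for any source address,
    // which is the condition this plugin reports.
    // allow-recursion { any; };

    // Corrected: only clients matched by the ACL may recurse.
    recursion yes;
    allow-recursion { trusted_clients; };

    // BIND 9.4 and later: also restrict who may read answers from the cache.
    allow-query-cache { trusted_clients; };
};
```

Check the file with named-checkconf before reloading. Afterwards, a recursive query for a third-party name sent from an address outside the ACL should no longer be resolved (current BIND 9 releases answer REFUSED).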

See Also

http://www.nessus.org/u?c4dcf24a

Plugin Details

Severity: Medium

ID: 10539

File Name: bind_query.nasl

Version: 1.48

Type: remote

Family: DNS

Published: 2000/10/27

Modified: 2018/06/27

Dependencies: 11038, 11002

Risk Information

Risk Factor: Medium

CVSS v2.0

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N

Temporal Vector: CVSS2#E:U/RL:OF/RC:C

Vulnerability Information

CPE: cpe:/a:isc:bind

Exploit Available: false

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 1997/08/01

Reference Information

CVE: CVE-1999-0024

BID: 136, 678

CERT-CC: CA-1997-22