
Restrict recursive queries

Discussion in 'Cisco Small Business Routers and VPN Solutions' started by lifted, May 4, 2007.

  1. lifted

    lifted LI Guru Member

    Does anyone know how to do this on an RV series router?
     
  2. ifican

    ifican Network Guru Member

    What are you trying to do or what are you after specifically? The router is simply a forwarder; if you have an issue specifically with recursive lookups then contact your ISP or whoever is hosting your DNS. That particular server may not even support recursive lookups, and if that's the case there is no worry.
     
  3. lifted

    lifted LI Guru Member

    It's a security hole, I'm trying to fix it.
     
  4. ifican

    ifican Network Guru Member

    Well, I still don't have enough info, but to answer your question the best I can: no, there is no way to stop it at the router level. You can restrict certain IPs or do other things to stop lookups as a whole, but there is no way to restrict the type of lookup request.
     
  5. lifted

    lifted LI Guru Member

    I use Nessus 3 to scan my network for security; this is what it is telling me.

    Synopsis :

    The remote name server allows recursive queries to be performed
    by the host running nessusd.


    Description :

    It is possible to query the remote name server for third party names.

    If this is your internal nameserver, then forget this warning.

    If you are probing a remote nameserver, then it allows anyone
    to use it to resolve third parties names (such as www.nessus.org).
    This allows hackers to do cache poisoning attacks against this
    nameserver.

    If the host allows these recursive queries via UDP,
    then the host can be used to 'bounce' Denial of Service attacks
    against another network or system.

    See also :

    http://www.cert.org/advisories/CA-1997-22.html

    Solution :

    Restrict recursive queries to the hosts that should
    use this nameserver (such as those of the LAN connected to it).

    If you are using bind 8, you can do this by using the instruction
    'allow-recursion' in the 'options' section of your named.conf

    If you are using bind 9, you can define a grouping of internal addresses
    using the 'acl' command

    Then, within the options block, you can explicitly state:
    'allow-recursion { hosts_defined_in_acl }'

    For more info on Bind 9 administration (to include recursion), see:
    http://www.nominum.com/content/documents/bind9arm.pdf

    If you are using another name server, consult its documentation.

    Risk factor :

    Medium / CVSS Base Score : 4
    (AV:R/AC:L/Au:NR/C:N/A:N/I:p/B:I)
    CVE : CVE-1999-0024
    BID : 136, 678
     
  6. frpet1

    frpet1 LI Guru Member

    ifican is right. This should be fixed on the nameserver itself, not in the network equipment...

    I guess you run Windows DNS server. There is a checkbox to turn off recursive queries. Remember that clients that use that nameserver for recursive queries will then only be able to resolve authoritative zones (zones which the nameserver is "master" for).
    But you can enable forwarding (for all queries which your nameserver can't answer by itself) to your ISP's recursive nameservers. This way you solve your problem.
     
  7. aviegas

    aviegas Network Guru Member

    There are two approaches to handle issues like that:

    a) For a paranoid site, where internal users are not trusted
    b) For a reasonably well behaved internet user set

    For (b) it's simple: just ignore it, assuming that the "well behaved users" will not toy with it. This approach is consistent with using cheap SOHO routers where the primary concern is protecting the internal users from malicious attacks originating on the Internet.

    If you are on the (a) side, then you are also controlling what the internal users can do on a very detailed level, like closing all ports and opening only those that are "safe" for outbound traffic (is there such a thing as a safe outbound port or is it just an illusion?). Normally SOHO routers (and I classify the RV0xx routers as SOHO) are not the best for these cases. But they can handle the stress.

    So if you are concerned about recursive DNS queries, you can do it without the help of your ISP.

    1) Set up your own internal DNS that will do whatever is required to answer user requests. I would use BIND for that and impose whatever restriction you like.

    2) On the router I would let only this DNS server send packets to/from port 53 for both UDP and TCP. This requires 2 separate rules:

    - Outbound packets (internal to Internet) originating on port 53 to any port
    - Outbound packets (internal to Internet) with a destination port 53 from any port.

    Both rules are for both TCP and UDP.

    Then internal users will have to rely solely on the internal DNS that in turn can perform any query, but only according to the defined DNS restrictions (that will depend on the DNS software itself and is beyond the scope of this post).
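
Added example, not part of the thread or any poster's code: a small check for the condition the Nessus finding above describes, useful for confirming that a restriction such as BIND's allow-recursion took effect. It sends one query with the recursion-desired bit set and reads the recursion-available bit, response code and answer count from the reply header. The function names, the test name www.example.com and the sample replies are assumptions constructed for illustration; query a name the server is not authoritative for.

```python
import socket
import struct

def build_query(name, txid=0x1234):
    """DNS query for an A record with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii")
                     for p in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def classify_response(data, txid=0x1234):
    """Decide from the reply header whether the server recursed for us."""
    if len(data) < 12:
        return "malformed"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or not flags & 0x8000:   # wrong ID, or not a response
        return "malformed"
    ra = bool(flags & 0x0080)               # RA: recursion available
    rcode = flags & 0x000F
    if rcode == 5:                          # REFUSED: restriction is working
        return "refused"
    if ra and rcode == 0 and ancount > 0:   # third-party name was resolved
        return "recursion-allowed"
    return "no-recursion"                   # e.g. a referral or empty answer

def check_server(server, name="www.example.com", timeout=3.0):
    """Send one UDP query to a name server you administer and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return "no-reply"
    return classify_response(data)

# Constructed sample reply headers (not captured traffic).
SAMPLE_OPEN = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)      # QR+RD+RA, 1 answer
SAMPLE_REFUSED = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0)   # QR+RD, REFUSED
SAMPLE_REFERRAL = struct.pack("!HHHHHH", 0x1234, 0x8100, 1, 0, 2, 0)  # QR+RD, no RA

if __name__ == "__main__":
    for label, pkt in [("open", SAMPLE_OPEN), ("refused", SAMPLE_REFUSED),
                       ("referral", SAMPLE_REFERRAL)]:
        print(label, "->", classify_response(pkt))
```

Run check_server() once from a LAN host and once from an address outside the permitted range: the first should report recursion-allowed, the second refused or no-recursion.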
     
