Recusive DNS queries, DNS snopping, and PCI compliance issues



  • We're going through a PCI compliance audit, and SecurityMetrics.com scanners are telling me we have problems with the firewalling/pfSense box. I need to resolve these two issues so that we can pass this PCI compliance thing. Does anyone have any idea of:
    a) What this means?
    b) How to fix it?

    It sounds like for whatever reason pfSense is listening on port 53 on the WAN. Does it need to? I don't need to have pfSense resolve domain names for anything but things inside my 3 LANs. Is there a way to stop it from doing that?

    UDP, Port 53:
    Synopsis : The remote name server allows recursive queries to be performed by the host running the test server. Description : It is possible to query the remote name server for third party names. If this is your internal nameserver, then the attack vector may be limited to employees or guest access if allowed. If you are probing a remote nameserver, then it allows anyone to use it to resolve third party names (such as www.securitymetrics.com). This allows attackers to perform cache poisoning attacks against this nameserver. If the host allows these recursive queries via UDP, then the host can be used to 'bounce' Denial of Service attacks against another network or system. See also : http://www.cert.org/advisories/CA-1997-2 2.html http://technet.microsoft.com/en-us/libra ry/cc787602%28WS.10%29.aspx Solution: Restrict recursive queries to the hosts that should use this nameserver (such as those of the LAN connected to it). If you are using bind 8, you can do this by using the instruction 'allow-recursion' in the 'options' section of your named.conf. If you are using bind 9, you can define a grouping of internal addresses using the 'acl' command. Then, within the options block, you can explicitly state: 'allow-recursion { hosts_defined_in_acl }' If you are using another name server, consult its documentation. Risk Factor: Medium  / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N) CVE : CVE-1999-0024 BID : 136, 678 Other references : OSVDB:438  [More]
    [Hide]

    UDP, Port 53:
    Synopsis : The remote DNS server is vulnerable to cache snooping attacks. Description : The remote DNS server responds to queries for third-party domains that do not have the recursion bit set. This may allow a remote attacker to determine which domains have recently been resolved via this name server, and therefore which hosts have been recently visited. For instance, if an attacker was interested in whether your company utilizes the online services of a particular financial institution, they would be able to use this attack to build a statistical model regarding company usage of that financial institution. Of course, the attack can also be used to find B2B partners, web-surfing patterns, external mail servers, and more. Note: If this is an internal DNS server not accessable to outside networks, attacks would be limited to the internal network. This may include employees, consultants and potentially users on a guest network or WiFi connection if supported. See also : For a much more detailed discussion of the potential risks of allowing DNS cache information to be queried anonymously, please see: http://www.rootsecure.net/content/downlo ads/pdf/dns_cache_snooping.pdf Solution: Use another DNS software. Risk Factor: Medium  / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)  [More]
    [Hide]


  • Rebel Alliance Developer Netgate

    In order for that to happen, you would have had to make a firewall rule on the WAN side to allow that traffic in to the pfSense box.

    So the fix would be to remove those rules, or fix any overly permissive WAN rules you have. A screenshot of your WAN rules page would help more if you can provide one.


Log in to reply