jcopeland
just joined
Topic Author
Posts: 3
Joined: Fri Feb 25, 2011 7:25 pm

DNS Allow Remote Requests

Mon Jun 04, 2012 7:22 pm

When I allow Remote Requests on DNS I fail a PCI scan for the following:

DNS Cache Probing
It was possible to receive answers from this DNS server for non-
recursive queries for third-party domains. For an attacker, if a DNS
answer to the non-recursive query is received, this indicates that a
domain has recently been resolved by the DNS server (and,
theoretically, other hosts that use the server). No response indicates
that the queried domain was not recently resolved. This can allow an
attacker to discover domains queried by other hosts using this
server, which might give an indication of web-browsing habits or
domains accessed for business purposes.

If I turn it off, my internal users cannot get DNS resolution. How can I make this work so I don't have to give everyone in my network a static IP address and static DNS from the ISP?

Thanks,
 
cbrown
Trainer
Posts: 1840
Joined: Thu Oct 14, 2010 8:57 pm

Re: DNS Allow Remote Requests

Mon Jun 04, 2012 8:27 pm

Replace the in-interface with your WAN interface.
/ip firewall filter
add action=drop chain=input dst-port=53 in-interface=ether5 protocol=udp
add action=drop chain=input dst-port=53 in-interface=ether5 protocol=tcp
C.Brown

cbrown[at]ravenrocknetworks.com
MTCNA - MTCRE - MTCWE - MTCTCE
MTCSE - TRAINER-0179
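A way to confirm the two drop rules above actually close the hole the PCI scanner flagged, and that the LAN side still resolves, is to send the same kind of query the scanner sends (RD bit cleared) from each side and look at what comes back. The script below is an added example and is not code from the thread or from MikroTik; the WAN and LAN addresses in it are placeholders the operator substitutes, and the sample reply bytes in the usage note are constructed.

```python
# Added example (not from the forum thread): check whether a RouterOS resolver
# still answers DNS on its WAN address after the input-chain drop rules are in
# place, and that it still answers recursive queries on the LAN side.
import socket
import struct
from typing import Optional

QTYPE_A = 1
QCLASS_IN = 1


def build_query(name: str, qid: int = 0x1234, recursion_desired: bool = False) -> bytes:
    """Build a minimal DNS query for an A record.

    recursion_desired=False clears the RD bit, which is the shape of query the
    scanner used: a resolver that answers it from cache reveals what other
    clients recently looked up.
    """
    flags = 0x0100 if recursion_desired else 0x0000
    # header: id, flags, qdcount, ancount, nscount, arcount
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    labels = [lbl.encode("ascii") for lbl in name.rstrip(".").split(".") if lbl]
    qname = b"".join(bytes([len(lbl)]) + lbl for lbl in labels) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def classify_response(resp: Optional[bytes]) -> str:
    """Map a raw reply (or the lack of one) to what it means for the exposure check."""
    if resp is None:
        return "no-response"   # dropped by the firewall: the desired state on the WAN side
    if len(resp) < 12:
        return "malformed"
    _qid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    rcode = flags & 0x000F
    if rcode == 5:
        return "refused"       # port reachable, resolver declined: service still exposed
    if ancount > 0:
        return "answered"      # data handed out: on the WAN side the finding stands
    return "empty"             # reachable, nothing returned for this name


def probe(host: str, name: str, recursion_desired: bool = False,
          timeout: float = 2.0, port: int = 53) -> str:
    """Send one UDP query and classify the outcome."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name, recursion_desired=recursion_desired), (host, port))
        data, _addr = sock.recvfrom(512)
        return classify_response(data)
    except socket.timeout:
        return classify_response(None)
    finally:
        sock.close()


if __name__ == "__main__":
    ROUTER_WAN_IP = "192.0.2.1"    # placeholder (TEST-NET-1): substitute the router's WAN address
    ROUTER_LAN_IP = "192.168.88.1"  # placeholder: substitute the router's LAN address
    # Expected after the drop rules: WAN -> "no-response", LAN -> "answered"
    print("WAN port 53 (non-recursive):", probe(ROUTER_WAN_IP, "example.com"))
    print("LAN port 53 (recursive):    ", probe(ROUTER_LAN_IP, "example.com", recursion_desired=True))
```

Run it from a host outside the router first; anything other than "no-response" for the WAN address means UDP/53 is still reachable there (check that in-interface really names the WAN port, and add a matching rule for any second uplink). Then run it from the LAN with recursion_desired=True, where "answered" confirms internal clients still resolve through the router.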
 
MtHoodlum
just joined
Posts: 14
Joined: Fri Sep 07, 2012 2:09 am

Re: DNS Allow Remote Requests

Mon Jun 23, 2014 7:31 am

DHCP Server, Networks. Use external DNS servers in your DHCP settings so your DHCP clients don't use your router for DNS lookup.
