Check: DNS0815 (Windows DNS, version v4 r1.19)
Title
Forwarders on an authoritative Windows 2000/2003 DNS server are not disabled. (Cat II impact)
Discussion
Windows DNS has historically been more vulnerable to cache poisoning attacks than BIND, and the algorithm it uses to answer recursive queries also makes it more prone to self-imposed denial of service and to being used as an amplification device for attacks on other DNS servers. Additionally, Windows DNS does not allow the fine-grained access control restrictions (i.e., limiting which clients are able to perform recursion) that BIND and other recursive DNS appliances provide. Therefore, Windows 2000/2003 DNS should not be deployed as a caching name server. Consequently, the use of forwarders and recursion is prohibited on Windows 2000/2003 DNS servers.
Check Content
Windows DNS should not be deployed as a caching name server. Consequently, the use of forwarders and recursion is prohibited on Windows 2000/2003 DNS. The reviewer will validate that the "Enable Forwarders" check box is not selected on the "Forwarders" tab of the name server properties. If forwarders are enabled, then this is a finding.
Fix Text
The SA should disable forwarding (on the Forwarders tab of the name server's properties dialog box).
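The check above is a manual GUI step; the following PowerShell script is an added example (not part of the STIG text or any DISA tooling) that performs the same validation from the command line and, optionally, applies the fix. It assumes the reviewer runs Windows PowerShell from a host that can query the target over WMI; it reads the `MicrosoftDNS_Server` class in the `root\MicrosoftDNS` namespace (present on Windows 2000/2003 DNS servers) and uses the documented `dnscmd /ResetForwarders` and `dnscmd /Config /NoRecursion` commands for remediation. The host name `dns01.example.test` is a placeholder.

```powershell
# Added example: audit and remediate DNS0815 (forwarders/recursion on Windows DNS).
# Assumptions: WMI access to the target, the MicrosoftDNS_Server class, and
# dnscmd.exe available on the reviewer's host. Server name is a placeholder.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$Server = 'dns01.example.test',   # placeholder target name
    [switch]$Fix                                # apply the fix after reporting
)

function Get-Dns0815Status {
    param([Parameter(Mandatory)][string]$ComputerName)

    # MicrosoftDNS_Server exposes the configured forwarder list (Forwarders),
    # whether recursion is disabled (NoRecursion) and whether the server is a
    # "slave" that only forwards and never recurses itself (IsSlave).
    $srv = Get-WmiObject -Namespace 'root\MicrosoftDNS' `
                         -Class 'MicrosoftDNS_Server' `
                         -ComputerName $ComputerName -ErrorAction Stop

    $forwarders = @($srv.Forwarders | Where-Object { $_ })

    [pscustomobject]@{
        Server       = $ComputerName
        Forwarders   = $forwarders
        ForwardersOn = ($forwarders.Count -gt 0)   # the DNS0815 finding condition
        RecursionOn  = (-not [bool]$srv.NoRecursion)
        IsSlave      = [bool]$srv.IsSlave
    }
}

function Test-Dns0815 {
    param([Parameter(Mandatory)][string]$ComputerName)

    $s = Get-Dns0815Status -ComputerName $ComputerName

    # Per the Check Content, any configured forwarder is a finding. Recursion is
    # reported as well because the Discussion prohibits it on these servers.
    $status = if ($s.ForwardersOn) { 'FINDING' } else { 'NOT A FINDING' }
    Write-Host ("[{0}] {1}: forwarders={2} recursion={3}" -f `
        $status, $s.Server, ($s.Forwarders -join ','), $s.RecursionOn)
    if ($s.RecursionOn) {
        Write-Warning "$($s.Server): recursion is enabled; server would act as a caching name server."
    }
    return $s
}

function Repair-Dns0815 {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][string]$ComputerName)

    # dnscmd /ResetForwarders with no addresses clears the forwarder list,
    # which is equivalent to clearing "Enable Forwarders" in the GUI.
    if ($PSCmdlet.ShouldProcess($ComputerName, 'Clear DNS forwarders')) {
        & dnscmd.exe $ComputerName /ResetForwarders | Out-Null
    }
    # /Config /NoRecursion 1 disables recursion, matching the Discussion text.
    if ($PSCmdlet.ShouldProcess($ComputerName, 'Disable recursion')) {
        & dnscmd.exe $ComputerName /Config /NoRecursion 1 | Out-Null
    }
}

# Main flow: report, optionally fix, then re-check so the record shows the result.
$before = Test-Dns0815 -ComputerName $Server
if ($Fix -and ($before.ForwardersOn -or $before.RecursionOn)) {
    Repair-Dns0815 -ComputerName $Server
    Test-Dns0815 -ComputerName $Server | Out-Null
}
```

Run it as `.\Check-Dns0815.ps1 -Server <name>` to produce the review record, and add `-Fix -WhatIf` to see the `dnscmd` actions before committing to them; clearing forwarders on a server that is actually in use as a resolver will stop it answering recursive client queries, so confirm with the SA that the server is authoritative-only before applying the fix.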
Additional Identifiers
Rule ID: SV-4503r1_rule
Vulnerability ID: V-4503
Group Title: Forwarders not disabled on Windows DNS server.
Expert Comments
CCIs
| Number | Definition |
|---|---|
| No CCIs are assigned to this check | |
Controls
| Number | Title |
|---|---|
| No controls are assigned to this check | |