
Nessus, PIX and DNS

By klard | June 27, 2006

I have been vulnerability scanning a network and have come upon something I think is odd. The network is behind a Cisco PIX firewall and there is a Microsoft DNS server running in the network doing DNS lookups and recursion for the internal domain. The firewall is set up to do one-to-one mapping for several IP addresses and it just so happens this DNS server is running another service that needs to be accessed from outside the firewall; however, there is no access list rule to allow DNS in from the outside.

So anyway I run a Nessus scan and it shows DNS being served up through the firewall from this box. Now my thought is: the PIX has an implicit deny rule at the end of the access list, and there is no explicit rule allowing DNS through the firewall, so how the heck is Nessus finding it and doing recursive lookups when it scans the IP? At this point I went in and added an explicit rule to deny UDP to this IP that is equal to domain (Cisco's name for DNS) and ran the scan again with the same results.

This definitely requires further investigation.

Update: It looks strongly like the culprit in this is an ISA proxy server. What I noticed was that when I scanned any address from this particular location it showed I had a recursive DNS server on the host. More investigation revealed an ISA proxy server in the middle that looks like it passes all traffic except DNS requests, which it handles itself. So any time Nessus tries to scan port 53 the ISA proxy replies and Nessus sees an open port, then of course it tests for recursion and reports back that the port is open, etc., etc.

My meandering thought on this: you would think Nessus would be smart enough not only to know, but to inform the operator that some host other than the target host is responding.
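A verification step for a finding like this, added here as an example and not part of the original post: send a plain DNS query to several addresses in the scanned range, including a couple of addresses known to have no host behind them, and treat any answer from an empty address as a sign that something in the path (here, the proxy) is replying instead of the target. The addresses and the sample response are constructed for illustration.

```python
import socket
import struct

def build_query(name: str, qid: int = 0x1234, rd: bool = True) -> bytes:
    """Build a minimal DNS A/IN query. RD is set so a recursive answerer will show RA."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)  # QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_flags(resp: bytes, qid: int):
    """Return QR/RA/RCODE from a response header, or None if it is not our answer."""
    if len(resp) < 12:
        return None
    rid, flags = struct.unpack("!HH", resp[:4])
    if rid != qid:
        return None
    return {"qr": bool(flags & 0x8000), "ra": bool(flags & 0x0080), "rcode": flags & 0x000F}

def probe(target: str, name: str = "example.com.", qid: int = 0x1234, timeout: float = 2.0):
    """Send one query to target:53/udp and return parsed flags, or None on no reply."""
    q = build_query(name, qid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (target, 53))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return None
    return parse_flags(data, qid)

def assess(results: dict, no_host: set) -> str:
    """results: target -> parse_flags() output (None if silent).
    no_host: targets known to be unpopulated (constructed control addresses).
    'intermediary' means an empty address answered, so the reply did not come from the target."""
    answering = {t for t, r in results.items() if r and r["qr"]}
    if answering & no_host:
        return "intermediary"
    return "host" if answering else "none"

if __name__ == "__main__":
    # Constructed range: 10.0.0.5 is the DNS box, 10.0.0.250/.251 are known-empty controls.
    targets = ["10.0.0.5", "10.0.0.250", "10.0.0.251"]
    results = {t: probe(t) for t in targets}
    print(results, "->", assess(results, {"10.0.0.250", "10.0.0.251"}))
```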

Topics: Cisco, Security