DNS Cache Probing – GoDaddy DNS Servers Fail PCI Compliance


It has recently come to my attention that GoDaddy DNS servers are not PCI compliant: they fail several checks in a PCI compliance scan. The first test that the GoDaddy DNS servers failed was DNS cache probing (also known as cache snooping). I’ve included the specifics of the test result and failure message below.

DNS Cache Probing

It was possible to receive answers from this DNS server for non-recursive queries for third-party domains. For an attacker, if a DNS answer to the non-recursive query is received, this indicates that a domain has recently been resolved by the DNS server (and, theoretically, other hosts that use the server). No response indicates that the queried domain was not recently resolved. This can allow an attacker to discover domains queried by other hosts using this server, which might give an indication of web-browsing habits or domains accessed for business purposes.

Service: –
Reference: http://www.bind9.net/manual/bind/9.3.1/Bv9ARM.ch04.html#AEN767
CVSSv2: AV:N/AC:L/Au:N/C:P/I:N/A:N (Base Score:5.00)
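The probe the scanner describes is simple to reproduce by hand. The following is an added example written for this post, not part of the original report or of any GoDaddy or scanner code: it builds a DNS A query with the Recursion Desired (RD) bit cleared, parses the reply including compressed names and answer TTLs, and classifies the resolver's behaviour as cached, not cached, or refused. The server name, query ID and the three sample replies are constructed for offline use and are not captures from any real resolver.

```python
"""DNS cache-snooping probe: send a non-recursive (RD=0) query and decide
whether the resolver answered from its cache. Added example; the sample
replies below are constructed, not captured from a real server."""
import socket
import struct

QTYPE_A = 1
QCLASS_IN = 1
RCODE_REFUSED = 5
RCODE_NXDOMAIN = 3


def encode_name(name):
    """Encode a dotted name into DNS wire format (length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qid, recursion_desired=False):
    """Build a single-question A/IN query. RD=0 is the cache-snooping probe:
    a resolver honouring it answers only if the name is already cached."""
    flags = 0x0100 if recursion_desired else 0x0000
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def decode_name(data, offset):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, jumped = [], offset, False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            break
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), end


def parse_response(data):
    """Parse header, skip the question section, and collect answer RRs."""
    qid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qdcount):
        _, offset = decode_name(data, offset)
        offset += 4  # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        name, offset = decode_name(data, offset)
        rtype, rclass, ttl, rdlength = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlength]
        offset += rdlength
        if rtype == QTYPE_A and rdlength == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append({"name": name, "type": rtype, "ttl": ttl, "rdata": rdata})
    return {"id": qid, "rcode": flags & 0xF, "ra": bool(flags & 0x0080), "answers": answers}


def classify(resp, qid):
    """Interpret a reply to an RD=0 probe. A cached entry comes back with a TTL
    lower than the authoritative one, which leaks roughly when it was fetched."""
    if resp["id"] != qid:
        return "id-mismatch"
    if resp["rcode"] == RCODE_REFUSED:
        return "refused"          # hardened resolver: cache not exposed to us
    if resp["rcode"] == 0 and resp["answers"]:
        return "cached"           # the finding the scanner reported
    if resp["rcode"] in (0, RCODE_NXDOMAIN) and not resp["answers"]:
        return "not-cached"       # typically a referral with an empty answer
    return "error"


def snoop(server, qname, qid=0x1234, timeout=2.0):
    """Live probe over UDP/53 (server is whatever resolver you are testing)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname, qid), (server, 53))
        data, _ = s.recvfrom(4096)
    resp = parse_response(data)
    return classify(resp, qid), resp


# Constructed sample replies to the probe (QR=1, RD=0, RA=1), not real captures.
SAMPLE_QID = 0x1234
_QUESTION = encode_name("example.com") + struct.pack("!HH", QTYPE_A, QCLASS_IN)
# Cached: one A record whose owner name is a pointer (0xc00c) to the question name.
SAMPLE_CACHED = (struct.pack("!HHHHHH", SAMPLE_QID, 0x8080, 1, 1, 0, 0) + _QUESTION
                 + b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 1337, 4)
                 + bytes([93, 184, 216, 34]))
# Not cached: NOERROR with an empty answer section.
SAMPLE_MISS = struct.pack("!HHHHHH", SAMPLE_QID, 0x8080, 1, 0, 0, 0) + _QUESTION
# Refused: resolver declines non-recursive third-party lookups from this client.
SAMPLE_REFUSED = struct.pack("!HHHHHH", SAMPLE_QID, 0x8085, 1, 0, 0, 0) + _QUESTION

if __name__ == "__main__":
    for label, sample in (("cached", SAMPLE_CACHED), ("miss", SAMPLE_MISS), ("refused", SAMPLE_REFUSED)):
        print(label, classify(parse_response(sample), SAMPLE_QID))
```

The same check from a shell is `dig +norecurse @<resolver> example.com A`: an answer section with a shrinking TTL on repeated queries means the name is served from cache. The fix on the server side is not to block non-recursive queries outright but to restrict who may read the cache at all, which in BIND is done with the `allow-recursion` and (in 9.4 and later) `allow-query-cache` access lists scoped to the resolver's own clients.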
