#1 Member (Join Date: Dec 2003, Posts: 89)

PCI - Remote DNS Server is vulnerable to cache snooping

Been working through pickups for PCI compliance.

The last deal breaker is the following:

The remote DNS server is vulnerable to cache snooping attacks.
Risk: High
UDP Port: 53
The remote DNS server responds to queries for third-party domains
that do not have the recursion bit set.

    This may allow a remote attacker to determine which domains have
    recently been resolved via this name server, and therefore which hosts
    have been recently visited.

    For instance, if an attacker was interested in whether your company
    utilizes the online services of a particular financial institution,
    they would be able to use this attack to build a statistical model
    regarding company usage of that financial institution. Of course, the
    attack can also be used to find B2B partners, web-surfing patterns,
    external mail servers, and more.

Note: If this is an internal DNS server not accessible to outside
networks, attacks would be limited to the internal network. This
may include employees, consultants and potentially users on
a guest network or WiFi connection if supported.

Solution:
Use other DNS software.

lol, the solution seems a bit crude. Anyone who is knowledgeable, tell me what I can do to resolve this?

#2 BANNED (Join Date: Jun 2005, Location: Wild Wild West, Posts: 2,025)

If you are using BIND in its default state, it does have limited 3rd-party recursion and zone transfers, but you can reconfigure that easily enough to only allow local addresses and resolvers that actually have a legitimate need to be directly communicating with your server.

#3 Registered User (Join Date: Mar 2010, Posts: 2)

Spiral, can you be a little more specific as to what to change and where?

#4 BANNED (Join Date: Jun 2005, Location: Wild Wild West, Posts: 2,025)

Tell you what ....

Email me a copy of your /etc/resolv.conf and a capture of your "ifconfig", and from that I can probably write you up a quick list of the lines you need to insert and patch into your /etc/named.conf.

#5 Member (Join Date: Dec 2003, Posts: 89)

I can disable recursion quite easily, but this causes a huge issue as the store that operates on the same server cannot then complete the checkout process; it literally gets to a certain point and then goes to a blank screen.

Tested this a few times and it is repeatable: with recursion enabled checkout operates fine, with recursion disabled the checkout fails.

OsCommerce derivative is the framework used on the store, btw.
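Added example, not from any of the posts above: it puts the open named.conf that the scanner complains about next to a hardened one that does what #2 describes and keeps recursion for the store on the same box (#5's problem), by restricting `allow-recursion` and `allow-query-cache` instead of setting `recursion no`. The 192.0.2.0/24 range and the `trusted` ACL name are placeholders; the small checker only inspects the `options` block.

```python
"""Flag a BIND named.conf whose resolver cache is readable by third parties."""
import re

# Constructed: recursion on with no ACL, so anyone can query (and snoop) the cache.
OPEN_CONF = """
options {
    directory "/var/named";
    recursion yes;
};
"""

# Constructed: recursion and cached answers only for localhost and the LAN
# (192.0.2.0/24 is a placeholder); authoritative zones are still served to all.
HARDENED_CONF = """
acl "trusted" { 127.0.0.1; ::1; 192.0.2.0/24; };
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { trusted; };
    allow-query-cache { trusted; };
    allow-transfer { none; };
};
"""

def _options_block(conf: str) -> str:
    """Return the text inside the braces of the top-level options { ... }."""
    start = conf.find('options')
    open_brace = conf.find('{', start) if start >= 0 else -1
    if open_brace < 0:
        return ''
    depth = 0
    for j in range(open_brace, len(conf)):
        if conf[j] == '{':
            depth += 1
        elif conf[j] == '}':
            depth -= 1
            if depth == 0:
                return conf[open_brace + 1:j]
    return ''

def _option(block: str, name: str):
    """Value of `name value;` in the block, or None; 'recursion' must not match 'allow-recursion'."""
    m = re.search(r'(?<![\w-])' + re.escape(name) + r'\s+([^;]+);', block)
    return m.group(1).strip() if m else None

def snoopable(conf: str) -> list:
    """List of findings; empty means third parties cannot read the cache."""
    opts = _options_block(conf)
    if (_option(opts, 'recursion') or 'yes') == 'no':   # BIND default is yes
        return []                       # nothing is cached, nothing to snoop
    rec = _option(opts, 'allow-recursion')
    cache = _option(opts, 'allow-query-cache')
    if cache is None:
        cache = rec                     # BIND 9.4+: defaults to allow-recursion
    findings = []
    for name, val in (('allow-recursion', rec), ('allow-query-cache', cache)):
        # Assumption: a missing ACL is treated as open, as on older BIND builds.
        if val is None or re.search(r'\bany\b', val):
            findings.append(f'{name} unrestricted')
    return findings
```

After reloading named with the hardened block, a query from outside the trusted ACL with the recursion-desired bit cleared should get a REFUSED answer for a third-party name, while the store on localhost still resolves normally.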
