M> We have an "in house" app which scans the network and searches
M> for vulnerabilities according to our security policies.
M> One of those findings refers to DNS IQUERY Enabled, and
M> the solution is simply to disable inverse query.
You have an application, written by people at your organisation, that tells
you (a) that "DNS IQUERY is enabled" and (b) that you are to "disable inverse
queries".
Your application is suspect. Question the authors of the application, to find
out what it is actually testing and what results prompt such messages to be
given.
Hint: I suspect that you'll find that if Microsoft's DNS server is responding
at all, it is sending dummy responses to inverse queries, just like ISC's BIND
does when the "fake-iquery" option is enabled. (I have no tools for sending
inverse queries, and so no way to test what Microsoft's DNS server does with
them. But it is highly likely that what I suspect is in fact the case, given
what I said before about inverse query support in other DNS server
software.) At least one purported "vulnerability scanner", Cybercop, has
been known to incorrectly draw attention to such dummy responses as being a
security problem when in fact they are not. Perhaps the application that the
people at your organisation have written also reports false positives.
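One way to check what a scanner like the one above actually observed is to send a single RFC 1035 inverse query to your own server and look at the opcode and RCODE that come back. The following is an added example, not code from the thread; the server address, the probe address 10.0.0.1 and the two sample responses are constructed for illustration.

```python
import socket
import struct

OPCODE_IQUERY = 1  # RFC 1035 §4.1.1: opcode 1 is the inverse query
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
               3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}

def build_iquery(ipv4: str, txn_id: int = 0x1234) -> bytes:
    """RFC 1035 §6.4 inverse query: empty question section and one A RR in
    the answer section whose RDATA is the address we want a name for."""
    flags = OPCODE_IQUERY << 11          # QR=0, opcode=1, no other bits
    header = struct.pack("!HHHHHH", txn_id, flags, 0, 1, 0, 0)
    # owner name = root label, TYPE=A, CLASS=IN, TTL=0, RDLENGTH=4, RDATA=addr
    rr = b"\x00" + struct.pack("!HHIH", 1, 1, 0, 4) + socket.inet_aton(ipv4)
    return header + rr

def classify_response(resp: bytes, txn_id: int = 0x1234) -> str:
    """Reduce a raw reply to what matters for the finding: NOTIMP means the
    server rejects IQUERY; ANSWERED means it filled in a question section,
    which is what BIND's "fake-iquery" dummy responses look like."""
    if len(resp) < 12:
        return "INVALID"
    rid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != txn_id or not flags & 0x8000:  # wrong ID or QR bit not set
        return "INVALID"
    opcode = (flags >> 11) & 0xF
    rcode = flags & 0xF
    if rcode == 4:
        return "NOTIMP"
    if rcode == 0 and opcode == OPCODE_IQUERY and qd > 0:
        return "ANSWERED"
    return RCODE_NAMES.get(rcode, f"RCODE{rcode}")

def probe(server: str, ipv4: str = "10.0.0.1", timeout: float = 2.0) -> str:
    """Send one inverse query over UDP/53 to a server you administer."""
    pkt = build_iquery(ipv4)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (server, 53))
        data, _ = s.recvfrom(512)
    return classify_response(data)

# Constructed sample replies (no network needed): a NOTIMP rejection, and a
# dummy answer with the bracketed-address name style of BIND's fake-iquery.
SAMPLE_NOTIMP = struct.pack("!HHHHHH", 0x1234, 0x8000 | (1 << 11) | 4, 0, 0, 0, 0)
SAMPLE_DUMMY = (struct.pack("!HHHHHH", 0x1234, 0x8000 | (1 << 11), 1, 1, 0, 0)
                + b"\x0a[10.0.0.1]\x00" + struct.pack("!HH", 1, 1))
```

A NOTIMP result means the scanner's "IQUERY enabled" message cannot have come from a real inverse-query answer; an ANSWERED result only shows a dummy reply, not a usable inverse lookup.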