DNS Server Dynamic Update Record Injection

medium Nessus Plugin ID 35372

Synopsis

The remote DNS server allows dynamic updates.

Description

It was possible to add a record into a zone using the DNS dynamic update protocol, as described by RFC 2136.

This protocol can be used by DHCP clients to enter their host names into the DNS maps, but it could be subverted by malicious users to redirect network traffic.

Solution

Ignore this warning if the scanner address is in the range of IP addresses that are allowed to perform updates.

Limit addresses that are allowed to do dynamic updates (eg, with BIND's 'allow-update' option) or implement TSIG or SIG(0).

Plugin Details

Severity: Medium

ID: 35372

File Name: dns_dyn_update.nasl

Version: 1.15

Type: remote

Family: DNS

Published: 1/15/2009

Updated: 10/26/2020

Dependencies: 35371, 11002

Risk Information

Risk Factor: Medium

CVSS Score Source: manual

CVSS Score Rationale: Insecure dns record update

CVSS v2.0

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS v3.0

Base Score: 5.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N

Vulnerability Information

Required KB Items: DNS/udp/53

Exploited by Nessus: true