DNS Server Dynamic Update Record Injection

medium Nessus Plugin ID 35372


The remote DNS server allows dynamic updates.


It was possible to add a record into a zone using the DNS dynamic update protocol, as described by RFC 2136.

This protocol can be used by DHCP clients to enter their host names into the DNS maps, but it could be subverted by malicious users to redirect network traffic.


Ignore this warning if the scanner address is in the range of IP addresses that are allowed to perform updates.

Limit addresses that are allowed to do dynamic updates (eg, with BIND's 'allow-update' option) or implement TSIG or SIG(0).

Plugin Details

Severity: Medium

ID: 35372

File Name: dns_dyn_update.nasl

Version: 1.16

Type: remote

Family: DNS

Published: 1/15/2009

Updated: 1/25/2023

Supported Sensors: Nessus

Risk Information

CVSS Score Rationale: Insecure dns record update


Risk Factor: Medium

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS Score Source: manual


Risk Factor: Medium

Base Score: 5.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N

Vulnerability Information

Required KB Items: DNS/udp/53

Exploited by Nessus: true