Synopsis
The remote DNS server allows dynamic updates.
Description
It was possible to add a record into a zone using the DNS dynamic update protocol, as described by RFC 2136.
This protocol can be used by DHCP clients to enter their host names into the DNS maps, but it could be subverted by malicious users to redirect network traffic.
Solution
Ignore this warning if the scanner address is in the range of IP addresses that are allowed to perform updates.
Limit addresses that are allowed to do dynamic updates (e.g., with BIND's 'allow-update' option) or implement TSIG or SIG(0).
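The restriction described above, sketched in BIND named.conf syntax as an added example (not taken from the plugin or from the BIND project): the permissive setting beside an address-restricted and a TSIG-restricted form. The zone name, file path, ACL name, address, key name and secret are constructed placeholders.

```conf
// BEFORE (the condition this plugin reports): any host that can reach
// the server may add or change records in the zone.
// zone "example.com" {
//     type master;
//     file "dynamic/example.com.db";
//     allow-update { any; };
// };

// OPTION 1: limit updates by source address (placeholder DHCP server).
// UDP source addresses can be forged, so prefer option 2 where possible.
acl "ddns-clients" { 192.0.2.10; };

// OPTION 2: require a TSIG signature on every update.
// Generate the key with:  tsig-keygen -a hmac-sha256 ddns-key
// Keep it in a file readable only by the named user.
key "ddns-key" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_GENERATED_SECRET";  // placeholder, not a valid key
};

zone "example.com" {
    type master;
    file "dynamic/example.com.db";

    // Use exactly one of the statements below; allow-update and
    // update-policy cannot both appear in the same zone.

    // Option 1: address ACL only.
    // allow-update { ddns-clients; };

    // Option 2a: any update signed with the key is accepted.
    // allow-update { key "ddns-key"; };

    // Option 2b: signed updates, limited to address records in this zone.
    update-policy { grant ddns-key zonesub A AAAA; };
};
```

After reloading the configuration, a rescan from an address outside the permitted set should no longer trigger this finding.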
Plugin Details
File Name: dns_dyn_update.nasl
Risk Information
CVSS Score Rationale: Insecure DNS record update
CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSS Score Source: manual
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
Vulnerability Information
Required KB Items: DNS/udp/53
Exploited by Nessus: true