DNS Server Source Port 53 Query Usage

medium Nessus Network Monitor Plugin ID 4601

Synopsis

The remote DNS server is vulnerable to a cache-poisoning attack.

Description

The remote host is running a DNS server that is configured to use port 53 as its source port for queries. This is extremely dangerous as an attacker only needs to spoof a 16-bit transaction ID in order to poison the DNS cache. A poisoned cache means that DNS clients can be directed to rogue sites and greatly simplifies phishing attacks.

Solution

Ensure that the DNS server is fully patched and can utilize a wide range of UDP source port numbers. For ISC servers, ensure that the following line does not exist within the configuration file: "query-source address * port 53;"

See Also

http://www.kb.cert.org/vuls/id/800113

Plugin Details

Severity: Medium

ID: 4601

Family: DNS Servers

Published: 7/22/2008

Updated: 3/6/2019

Risk Information

CVSS v2

Risk Factor: Medium

Base Score: 6.4

Temporal Score: 5.3

Vector: AV:N/AC:L/Au:N/C:N/I:P/A:P

Temporal Vector: E:F/RL:OF/RC:C

CVSS v3

Risk Factor: Medium

Base Score: 6.4

Temporal Score: 5.9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Temporal Vector: E:F/RL:O/RC:C

Reference Information

CVE: CVE-2008-1447

BID: 30131

IAVA: 2008-A-0045