Solved

Dynamic updates are possible on the DNS server

Posted on 2011-05-09
Last Modified: 2012-05-11
Hello Friends
We have recently done a vulnerability assessment task, and one of the DNS-related observations is mentioned below:


1. Dynamic updates are possible on the DNS server

Risk: LOW
Summary: It was possible to add a record into a zone using the DNS dynamic update protocol, as described by RFC 2136. This protocol can be used by DHCP clients to enter their host names into the DNS maps.
Affected Resources: 10.0.0.15
CVE: NA
Exploitation: Hard
Impact: This vulnerability could be subverted by malicious users to redirect network traffic.
Solution: Limit addresses that are allowed to do dynamic updates (e.g., with BIND's 'allow-update' option) or implement TSIG or SIG(0).

Please suggest: is there any way to mitigate this risk without going for the BIND service?

Thanks
Question by:ociadmin

Expert Comment

by:npinfotech
ID: 35726166
Securing dynamic updates is covered in this link (allow only secure updates section):

http://joker.tomsk.net/w2k/webfiles/modules/03m8c.htm

The article doesn't mention the use of BIND.
Author Comment

by:ociadmin
ID: 35726299
Hello npinfotech
The article talks about Windows 2000; in my case the server OS is Windows 2008.

Expert Comment

by:npinfotech
ID: 35726341
Ah, got it. Here's one for Windows 2008 R2 directly from TechNet:

http://technet.microsoft.com/en-us/library/cc753751.aspx
Author Comment

by:ociadmin
ID: 35726381
Thanks, but it's not what is being asked.
This article explains a situation where we have AD integrated with DHCP.
In our case AD is not integrated.
The vulnerability report shows that since we don't have AD integrated, dynamic updates are possible on the DNS servers. The solution says to remove the DNS service from the Windows 2008 box, install the BIND service, and allow DNS updates from secure IPs.

Accepted Solution

by: npinfotech (earned 2000 total points)
ID: 35726431
If AD isn't integrated with your DNS implementation, you won't really have many options for securing it, minus BIND/TSIG/SIG. You might consider going with an external DNS altogether:

http://www.dyndns.com/
http://www.opendns.com/solutions/overview/
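For the situation in this thread (a standard, non-AD-integrated primary zone on a Windows 2008 DNS server), the check a defender would run before deciding is to list which zones still accept nonsecure dynamic updates, and the Windows-native fallback is to turn dynamic updates off for zones that do not need them. The following is an added example, not code from the thread or from Microsoft; it assumes the MicrosoftDNS WMI provider is present on the DNS server (it is on Windows Server 2003/2008 DNS), that it is run with DNS administrator rights, and that the server name DNS01 is a placeholder you replace.

```powershell
# Added example: audit Windows DNS primary zones for unauthenticated (nonsecure)
# dynamic updates, and optionally disable updates on the zones that allow them.
# Assumptions: root\MicrosoftDNS WMI provider available, run as DNS admin,
# and 'DNS01' is a placeholder server name.
param(
    [string]$Server = 'DNS01',   # placeholder: your DNS server name
    [switch]$Fix                 # when set, disable dynamic updates on flagged zones
)

# MicrosoftDNS_Zone.AllowUpdate: 0 = no dynamic updates,
# 1 = nonsecure and secure (the scanner finding), 2 = secure only (AD-integrated zones only)
$allowUpdateNames = @{ 0 = 'None'; 1 = 'NonsecureAndSecure'; 2 = 'SecureOnly' }

# ZoneType 1 = standard (file-backed) primary zone; AD-integrated zones report 0
$zones = Get-WmiObject -Namespace 'root\MicrosoftDNS' -Class 'MicrosoftDNS_Zone' `
             -ComputerName $Server |
         Where-Object { $_.ZoneType -eq 1 }

foreach ($zone in $zones) {
    $mode = $allowUpdateNames[[int]$zone.AllowUpdate]
    $flag = if ($zone.AllowUpdate -eq 1) { 'FINDING' } else { 'ok' }
    Write-Output ('{0,-8} {1,-30} AllowUpdate={2}' -f $flag, $zone.Name, $mode)

    if ($Fix -and $zone.AllowUpdate -eq 1) {
        # A standard primary zone cannot use 'secure only' (that needs AD integration),
        # so without BIND/TSIG the remaining Windows-native option is to disable
        # dynamic updates for the zone entirely (AllowUpdate 0) via dnscmd.
        & dnscmd $Server /Config $zone.Name /AllowUpdate 0
    }
}
```

Run it without -Fix first to see which zones the scanner would flag; after disabling updates on a zone, host records for DHCP clients have to be maintained statically or by a DHCP server that is itself trusted to register them.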