Dynamic updates are possible on the DNS server

Posted on 2011-05-09
Last Modified: 2012-05-11
Hello Friends,
We recently completed a vulnerability assessment, and one of the DNS-related observations is given below:

1. Dynamic updates are possible on the DNS server
Risk: LOW
Summary: It was possible to add a record into a zone using the DNS dynamic update protocol, as described by RFC 2136. This protocol can be used by DHCP clients to enter their host names into the DNS maps
Affected Resources:
CVE: NA
Exploitation: Hard
Impact: This vulnerability could be subverted by malicious users to redirect network traffic.
Solution: Limit addresses that are allowed to do dynamic updates (eg, with BIND's 'allow-update' option) or implement TSIG or SIG (0).

Please suggest whether there is any way to mitigate this risk without going for the BIND service.

Question by:ociadmin
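
Added example (not part of the original post or thread): one way to see whether unsigned RFC 2136 updates are reaching a DNS server is to classify captured DNS messages by opcode and by whether they end with a TSIG or SIG(0) record. The sample messages and the names `example.test` and `update-key` are constructed for illustration.

```python
import struct

OPCODE_UPDATE = 5               # RFC 2136 UPDATE
TYPE_SIG, TYPE_TSIG = 24, 250   # SIG(0) uses RR type SIG; TSIG has its own type

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while msg[off]:
        if msg[off] & 0xC0 == 0xC0:      # a compression pointer ends the name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def classify_update(msg):
    """Classify one raw DNS message: 'not-update', 'signed' or 'unsigned'."""
    try:
        _id, flags, zo, pr, up, ad = struct.unpack("!6H", msg[:12])
        if (flags >> 11) & 0xF != OPCODE_UPDATE:
            return "not-update"
        off, last_type = 12, None
        for _ in range(zo):                  # zone section: name, type, class
            off = _skip_name(msg, off) + 4
        for _ in range(pr + up + ad):        # prerequisite, update, additional RRs
            off = _skip_name(msg, off)
            last_type, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10 + rdlen
    except (IndexError, struct.error):
        raise ValueError("truncated DNS message") from None
    # TSIG must be the last additional RR; SIG(0) is likewise appended at the end.
    # Presence only: the signature itself is not verified here.
    return "signed" if ad and last_type in (TYPE_SIG, TYPE_TSIG) else "unsigned"

# --- constructed sample messages (not captured traffic) ---
def _name(n):
    return b"".join(bytes([len(p)]) + p.encode() for p in n.split(".")) + b"\0"

def _rr(name, rtype, rclass, ttl, rdata):
    return _name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata

def _update(adcount):
    hdr = struct.pack("!6H", 0x1234, OPCODE_UPDATE << 11, 1, 0, 1, adcount)
    zone = _name("example.test") + struct.pack("!HH", 6, 1)        # SOA, IN
    return hdr + zone + _rr("host.example.test", 1, 1, 300, bytes([192, 0, 2, 10]))

UNSIGNED = _update(0)
# TSIG rdata below is filler; the classifier reads only the RR type.
SIGNED = _update(1) + _rr("update-key", TYPE_TSIG, 255, 0, bytes(16))
QUERY = struct.pack("!6H", 1, 0x0100, 1, 0, 0, 0) + _name("example.test") + struct.pack("!HH", 1, 1)

if __name__ == "__main__":
    for label, m in (("unsigned", UNSIGNED), ("signed", SIGNED), ("query", QUERY)):
        print(label, "->", classify_update(m))
```

Any message classified as `unsigned` that the server answers with a success response code is the behaviour the finding describes.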

    Expert Comment

    Securing dynamic updates is covered in this link (allow only secure updates section):

    The article doesn't mention the use of BIND.

    Author Comment

    Hello npinfotech,
    The article talks about Win2000; in my case the server OS is Win 2008.

    Expert Comment

    Ah, got it. Here's one for Windows 2008 R2 directly from TechNet:

    Author Comment

    Thanks, but it's not what is being asked.
    This article explains a situation where we have AD integrated with DHCP.
    In our case AD is not integrated.
    The vulnerability report shows that since we don't have AD integration, dynamic updates are possible on the DNS servers. The solution says to remove the DNS service from the Win 2008 box, install the BIND service, and allow DNS updates from secure IPs.

    Accepted Solution

    If AD isn't integrated with your DNS implementation, you won't really have many options for securing minus BIND/TSIG/SIG. You might consider going with an external DNS altogether:
