ociadmin

asked on

Dynamic updates are possible on the DNS server

Hello Friends
We have recently done a vulnerability assessment task, and one of the DNS-related observations is mentioned below:


1. Dynamic updates are possible on the DNS server
Risk: LOW
Summary: It was possible to add a record into a zone using the DNS dynamic update protocol, as described by RFC 2136. This protocol can be used by DHCP clients to enter their host names into the DNS maps
Affected Resources: 10.0.0.15
CVE: NA
Exploitation: Hard
Impact: This vulnerability could be subverted by malicious users to redirect network traffic.
Solution: Limit addresses that are allowed to do dynamic updates (eg, with BIND's 'allow-update' option) or implement TSIG or SIG (0).

Please suggest whether there is any way to mitigate this risk without going for the BIND service.

Thanks
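
Added example, not part of the original thread or of any scanner or vendor code: a Python check for the monitoring side of the finding quoted above. It reads the opcode and zone name from a DNS payload and reports RFC 2136 UPDATE requests whose source is not on an allow list. The allow-listed address 10.0.0.20, the zone example.test, the sample payloads and all function names are assumptions constructed for illustration.

```python
import ipaddress
import struct

OPCODE_UPDATE = 5  # RFC 2136 UPDATE (0 is a standard QUERY)
# Assumption: the only host expected to send updates, e.g. the DHCP server.
ALLOWED_UPDATERS = [ipaddress.ip_network("10.0.0.20/32")]

def read_name(msg, off):
    """Decode the uncompressed name at off (the zone name comes first, so no pointers)."""
    labels = []
    while msg[off]:  # IndexError on truncation is handled by the caller
        length = msg[off]
        if length & 0xC0 or off + 1 + length > len(msg):
            raise ValueError("bad label")
        labels.append(msg[off + 1:off + 1 + length].decode("ascii", "replace"))
        off += 1 + length
    return ".".join(labels)

def classify(src_ip, msg):
    """Return (verdict, zone, update_rr_count) for one DNS payload."""
    if len(msg) < 12:
        return ("malformed", None, 0)
    _id, flags, zocount, _pr, upcount, _ad = struct.unpack("!6H", msg[:12])
    if flags >> 15 or (flags >> 11) & 0xF != OPCODE_UPDATE:
        return ("not-update", None, 0)  # responses and other opcodes
    try:
        zone = read_name(msg, 12) if zocount else None
    except (ValueError, IndexError):
        return ("malformed", None, upcount)
    allowed = any(ipaddress.ip_address(src_ip) in net for net in ALLOWED_UPDATERS)
    return ("allowed-update" if allowed else "unexpected-update", zone, upcount)

def build(opcode, name, rtype, upcount=0):
    """Constructed sample: header, one zone/question entry, optional A record."""
    msg = struct.pack("!6H", 0x1234, opcode << 11, 1, 0, upcount, 0)
    msg += b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    msg += struct.pack("!2H", rtype, 1)  # type, class IN
    if upcount:  # "host" + pointer to the zone name at offset 12; A, IN, TTL 300
        msg += b"\x04host\xc0\x0c" + struct.pack("!2HIH", 1, 1, 300, 4) + bytes([10, 0, 0, 99])
    return msg

SAMPLES = [  # constructed (source address, payload) pairs
    ("10.0.0.20", build(5, "example.test", 6, 1)),      # UPDATE from the allowed host
    ("10.0.0.77", build(5, "example.test", 6, 1)),      # UPDATE from another host
    ("10.0.0.77", build(0, "www.example.test", 1)),     # ordinary A query
]

for src, payload in SAMPLES:
    print(src, classify(src, payload))
```
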
npinfotech

Securing dynamic updates is covered in this link (allow only secure updates section):

http://joker.tomsk.net/w2k/webfiles/modules/03m8c.htm

The article doesn't mention the use of BIND.
ociadmin

ASKER

Hello npinfotech
The article talks about Win2000; in my case the server OS is Win 2008.
Ah, got it. Here's one for Windows 2008 R2 directly from TechNet:

http://technet.microsoft.com/en-us/library/cc753751.aspx
Thanks, but it's not what is being asked.
This article explains a situation where we have AD integrated with DHCP.
In our case AD is not integrated.
The vulnerability report shows that since we don't have AD integrated, dynamic updates are possible on the DNS servers. The solution says to remove the DNS service from the Win 2008 box, install the BIND service, and allow DNS updates from secure IPs.
ASKER CERTIFIED SOLUTION
npinfotech