| Field | Value |
| --- | --- |
| VID | 19001 |
| Severity | 30 |
| Port | 53 |
| Protocol | TCP, UDP |
| Class | DNS |
**Detailed Description**

The name server allows DNS zone transfers to be performed. A zone transfer returns the complete contents of the queried zone, which identifies every computer registered with the DNS server in that zone. An attacker can use this information to map the topology of your network and to spot new targets for an attack. Microsoft DNS server may allow zone transfer requests initiated from any host by default.

* References:
  * http://www.iss.net/security_center/static/3678.php
  * http://www.iss.net/security_center/static/212.php
  * http://www.acmebw.com/resources/papers/securing.pdf
**Recommendation**

Configure the DNS server to allow zone transfers only to the servers that absolutely need them.

1. For Windows systems: When a primary DNS zone is created on a Microsoft DNS server, the default zone transfer option is set to "allow to any server". Change this default so that zone information is not exposed to unauthorized systems: using the Microsoft DNS management console (dnsmgmt.msc), specify the list of hosts from which the DNS server should accept zone transfer requests.
2. For UNIX systems:
   1) With BIND 8, use the `allow-transfer` substatement, either globally in `options`:

   ```
   options { allow-transfer { x.x.x.x; }; };
   ```

   or for a specific zone:

   ```
   zone "secui.com" { type master; file "db.secui.com"; allow-transfer { x.x.x.x; }; };
   ```

   (Each address in the list must be terminated with a semicolon.)

   2) With BIND 4.9, use the `xfrnets` directive in named.boot:

   ```
   xfrnets 210.168.119.178&255.255.255.255
   ```
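As an added example, not part of the original entry, the same restriction expressed in BIND 9 `named.conf` syntax, which the BIND 8 and 4.9 snippets above predate: the open default that this check detects is shown commented out, and the hardened form limits transfers to a named ACL of secondaries and additionally requires a TSIG key. The ACL name, key name, addresses and zone name are assumed placeholders.

```conf
// Added example: BIND 9 named.conf. Addresses (RFC 5737 documentation ranges),
// ACL/key names and the zone name are constructed placeholders, not from the entry.

// Weak default, the condition this check reports: with no allow-transfer
// statement any client may pull the whole zone. Shown only for contrast.
// zone "example.com" {
//     type master;
//     file "db.example.com";
// };

// Hardened configuration
acl "xfer-secondaries" {
    192.0.2.2;          // secondary name server
    198.51.100.2;       // off-site secondary name server
};

key "xfer-key" {
    algorithm hmac-sha256;
    // Constructed placeholder; generate a real secret with tsig-keygen and
    // keep it out of version control.
    secret "YWRkZWQtZXhhbXBsZS1wbGFjZWhvbGRlcg==";
};

options {
    // Global default: deny zone transfers unless a zone statement overrides it.
    allow-transfer { none; };
};

zone "example.com" {
    type master;
    file "db.example.com";
    // The nested negation means the requester must BOTH come from a listed
    // secondary AND sign the request with xfer-key; either alone is refused.
    allow-transfer { !{ !xfer-secondaries; any; }; key xfer-key; };
    // Tell the secondaries to refresh promptly after the zone changes.
    also-notify { 192.0.2.2; 198.51.100.2; };
};
```

Validate the file with `named-checkconf` before reloading the server, and configure the matching key on each secondary so their transfer requests are signed.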