| VID | 19011 |
| Severity | 30 |
| Port | 53 |
| Protocol | UDP |
| Class | DNS |
| Detailed Description |
The DNS server has dynamic updates enabled, so its database may be modified by malicious users. Dynamic updates let the BIND administrator change name service information at run time rather than by editing zone files. With dynamic updates enabled, every host can perform DNS updates (add, delete and modify) against the DNS server database, that is, its resource records. Malicious users can easily launch an attack by altering the records in the DNS database.
* References:
  * http://www.iss.net/security_center/static/196.php
  * http://www.microsoft.com/technet/network/tcpip2k.asp
  * http://www.iss.net/security_center/static/3676.php
* Platforms Affected: DNS Server, any version
| Recommendation |
For Windows platforms: Do not enable the "Allow update" option for the Microsoft DNS server. Manually add the necessary DNS RRs to the DNS database.
For UNIX/Linux: If you use BIND, add the following option to your named.conf to disable this feature entirely: allow-update {none;};
If dynamic update is required, run a different DNS server implementation such as ISC BIND, which accepts dynamic updates only from a list of specified hosts.
For details, see http://www.acmebw.com/resources/papers/securing.pdf
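As an added example that is not part of this record, a BIND named.conf fragment shows the open setting this check reports beside the hardened form, with updates on one zone restricted to a list of specified hosts. The zone names, addresses and key name are assumptions; the secret is a placeholder.

```conf
// Weak: any host can add, delete or modify records in this zone
// (the condition this check reports).
zone "example.com" {
    type master;
    file "example.com.zone";
    allow-update { any; };
};

// Hardened: refuse dynamic updates for the zone. This is also the BIND
// default when allow-update is omitted, but stating it makes intent explicit.
zone "example.com" {
    type master;
    file "example.com.zone";
    allow-update { none; };
};

// If a zone genuinely needs dynamic updates, name the hosts allowed to send
// them (hypothetical documentation addresses) ...
acl ddns-clients { 192.0.2.10; 192.0.2.11; };

// ... and require a TSIG key as well, because the source address of a UDP
// update is spoofable. Generate the secret with tsig-keygen; placeholder here.
key "ddns-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-BASE64-TSIG-SECRET";
};

zone "dyn.example.com" {
    type master;
    file "dyn.example.com.zone";
    // Accept an update only if it comes from ddns-clients AND is signed
    // with ddns-key; everything else is refused.
    allow-update { !{ !ddns-clients; any; }; key "ddns-key"; };
};
```

Restart or reconfigure named after the change and confirm with an unsigned nsupdate from a non-listed host that the server answers REFUSED.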
| Related URL | CVE-1999-0184 (CVE) |
| Related URL | (SecurityFocus) |
| Related URL | (ISS) |