November 7, 2008

How to Secure your DNS Server

While conducting most of our penetration tests, we often find a very common DNS vulnerability. To understand this vulnerability, we first need to know what a DNS server is. DNS servers are responsible for name resolution, converting names to IP addresses. A company's DNS server contains records for a variety of objects such as hosts, servers and services. To synchronize and update, DNS servers transfer their records to other requesting DNS servers, and they should only transfer zone information to authorized servers. This is where the problem resides: sometimes these servers are configured to allow "anonymous" transfers, meaning that anyone can request a zone transfer without proper authentication or authorization. By not restricting anonymous zone transfers, companies sometimes jeopardize the overall security of their infrastructure.

The following procedure shows you how to check if
your server is vulnerable and allowing “anonymous” zone transfers.

Open the command line and type:

    nslookup
    set query=ns            <- this command will search for the domain's name servers.
    acme.com                <- specify your domain.
    set type=any            <- specify what type of record you want to get.
    server ns1.acme.com     <- specify the name server.
    ls acme.com             <- this will request a record listing, that is, a zone transfer.

If the results appear to be something like this, then your DNS server is configured to allow anonymous zone transfers:

    [ns1.acme.com]
     acme.com.      A       hhh.hhh.hhh.hhh
     acme1.com.     NS      server = ns1.acme.com
     acme2.com.     NS      server = ns2.acme.com
     mail1          A       uuu.uuu.uuu.uuu
     mail2          A       ddd.ddd.ddd.ddd
     www            A       uuu.uuu.uuu.uuu
     web2           A       iii.iii.iii.iii
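
To make the check above repeatable, here is an added Python example (not part of the original post) that parses the text of an nslookup ls listing and reports whether records came back, which is what an allowed anonymous transfer looks like. Both sample listings are constructed: the refusal wording is assumed, and the addresses are RFC 5737 documentation addresses rather than real hosts.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of an nslookup "ls" listing from a server that allowed the
# transfer (layout modelled on the post's example; addresses are RFC 5737
# documentation addresses, not real hosts).
LISTING_ALLOWED = """\
[ns1.acme.com]
 acme.com.                      A      192.0.2.10
 acme.com.                      NS     server = ns1.acme.com
 acme.com.                      NS     server = ns2.acme.com
 mail1                          A      192.0.2.20
 mail2                          A      192.0.2.21
 www                            A      192.0.2.30
"""

# Constructed sample of the refusal a correctly restricted server produces.
# The exact wording is assumed; what matters is that no records are listed.
LISTING_REFUSED = """\
[ns1.acme.com]
*** Can't list domain acme.com: Query refused
"""

# One record line: owner name, record type, then the data
# (an address, or "server = ..." for NS records).
RECORD_RE = re.compile(r"^\s*(\S+)\s+(A|AAAA|NS|MX|CNAME|SOA|TXT|SRV|PTR)\s+(.+?)\s*$")


def parse_listing(text: str) -> Tuple[str, List[Tuple[str, str, str]]]:
    """Return (queried server, records) parsed from nslookup 'ls' output."""
    server = ""
    records: List[Tuple[str, str, str]] = []
    for line in text.splitlines():
        # The bracketed line names the server that answered.
        if line.startswith("[") and line.rstrip().endswith("]"):
            server = line.strip()[1:-1]
            continue
        m = RECORD_RE.match(line)
        if m:
            records.append((m.group(1), m.group(2), m.group(3)))
    return server, records


def assess_zone_transfer(text: str) -> Dict[str, object]:
    """Decide whether the listing shows that an anonymous transfer succeeded.

    A single record line is enough: a server that refuses the transfer prints
    an error and lists no records at all.
    """
    server, records = parse_listing(text)
    hosts = sorted({name for name, rtype, _ in records if rtype == "A"})
    return {
        "server": server,
        "transfer_allowed": len(records) > 0,
        "record_count": len(records),
        "exposed_hosts": hosts,
    }


if __name__ == "__main__":
    for label, sample in (("allowed", LISTING_ALLOWED), ("refused", LISTING_REFUSED)):
        print(label, assess_zone_transfer(sample))
```

Save the output of the ls command to a file and pass its contents to assess_zone_transfer(); a result with transfer_allowed set means the server handed the zone to an unauthenticated client and the remediation steps that follow apply.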
Remediation: How to correct this problem on Windows 2003 Server.

  1. Log on to your DNS server.
  2. Go to Administrative Tools and open the DNS management console.
  3. Expand your local server and navigate down to your primary lookup zone.
  4. Right-click on the zone and select Properties.
  5. Go to the Zone Transfers tab.
  6. Make sure the Allow Zone Transfers box is checked.
  7. Select the option Only to servers listed on the Name Servers tab. Any secondary server that must still receive transfers has to appear on that Name Servers tab, otherwise its transfer requests will now be refused.
  8. Select OK.

(The original post showed Before and After screenshots of the Zone Transfers tab at this point.)

Remediation: How to correct this problem on UNIX or Linux.

To secure your BIND server, open the /etc/named.conf (or /etc/named.boot) file in a text editor and find the line marked "allow-transfer { any; };", which indicates that any IP address is allowed to get zone information. In this example, I want to allow zone transfers to take place only between my Red Hat 8 server, my Windows NT server with IP address 192.168.1.4, and another server with IP address 172.16.1.5. Therefore, I will change the allow-transfer line to read like the following:

    allow-transfer { 192.168.1.4; 172.16.1.5; };
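
As an added example (not from the original post), the following Python checks a named.conf fragment for the weak allow-transfer setting described above and shows the corrected form beside it. The three configuration fragments are constructed, and the function names are my own.

```python
import re
from typing import Dict, List

# Constructed named.conf fragments (not from the post): the weak setting the
# post describes, the corrected one, and a config with no directive at all.
WEAK_CONF = """
options {
    directory "/var/named";
    allow-transfer { any; };
};
"""

FIXED_CONF = """
options {
    directory "/var/named";
    allow-transfer { 192.168.1.4; 172.16.1.5; };
};
"""

NO_DIRECTIVE_CONF = """
options {
    directory "/var/named";
};
"""

# allow-transfer { <address match list> };  -- captures the list body.
ALLOW_TRANSFER_RE = re.compile(r"allow-transfer\s*\{([^}]*)\}\s*;")

# Positive entries that let any host pull the zone.
OPEN_ENTRIES = {"any", "0.0.0.0/0", "::/0"}


def parse_allow_transfer(conf: str) -> List[List[str]]:
    """Return the entries of each allow-transfer list in conf, in file order."""
    lists: List[List[str]] = []
    for m in ALLOW_TRANSFER_RE.finditer(conf):
        entries = [e.strip() for e in m.group(1).split(";") if e.strip()]
        lists.append(entries)
    return lists


def audit_allow_transfer(conf: str) -> Dict[str, object]:
    """Classify the transfer policy as 'open', 'restricted' or 'missing'.

    Negated entries such as "!192.0.2.1" never open anything, so they are
    skipped when looking for "any"; "none" closes the list. A config with
    several directives (global plus per-zone) is flagged open if any list is
    open, because a zone without its own directive inherits the global one.
    """
    lists = parse_allow_transfer(conf)
    if not lists:
        # Historically BIND allowed transfers to anyone when allow-transfer
        # was absent, so treat a missing directive as something to review.
        return {
            "status": "missing",
            "allowed": [],
            "reason": "no allow-transfer directive; check this version's default",
        }
    allowed: List[str] = []
    status = "restricted"
    for entries in lists:
        positive = [e for e in entries if not e.startswith("!")]
        if any(e in OPEN_ENTRIES for e in positive):
            status = "open"
        allowed.extend(e for e in positive if e != "none")
    return {"status": status, "allowed": allowed, "reason": ""}


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF), ("missing", NO_DIRECTIVE_CONF)):
        print(label, audit_allow_transfer(conf))
```

The edited setting takes effect only after named rereads its configuration (for example with rndc reload on BIND 9). An allow-transfer statement inside a zone block overrides the one in options, so audit both when a configuration has several.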