Bugtraq mailing list archives
NT DNS Server leaks administrator account name in SOA record
From: bugtraq-l () NTA-MONITOR COM (Roy Hills)
Date: Mon, 26 Jun 2000 14:12:51 +0100
I've noticed that the Microsoft DNS server on NT Server 4.0 leaks the administrator account name in the "contact" field of the DNS SOA record for all zones that it is authoritative for. For example, a DNS lookup for the SOA record of "domain.com" might give the following answer if the built-in administrator's account name is the default of "Administrator" and that account was used to add the "domain.com" DNS zone:

    domain.com.  86400  SOA  ns.domain.com.  administrator.domain.com. (
                              2000062001  ; serial
                              7200        ; refresh (2 hours)
                              3600        ; retry (1 hour)
                              1209600     ; expire (14 days)
                              86400 )     ; minimum (1 day)

If the administrator account name had been renamed from the default "Administrator" to "Hardman", the SOA record for subsequently created zones would be:

    domain.com.  86400  SOA  ns.domain.com.  hardman.domain.com. (
                              2000062001  ; serial
                              7200        ; refresh (2 hours)
                              3600        ; retry (1 hour)
                              1209600     ; expire (14 days)
                              86400 )     ; minimum (1 day)

It looks like the SOA contact field is being generated from the username that was used to add the DNS zone using DNS Manager. Often this will be the built-in administrator account. I think that a better behaviour would be to use a fixed generic contact such as "postmaster () domain com", which will always exist and doesn't give away any information.

Most NT security guides advise administrators to rename the built-in Administrator account to a hard-to-guess name. However, if the NT server is acting as a DNS server using Microsoft DNS server software, it is possible to determine the name of the administrator account from an SOA query.

It is possible to manually change the contact email address in the SOA record to prevent this information leakage, but I suspect that most people won't bother to do this and will leave it at the default. I suggest that people who are concerned about this manually change their SOA record contact details to something generic like "postmaster () domain com" until a fix becomes available.
I've seen this behaviour on Windows NT Server 4.0 SP4 and SP5 running the Microsoft DNS Server network service. I suspect that it also occurs on other service packs such as SP3 and SP6, but I've not verified this. I've also not checked if Windows 2000 DNS server is affected in the same way.

Regards,

Roy Hills
NTA Monitor Ltd

--
Roy Hills
NTA Monitor Ltd
14 Ashford House, Beaufort Court, Medway City Estate, Rochester, Kent ME2 4FA, UK
Tel: +44 1634 721855
FAX: +44 1634 721844
Email: Roy.Hills () nta-monitor com
WWW: http://www.nta-monitor.com/
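The check a practitioner would want from the post above is a way to pull the RNAME (contact) field out of an SOA answer and flag contacts that look like a person's or account's name rather than a generic role mailbox. The following is an added example, not code from Roy Hills or NTA Monitor. It parses SOA records in the dig/nslookup text form, converts the RNAME to a mailbox (first unescaped dot becomes "@", per RFC 1035 section 3.3.13), and reports any contact whose local part is not in an assumed list of generic role names. The sample records are constructed to mirror the two in the post plus one hardened zone and one with an escaped dot; the GENERIC_CONTACTS list is an illustrative assumption, not an authoritative standard.

```python
"""Audit SOA RNAME fields for leaked account names.

Added example, not part of the original Bugtraq post. Sample SOA answers
below are constructed; GENERIC_CONTACTS is an assumed list for illustration.
"""
import re
from typing import Dict, List, Optional

# Assumption: role mailboxes that do not identify a person or login name.
GENERIC_CONTACTS = {"hostmaster", "postmaster", "dnsadmin", "dns", "noc", "abuse"}

# Matches both "zone. TTL SOA mname rname (" (nslookup style) and
# "zone. TTL IN SOA mname rname ..." (dig style). TTL and class are optional.
SOA_RE = re.compile(
    r"^(?P<zone>\S+)\s+(?:\d+\s+)?(?:IN\s+)?SOA\s+(?P<mname>\S+)\s+(?P<rname>\S+)",
    re.IGNORECASE | re.MULTILINE,
)


def rname_to_email(rname: str) -> str:
    """Turn an SOA RNAME into a mailbox.

    The first unescaped '.' separates local part from domain; a '\\.' inside
    the local part is a literal dot (RFC 1035 s3.3.13). A trailing root dot is
    dropped.
    """
    name = rname.rstrip(".")
    local: List[str] = []
    i = 0
    while i < len(name):
        ch = name[i]
        if ch == "\\" and i + 1 < len(name):
            local.append(name[i + 1])   # escaped character, keep literally
            i += 2
            continue
        if ch == ".":
            return "".join(local) + "@" + name[i + 1:]
        local.append(ch)
        i += 1
    return "".join(local)               # malformed RNAME with no domain part


def parse_soa(answer_text: str) -> Optional[Dict[str, str]]:
    """Extract zone, primary server and contact from an SOA answer; None if absent."""
    m = SOA_RE.search(answer_text)
    if not m:
        return None
    return {
        "zone": m.group("zone").rstrip("."),
        "mname": m.group("mname").rstrip("."),
        "rname": m.group("rname"),
        "contact": rname_to_email(m.group("rname")),
    }


def leaks_account_name(contact: str) -> bool:
    """True when the local part is not a known generic role name.

    This is a heuristic: a renamed account such as 'hardman' cannot be told
    apart from a real person's mailbox, so anything non-generic is flagged
    for review rather than declared a confirmed leak.
    """
    local = contact.split("@", 1)[0].lower()
    return local not in GENERIC_CONTACTS


def audit(answers: List[str]) -> List[str]:
    """Return a finding line per zone whose SOA contact should be reviewed."""
    findings = []
    for text in answers:
        rec = parse_soa(text)
        if rec is None:
            continue
        if leaks_account_name(rec["contact"]):
            findings.append(f'{rec["zone"]}: SOA contact "{rec["contact"]}" is not a generic role mailbox')
    return findings


# Constructed sample answers modelled on the records in the post.
SAMPLE_DEFAULT = "domain.com. 86400 SOA ns.domain.com. administrator.domain.com. ( 2000062001 7200 3600 1209600 86400 )"
SAMPLE_RENAMED = "domain.com.\t\t86400\tIN\tSOA\tns.domain.com. hardman.domain.com. 2000062001 7200 3600 1209600 86400"
SAMPLE_FIXED = "domain.com. 86400 SOA ns.domain.com. postmaster.domain.com. ( 2000062001 7200 3600 1209600 86400 )"
SAMPLE_ESCAPED = "example.com. 3600 IN SOA ns1.example.com. john\\.smith.example.com. 1 7200 3600 1209600 3600"

if __name__ == "__main__":
    for line in audit([SAMPLE_DEFAULT, SAMPLE_RENAMED, SAMPLE_FIXED, SAMPLE_ESCAPED]):
        print(line)
```

Against a live server the same functions can be fed the output of `nslookup -type=soa domain.com` or `dig SOA domain.com`; the parser only needs the answer line that carries the SOA RDATA.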