Bugtraq mailing list archives
Re: NT DNS Server leaks administrator account name in SOA record
From: cgknipe () MWEB CO ZA (Chris Knipe)
Date: Tue, 27 Jun 2000 10:12:09 +0200
Hi... NT puts the account name in the SOA based on who created the zone. Simple example. Create a user called foo. Give foo administrative privilidges, and then create a zone - while you are logged in with user foo. The Zone will now have foo in the SOA record as a contact. Whether it is the administrator's account or not, has no relevence towards this whatsoever, and the SOA is assigned the login name of the CREATOR of the zone file. This behaviour is quite right, and nothing wrong with it frankly. I mean, if the "creator" or "administrator" of a certain DNS zone, can't have his / her email on the contact for a SOA, what's the use of having a contact email address in the SOA? This is definately in no ways whatsoever directed towards anything mis-behaving or malfunctioning within Windows NT. Kind Regards Chris Knipe ----- Original Message ----- From: Roy Hills <bugtraq-l () NTA-MONITOR COM> To: <BUGTRAQ () SECURITYFOCUS COM> Sent: 26 June 2000 03:12 Subject: NT DNS Server leaks administrator account name in SOA record
I've noticed that the Microsoft DNS server on NT Server 4.0 leaks the administrator account name in the "contact" field of the DNS SOA record for all zones that it is authoritative for. For example, an DNS lookup for the SOA record of "domain.com" might give the following answer if the built-in administrator's account name is
the
default of "Administrator" and that account was used to add the
"domain.com"
DNS zone: domain.com. 86400 SOA ns.domain.com. administrator.domain.com. ( 2000062001 ; serial 7200 ; refresh (2 hours) 3600 ; retry (1 hour) 1209600 ; expire (14 days) 86400 ) ; minimum (1 day) If the administrator account name had been renamed from the default "Administrator" to "Hardman", the SOA record for subsequently created zones would be: domain.com. 86400 SOA ns.domain.com. hardman.domain.com. ( 2000062001 ; serial 7200 ; refresh (2 hours) 3600 ; retry (1 hour) 1209600 ; expire (14 days) 86400 ) ; minimum (1 day) It looks like the SOA contact field is being generated from the username that was used to add the DNS zone using DNS manager. Often this will be the built-in administrator account. I think that a better behavior would be to use a fixed generic contact such as "postmaster () domain com" which will always exist and doesn't give away any information. Most NT security guides advise administrators to rename the built-in Administrator account to a hard-to-guess name. However, if the NT server is acting as a DNS server using Microsoft DNS server software, it is
possible
to determine the name of the administrator account from an SOA query. It is possible to manually change the contact Email address in the SOA
record
to prevent this information leakage, but I suspect that most people won't bother to do this and will leave it at the default. It suggest that people who are concerned about this manually change their SOA record contact details to something generic like "postmaster () domain com" until a fix becomes available. I've seen this behaviour on Windows NT Server 4.0 SP4 and SP5 running the Microsoft DNS Server network service. I suspect that it also occurs on
other
service packs such as SP3 and SP6, but I've not verified this. I've also
not
checked if Windows2000 DNS server is affected in the same way. Regards, Roy Hills NTA Monitor Ltd -- Roy Hills Tel: +44 1634 721855 NTA Monitor Ltd FAX: +44 1634 721844 14 Ashford House, Beaufort Court, Medway City Estate, Email:
Roy.Hills () nta-monitor com
Rochester, Kent ME2 4FA, UK WWW:
http://www.nta-monitor.com/
Current thread:
- Re: Force Feeding, (continued)
- Re: Force Feeding M. Burnett (Jun 26)
- Re: Force Feeding Phonix (Jun 27)
- [suse-security-announce] SuSE Security Announcement: wuftpd-2.6 (fwd) Daniel T. Chen (Jun 27)
- DoS in FirstClass Internet Services 5.770 Adam Prime (Jun 27)
- [slackware-security] wu-ftpd remote exploit patched Christopher Kager (Jun 28)
- [SECURITY] New verion of dhcp released debian-security-announce () LISTS DEBIAN ORG (Jun 28)
- Security Bulletins Digest patrick () PINE NL (Jun 28)
- Bypassing Warnings For Invalid SSL Certificates, Part Two Frank Knobbe (Jun 28)
- NT DNS Server leaks administrator account name in SOA record Roy Hills (Jun 26)
- Re: NT DNS Server leaks administrator account name in SOA record Mikael Olsson (Jun 26)
- Re: NT DNS Server leaks administrator account name in SOA record Chris Knipe (Jun 27)