Penetration Testing mailing list archives

Previous By Date Next
Previous By Thread Next

Re: testing dns servers

From: mark foster <mark () foster cc>
Date: Sun, 15 Apr 2007 21:38:00 -0700
Zhihao wrote:

Hi,

How would you guys test a dns server for holes?

Here are some that i thought of..

1. Make sure it does not allow recursive queries.
2. Make sure it does not allow zone transfers from unauthorized hosts.
3. Make sure it is not vulnerable to dns cache poisoning.

Anything other vectors we could look at?

  

Does it allow unsecured dynamic updates?
If so, you could add wpad as an A record to example.com and stealthily
capture web browser traffic from that domain.
http://mark.foster.cc/wiki/index.php/User:Fostermarkd/WPAD

Or update www or mail records. Obviously a huge problem.

Is the control channel secured (rndc for bind usually runs on port
tcp/953). It is supposed to be secured with a key.

There is also the possibility of dns cache snooping.
http://www.sysvalue.com/papers/DNS-Cache-Snooping/

-- 
Said one park ranger, 'There is considerable overlap between the 
 intelligence of the smartest bears and the dumbest tourists.'
Mark D. Foster, CISSP <mark () foster cc>  http://mark.foster.cc/


------------------------------------------------------------------------
This List Sponsored by: Cenzic

Are you using SPI, Watchfire or WhiteHat?
Consider getting clear vision with Cenzic
See HOW Now with our 20/20 program!

http://www.cenzic.com/c/2020
------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: