Re: [Full-disclosure] Exploiting Microsoft dynamic Dns updates

Dear Denis,

As I said before, this feature/vulnerability related to dynamic DNS
updates has been known for a long time. My experience has demonstrated that this
weak configuration is very common and extended among most companies, and
some of the attack vectors that I exposed were never considered as a threat.

I agree with you that Windows 2003 provides more security, but that's not
the default configuration with Windows 2000 Server.

I was not aware of the nsupdate tool, so I coded Dnsfun just as a proof of
concept (not as a high-sk1llz hacker tool). It helped me to test some
configuration issues.
If it also helps people to identify risky configurations then it's enough for

Andres Tarasco

2007/4/3, Denis Jedig <dj@xxxxxxxxxxxx>:

On Thu, 22 Mar 2007 11:35:18 +0100 Andres Tarasco wrote:

> By default, most Microsoft DNS servers integrated with active directory
> insecure dynamic updates for dns records.

This statement is way too broad. Creating an AD-integrated zone in Windows
Server 2003 does create a "secure updates only" zone by default. You can
influence this behavior in the zone creation wizard though.

> dnsfun exploits that weak configuration and allows remote users to
> modify dns records.

I am not sure if I do see the point in rewriting nsupdate from bindtools.
I am also quite uncertain if this really might count as a "hacker" or
"security" tool of any kind.

Denis Jedig
syneticon networks GbR

Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia -
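
Added example, not part of the original messages and not code from Dnsfun or nsupdate: a defender-side check in Python that reads a captured DNS UPDATE (RFC 2136) request and its response, and reports when an update carrying no TSIG record was answered with NOERROR, which is how a zone that allows insecure dynamic updates shows up on the wire. The function names are hypothetical, and the sample messages, names and addresses are constructed.

```python
import struct

OPCODE_UPDATE = 5   # RFC 2136
TYPE_TSIG = 250     # TSIG RR; GSS-TSIG (RFC 3645) secure updates use the same type

def _skip_name(msg, pos):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:       # a compression pointer ends the name
            return pos + 2
        pos += 1 + length

def parse_update(msg):
    """Return (is_update, is_response, rcode, has_tsig) for one DNS message."""
    _id, flags, zo, pr, up, ad = struct.unpack("!6H", msg[:12])
    pos = 12
    for _ in range(zo):                  # zone section: name, type, class
        pos = _skip_name(msg, pos) + 4
    has_tsig = False
    for i in range(pr + up + ad):        # prerequisite, update, additional RRs
        pos = _skip_name(msg, pos)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10 + rdlen
        if i >= pr + up and rtype == TYPE_TSIG:   # TSIG lives in "additional"
            has_tsig = True
    return (flags >> 11) & 0xF == OPCODE_UPDATE, bool(flags >> 15), flags & 0xF, has_tsig

def unsigned_update_accepted(request, response):
    """True when an UPDATE without TSIG was answered with NOERROR (rcode 0)."""
    q_upd, q_resp, _, q_tsig = parse_update(request)
    r_upd, r_resp, r_rcode, _ = parse_update(response)
    return (q_upd and not q_resp and not q_tsig and r_upd and r_resp
            and request[:2] == response[:2] and r_rcode == 0)

def _name(n):
    return b"".join(bytes([len(l)]) + l.encode() for l in n.split(".")) + b"\x00"

# Constructed samples: zone example.test, one A record added, dummy TSIG rdata.
ZONE = _name("example.test") + struct.pack("!HH", 6, 1)
ADD_A = _name("host.example.test") + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
TSIG = _name("key.example.test") + struct.pack("!HHIH", TYPE_TSIG, 255, 0, 4) + b"\x00" * 4
UNSIGNED = struct.pack("!6H", 0x1234, 0x2800, 1, 0, 1, 0) + ZONE + ADD_A
SIGNED = struct.pack("!6H", 0x1234, 0x2800, 1, 0, 1, 1) + ZONE + ADD_A + TSIG
ACCEPTED = struct.pack("!6H", 0x1234, 0xA800, 0, 0, 0, 0)   # response, NOERROR
REFUSED = struct.pack("!6H", 0x1234, 0xA805, 0, 0, 0, 0)    # response, REFUSED
```

An unsigned request followed by REFUSED is not a finding by itself; the pair to look for on a zone meant to be "secure updates only" is an unsigned request followed by NOERROR.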
