From: mark foster (mark@foster.cc)
Date: Mon Apr 16 2007 - 00:38:00 EDT
Zhihao wrote:
> Hi,
>
> How would you guys test a dns server for holes?
>
> Here are some that i thought of..
>
> 1. Make sure it does not allow recursive queries.
> 2. Make sure it does not allow zone transfers from unauthorized hosts.
> 3. Make sure it is not vulnerable to dns cache poisoning.
>
> Any other vectors we could look at?
>
>
Does it allow unsecured dynamic updates?
If so, you could add wpad as an A record to example.com and stealthily
capture web browser traffic from that domain.
http://mark.foster.cc/wiki/index.php/User:Fostermarkd/WPAD
Or update www or mail records. Obviously a huge problem.
Is the control channel secured? (rndc for bind usually runs on port
tcp/953.) It is supposed to be secured with a key.
There is also the possibility of dns cache snooping.
http://www.sysvalue.com/papers/DNS-Cache-Snooping/
--
Said one park ranger, 'There is considerable overlap between the intelligence of the smartest bears and the dumbest tourists.'
Mark D. Foster, CISSP <mark@foster.cc> http://mark.foster.cc/
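As an added illustration (not part of Mark's reply or the original thread), here is a BIND 9 named.conf fragment showing the settings that each of the checks discussed above would flag, beside the hardened equivalents. The zone name example.com comes from the thread; the secondary address 192.0.2.53, the key names and the secret placeholders are constructed for this example.

```conf
// ---- WEAK: what the checks in this thread would flag ----
options {
    recursion yes;                       // open resolver: recursive queries from anyone
    allow-transfer { any; };             // zone transfers (AXFR) to any host
};
zone "example.com" {
    type master;
    file "example.com.zone";
    allow-update { any; };               // unauthenticated dynamic updates (wpad/www/mail can be added)
};

// ---- HARDENED: authoritative-only server with keyed update and control channels ----
key "update-key" {                       // TSIG key for dynamic updates (constructed name)
    algorithm hmac-sha256;
    secret "<base64-secret-placeholder>";
};
key "rndc-key" {                         // key protecting the rndc control channel (constructed name)
    algorithm hmac-sha256;
    secret "<base64-secret-placeholder>";
};
options {
    recursion no;                        // answer only for zones we are authoritative for
    allow-query { any; };                // authoritative data is public
    allow-transfer { 192.0.2.53; };      // AXFR only to the known secondary (constructed address)
};
controls {
    inet 127.0.0.1 port 953              // rndc on loopback only, and only with the key
        allow { 127.0.0.1; } keys { "rndc-key"; };
};
zone "example.com" {
    type master;
    file "example.com.zone";
    allow-update { key "update-key"; };  // updates must be TSIG-signed with update-key
};
```

Run `named-checkconf` on the result, then confirm with `dig` from an outside host that recursive queries are refused and `dig example.com axfr` is denied.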
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:44 EDT