
Re: testing dns servers

To: Zhihao <zhihao@root.sg>
Subject: Re: testing dns servers
From: mark foster <mark@foster.cc>
Date: Sun, 15 Apr 2007 21:38:00 -0700
Cc: pen-test@securityfocus.com
Zhihao wrote:
> Hi,
>
> How would you guys test a dns server for holes?
>
> Here are some that I thought of...
>
> 1. Make sure it does not allow recursive queries.
> 2. Make sure it does not allow zone transfers from unauthorized hosts.
> 3. Make sure it is not vulnerable to dns cache poisoning.
>
> Any other vectors we could look at?
>
>
Does it allow unsecured dynamic updates?
If so, you could add wpad as an A record to example.com and stealthily
capture web browser traffic from that domain.
http://mark.foster.cc/wiki/index.php/User:Fostermarkd/WPAD

Or update www or mail records. Obviously a huge problem.

Is the control channel secured? (rndc for BIND usually runs on port
tcp/953.) It is supposed to be secured with a key.

There is also the possibility of dns cache snooping.
http://www.sysvalue.com/papers/DNS-Cache-Snooping/

-- 
Said one park ranger, 'There is considerable overlap between the 
 intelligence of the smartest bears and the dumbest tourists.'
Mark D. Foster, CISSP <mark@foster.cc>  http://mark.foster.cc/
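Two of the checks raised in this thread, recursion and cache snooping, come down to reading DNS header flags, so here is an added, standard-library-only audit helper (not code from the original post or its author) for running against a resolver you operate: it builds an RD=0 probe, decodes the RA/AA/ANCOUNT fields of the reply, and turns them into a finding. `fake_response` is a constructed header-only reply for offline use; the server address and query name in `probe` are assumptions.

```python
import socket
import struct

def build_query(qname, qtype=1, rd=True, txid=0x1234):
    """DNS query in RFC 1035 wire format; rd=False is the cache-snooping probe."""
    flags = 0x0100 if rd else 0x0000                  # QR=0, opcode 0, only the RD bit
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = b"".join(bytes([len(lab)]) + lab.encode()
                      for lab in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)   # QCLASS IN

def parse_header(msg):
    """Decode the 12-byte header; only the fields the audit needs."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "rd": bool(flags & 0x0100), "ra": bool(flags & 0x0080),
            "rcode": flags & 0x000F, "ancount": an}

def classify(hdr, rd_sent):
    """Map a response header to findings for the recursion and snooping checks."""
    recursion = ("RA set: server offers recursion to this client" if hdr["ra"]
                 else "RA clear: recursion not offered")
    if rd_sent:
        snoop = "n/a (RD=1 query)"
    elif hdr["ancount"] and not hdr["aa"]:
        snoop = "answer to RD=0 query from cache: cache snooping possible"
    elif hdr["ancount"]:
        snoop = "authoritative answer: server hosts the zone, not a cache hit"
    else:
        snoop = "no answer to RD=0 query: not cached (or RD=0 refused)"
    return {"recursion": recursion, "snooping": snoop}

def probe(server, qname, rd=False, timeout=3.0):
    """Send one UDP query to your own resolver and classify the reply."""
    q = build_query(qname, rd=rd)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(512)
    hdr = parse_header(data)
    if hdr["id"] != parse_header(q)["id"] or not hdr["qr"]:
        raise ValueError("reply does not match query")
    return classify(hdr, rd)

def fake_response(query, aa=False, ra=False, ancount=0):
    """Constructed reply for offline use: echoes the query, sets QR/AA/RA and a
    claimed ANCOUNT without answer RRs (enough for parse_header)."""
    txid, qflags = struct.unpack("!HH", query[:4])
    flags = 0x8000 | (qflags & 0x0100) | (0x0400 if aa else 0) | (0x0080 if ra else 0)
    return struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0) + query[12:]

if __name__ == "__main__":
    q = build_query("www.example.com", rd=False)                    # assumed name
    print(classify(parse_header(fake_response(q, ra=True, ancount=1)), rd_sent=False))
```

Against a live resolver, call `probe("192.0.2.53", "www.example.com")` (assumed address) twice: the second RD=0 reply after a normal RD=1 lookup shows whether the cache is readable by unauthenticated clients.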