DNS Security - Tip #1

-

DNS Security



Sometimes DNS misconfigured insecurely and anyone can use this vulnerability to gathering information "Reconnaissance" for target attack even if it's an obsolete approach but it's still useful :( . The vulnerability in Zone transfer in Windows DNS which is enabled feature "allowing Zone transfer" from untrusted sources by this way you will allow anyone to obtains all Zone information about your organization such Network scheme, Server and services names...etc 

Applying below commands will get all DNS zone information if the feature "allow zone transfer to any servers" is enabled in your DNS server.


>nslookup
> server <DNS Server> 
> set type=any (to get all types of DNS records)
> ls -d <Zone Name> > InfoZone.txt (the actual transfer)

Make sure to restrict zone transfers feature in Windows environment to be allowed only from a trusted source as follows:

  • Open DNS Manager.
  • Right Click on Zone "Domain name" under "Forward lookup zone". 
  • Zone Transfers.
  • Select "Only to servers listed on the name servers tap"

DNS zone transfers are using port TCP 53 and Clients are using UDP 53 for queries.


You can run below command to determine all foreign IPs communicating with DNS server on port 53.

      Netstat  -o  |find "53"  |find "TCP"


Regards,

Comments

Post a Comment

Popular posts from this blog

How to Configure Azure MFA with Exchange Server 2013 and ADFS 2012 R2

-
Image
How to Configure Azure MFA with Exchange Server 2013 and ADFS 2012 R2 How to Configure Azure MFA with Exchange Server Introduction : I was struggling to configure Azure MFA and Exchange without to use ADFS due to Exchange doesn't have Page to type text, the only phone call will work, eventually I decided to use ADFS due to this is only the way to have MFA (OTP) with Exchange. This is a quick guide to configure Azure MFA with Exchange & ADFS In this article I will demonstrate how you will apply MFA with Exchange server which has configured to use ADFS authentication, nowadays security of any organization is mandatory especially if they have applications have published externally. MFA comes to add the additional layer of security for these applications and will make organization a tad bit secure than the traditional static password. I believe Azure MFA has most of the capabilities of MFA that any organization might be looking for. If we will talk abou...
Read more

How to exclude certain users from MFA in ADFS 3.0

-
Image
Although we do not recommend exclude any users from 2FA, but some organizations have their justifications for excluding certain users from MFA. In ADFS 3.0 (Win Server 2012 R2) doesn't have GUI to apply such policy and you need to amend on claims rule by power-shell, but it's available in Win server 2016 and later as GUI. Let assume that you applied MFA by adding group "domain users" in the edit authentication policy. You need to exclude specific users from MFA, create another security group then add required users, then apply the below custom rule : 1 :  Get the SID of domain users "S-1-5-21domain-513" and EX_MFA group. 2 : $MFAEX = 'exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "domain users' SID"]) && NOT exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "EX_MFA's SID"]) => issue (Type = "http://sche...
Read more