Test Objective:
Check whether the DNS servers answer version queries (the CHAOS-class TXT record version.bind) and disclose the name server software and version.
Check the reported version against the vendor's security advisories, CVE databases and public exploit collections, and verify any candidate vulnerability by interaction rather than trusting the banner alone.
Tools:
Linux:
dig @<ipaddress of nameserver> version.bind chaos txt

;; ANSWER SECTION:
version.bind.           5       CH      TXT     "PowerDNS Authoritative Server 3.3.3 (jenkins@autotest.powerdns.com built 20150610125050 mockbuild@...)"
Linux / Windows:
nmap -sSU -p 53 --script dns-nsid <ipaddress of nameserver>

Nmap scan report for *********
Host is up (0.073s latency).
PORT   STATE         SERVICE
53/tcp open          domain
53/udp open|filtered domain
| dns-nsid:
|_  bind.version: PowerDNS Authoritative Server 3.3.3 (jenkins@autotest.powerdns.com built 20150610125050 mockbuild@

The SYN and UDP scans (-sSU) need raw-socket privileges, so run nmap as root; an unprivileged user can still run the dns-nsid script over a TCP connect scan (-sT) of port 53. The script also asks for id.server and the EDNS NSID option, which appear as extra lines when the server answers them.
We can also perform the DNS version check passively (indirectly), so that the query is sent by a third-party service rather than from the tester's host, via an online service:
DNS Report on http://www.dnsstuff.com/tools
The banner identifies PowerDNS Authoritative Server 3.3.3, a release built in 2015 that is well out of date. Look the exact version up in the PowerDNS security advisories and in CVE and exploit databases, and confirm any candidate issue by interaction: the string is only a claim made by the server.
PowerDNS documents that the reported string is configurable: the version-string setting accepts full (the default, as seen above), powerdns (vendor name only), anonymous (no version information) or an arbitrary custom string, so the banner can be missing, false or deliberately misleading. BIND offers the equivalent version option in named.conf (version none; or a custom string). The only reliable confirmation of the software version is therefore interaction (behavioural fingerprinting) or the authenticated view from the server itself.
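The following shell script is an added example and is not part of this page or of any of the tools above. It wraps the dig query shown under Linux and classifies the answer as a disclosed version, an anonymised banner, a refusal or no answer, which is the distinction the previous paragraph describes. The classifier runs offline against constructed sample dig outputs embedded in the script (not real captures); the probe_version function, the command-line server argument and the DISCLOSED / ANONYMISED / BLOCKED / NOANSWER labels are this example's own choices, and the live probe assumes the dig binary and network access to the target.

```shell
#!/bin/sh
# Added example (not from the original page): classify what a nameserver reveals
# in answer to the CHAOS-class "version.bind" / "id.server" TXT queries.
# The parser below needs only awk; probe_version additionally needs dig and network.

# classify_version_response: reads raw dig output on stdin and prints one line:
#   DISCLOSED <banner>   answer contains something that looks like a version number
#   ANONYMISED <banner>  answer present but without a version number
#   BLOCKED <rcode>      server returned an error rcode (REFUSED, SERVFAIL, ...)
#   NOANSWER             no TXT answer and no error (empty answer or dropped query)
classify_version_response() {
  awk '
    # The header line carries the rcode: ";; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 7"
    /->>HEADER<<-/ {
      if (match($0, /status: [A-Z]+/))
        status = substr($0, RSTART + 8, RLENGTH - 8)
    }
    /^;; ANSWER SECTION:/ { in_answer = 1; next }
    /^;;/                 { in_answer = 0 }
    # An answer RR looks like: version.bind.  5  CH  TXT  "banner text"
    in_answer && $3 == "CH" && $4 == "TXT" {
      banner = $0
      sub(/^[^"]*"/, "", banner)   # drop everything up to the opening quote
      sub(/"[^"]*$/, "", banner)   # drop the closing quote and anything after it
      have_banner = 1
    }
    END {
      if (have_banner) {
        # Heuristic: a "major.minor" number is the usual sign of a real version string
        if (banner ~ /[0-9]+\.[0-9]+/) print "DISCLOSED " banner
        else                           print "ANONYMISED " banner
      } else if (status != "" && status != "NOERROR") {
        print "BLOCKED " status
      } else {
        print "NOANSWER"
      }
    }'
}

# probe_version: run the live queries against one server (network required).
# version.bind is the BIND convention; id.server is the RFC 4892 name for the
# server identity, which many implementations answer as well.
probe_version() {
  server="$1"
  for qname in version.bind id.server; do
    printf '%s %s: ' "$server" "$qname"
    dig @"$server" +time=3 +tries=1 "$qname" chaos txt | classify_version_response
  done
}

# Constructed sample dig outputs (not real captures) so the classifier can be
# exercised offline. Only the lines the parser looks at are included.
SAMPLE_DISCLOSED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; QUESTION SECTION:
;version.bind.  CH  TXT

;; ANSWER SECTION:
version.bind.  5  CH  TXT  "PowerDNS Authoritative Server 3.3.3"
'
SAMPLE_ANONYMISED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2

;; ANSWER SECTION:
version.bind.  5  CH  TXT  "not available"
'
SAMPLE_REFUSED=';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 3

;; QUESTION SECTION:
;version.bind.  CH  TXT
'
SAMPLE_EMPTY=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4

;; QUESTION SECTION:
;version.bind.  CH  TXT
'

# Offline demonstration on the constructed samples
for s in "$SAMPLE_DISCLOSED" "$SAMPLE_ANONYMISED" "$SAMPLE_REFUSED" "$SAMPLE_EMPTY"; do
  printf '%s\n' "$s" | classify_version_response
done

# Live probe when a nameserver address is given on the command line
if [ "$#" -gt 0 ]; then
  probe_version "$1"
fi
```

Run it as sh dns_version_check.sh <ipaddress of nameserver> to probe a live server after the four sample classifications are printed. A BLOCKED or ANONYMISED result is the hardened state described above; DISCLOSED means the banner should be checked against advisories, and NOANSWER usually means port 53/UDP is filtered or the server dropped the CHAOS query, so repeat the query over TCP (dig +tcp) before drawing a conclusion.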
References:
- OSSTMM version 3
- 11.5.2 a Request all service banners for discovered TCP ports
- 11.5.2 b Verify service banners through interactions
- ISSAF 0.2.1B 1.1.3 – Examine Domain Name System