Re: NT DNS Server leaks administrator account name in SOA record

[cgknipe () MWEB CO ZA (Chris Knipe)]

Hi...

NT puts the account name in the SOA based on who created the zone.

Simple example.  Create a user called foo.  Give foo administrative
privilidges, and then create a zone - while you are logged in with user foo.
The Zone will now have foo in the SOA record as a contact.

Whether it is the administrator's account or not, has no relevence towards
this whatsoever, and the SOA is assigned the login name of the CREATOR of
the zone file.

This behaviour is quite right, and nothing wrong with it frankly.  I mean,
if the "creator" or "administrator" of a certain DNS zone, can't have his /
her email on the contact for a SOA, what's the use of having a contact email
address in the SOA?

This is definately in no ways whatsoever directed towards anything
mis-behaving or malfunctioning within Windows NT.

Kind Regards
Chris Knipe

----- Original Message -----
From: Roy Hills <bugtraq-l () NTA-MONITOR COM>
To: <BUGTRAQ () SECURITYFOCUS COM>
Sent: 26 June 2000 03:12
Subject: NT DNS Server leaks administrator account name in SOA record

> I've noticed that the Microsoft DNS server on NT Server 4.0 leaks the
> administrator account name in the "contact" field of the DNS SOA record
> for all zones that it is authoritative for.
>
> For example, an DNS lookup for the SOA record of "domain.com" might
> give the following answer if the built-in administrator's account name is
the
> default of "Administrator" and that account was used to add the
"domain.com"
> DNS zone:
>
> domain.com.   86400 SOA  ns.domain.com. administrator.domain.com. (
>           2000062001  ; serial
>           7200   ; refresh (2 hours)
>           3600   ; retry (1 hour)
>           1209600   ; expire (14 days)
>           86400 )   ; minimum (1 day)
>
> If the administrator account name had been renamed from the default
> "Administrator" to "Hardman", the SOA record for subsequently created
> zones would be:
>
> domain.com.   86400 SOA  ns.domain.com. hardman.domain.com. (
>           2000062001  ; serial
>           7200   ; refresh (2 hours)
>           3600   ; retry (1 hour)
>           1209600   ; expire (14 days)
>           86400 )   ; minimum (1 day)
>
> It looks like the SOA contact field is being generated from the username
> that was used to add the DNS zone using DNS manager.  Often this
> will be the built-in administrator account.
>
> I think that a better behavior would be to use a fixed generic contact
> such as "postmaster () domain com" which will always exist and doesn't
> give away any information.
>
> Most NT security guides advise administrators to rename the built-in
> Administrator account to a hard-to-guess name.  However, if the NT server
> is acting as a DNS server using Microsoft DNS server software, it is
possible
> to determine the name of the administrator account from an SOA query.
>
> It is possible to manually change the contact Email address in the SOA
record
> to prevent this information leakage, but I suspect that most people won't
> bother
> to do this and will leave it at the default.  It suggest that people who
> are concerned
> about this manually change their SOA record contact details to something
> generic like "postmaster () domain com" until a fix becomes available.
>
> I've seen this behaviour on Windows NT Server 4.0 SP4 and SP5 running the
> Microsoft DNS Server network service.  I suspect that it also occurs on
other
> service packs such as SP3 and SP6, but I've not verified this.  I've also
not
> checked if Windows2000 DNS server is affected in the same way.
>
> Regards,
>
> Roy Hills
> NTA Monitor Ltd
> --
> Roy Hills                                    Tel:   +44 1634 721855
> NTA Monitor Ltd                              FAX:   +44 1634 721844
> 14 Ashford House, Beaufort Court,
> Medway City Estate,                          Email:
Roy.Hills () nta-monitor com
> Rochester, Kent ME2 4FA, UK                  WWW:
http://www.nta-monitor.com/