1. Introduction
The DNSSEC NSEC Records vulnerability means a remote host may reveal the hostnames of other systems in its zone file. This can allow attackers to map your network and potentially identify sensitive internal hosts. Systems running authoritative DNS servers with DNSSEC enabled are usually affected, impacting confidentiality by exposing information about your infrastructure.
2. Technical Explanation
The remote DNSSEC server uses NSEC records for authenticated negative answers to queries. Each NSEC record names the next owner name in the zone's canonical order, so an attacker can follow the chain of NSEC records, one query at a time, to list every hostname in the zone file. The effect is that of a zone transfer without the access restrictions normally placed on one.
- Root cause: The zone is signed with NSEC records instead of NSEC3 for its authenticated negative responses.
- Exploit mechanism: An attacker queries a domain within the zone and follows the chain of NSEC records to enumerate all other domains in the zone. For example, querying 'example.com' might reveal 'mail.example.com', then querying 'mail.example.com' reveals further domains.
- Scope: Authoritative DNS servers running BIND, PowerDNS, Knot DNS and others with DNSSEC enabled using NSEC records are affected.
3. Detection and Assessment
You can confirm if your system is vulnerable by checking its DNS configuration and the types of records it returns.
- Quick checks: Use dig to query for NS records and check whether NSEC records are returned in the response. The +dnssec option is required: a server only includes NSEC or NSEC3 records when the query sets the DO bit.
  dig @your_dns_server +dnssec example.com NS
- Scanning: Tools like dnsrecon can enumerate zones using NSEC records. Note this is an example only, as results depend on configuration.
- Logs and evidence: Examine DNS server logs for repeated queries for domains within your zone file from unknown sources.
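The quick check above reads the denial-of-existence records out of a dig reply by eye. The following added example (not code from the original page) makes the same decision on raw DNS wire format, so it can be applied to a saved reply or a packet capture: it skips the question and answer sections, collects the RR types in the authority section, and reports NSEC (walkable), NSEC3 (hashed) or none. The three responses it classifies are constructed inline; the hashed owner name, transaction ID and addresses are placeholders.

```python
"""Classify a DNS response by the denial-of-existence records in its
authority section: NSEC (walkable), NSEC3 (hashed) or none at all.
Added example; the sample messages below are constructed, not captured."""
import struct

TYPE_SOA, TYPE_RRSIG, TYPE_NSEC, TYPE_NSEC3 = 6, 46, 47, 50


def encode_name(name: str) -> bytes:
    """Wire-encode a dotted name as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def read_name(msg: bytes, off: int):
    """Decode a name at `off`, following compression pointers (RFC 1035 4.1.4).
    Returns (name, offset of the first byte after the name in the message)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                     # 2-byte pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def authority_rrtypes(msg: bytes) -> list:
    """Return the RR type codes present in the authority section."""
    _id, _flags, qd, an, ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                               # skip question(s)
        _, off = read_name(msg, off)
        off += 4                                      # QTYPE + QCLASS
    types = []
    for i in range(an + ns):                          # answer, then authority
        _, off = read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if i >= an:
            types.append(rtype)
    return types


def classify_denial(msg: bytes) -> str:
    """'NSEC' means the zone can be walked; 'NSEC3' means hashed denial;
    'NONE' means no denial record (unsigned zone, or DO bit not set)."""
    types = set(authority_rrtypes(msg))
    if TYPE_NSEC in types:
        return "NSEC"
    if TYPE_NSEC3 in types:
        return "NSEC3"
    return "NONE"


def build_nxdomain(qname: str, owner: bytes, rtype: int, rdata: bytes) -> bytes:
    """Constructed NXDOMAIN response: QR|AA set, RCODE=3, one authority RR."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8403, 1, 0, 1, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)   # A, IN
    rr = owner + struct.pack("!HHIH", rtype, 1, 3600, len(rdata)) + rdata
    return header + question + rr


# Constructed samples. NSEC rdata = next owner name + type bitmap covering
# A NS SOA RRSIG NSEC; NSEC3 rdata = alg 1, flags 0, iterations 0, no salt,
# 20-byte hash, same bitmap. The base32 owner label is a placeholder hash.
BITMAP = bytes([0, 6, 0x62, 0, 0, 0, 0, 0x03])
NSEC_MSG = build_nxdomain("doesnotexist.example.com", encode_name("example.com"),
                          TYPE_NSEC, encode_name("mail.example.com") + BITMAP)
NSEC3_MSG = build_nxdomain("doesnotexist.example.com",
                           encode_name("0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example.com"),
                           TYPE_NSEC3, bytes([1, 0, 0, 0, 0, 20]) + b"\x00" * 20 + BITMAP)
# Unsigned zone: only an SOA, with its owner name compressed to the question.
UNSIGNED_MSG = build_nxdomain("doesnotexist.example.com", b"\xC0\x0C",
                              TYPE_SOA, b"\x00\x00" + b"\x00" * 20)

if __name__ == "__main__":
    for label, msg in (("NSEC zone", NSEC_MSG), ("NSEC3 zone", NSEC3_MSG),
                       ("unsigned", UNSIGNED_MSG)):
        print(f"{label:10s} -> {classify_denial(msg)}")
```

A reply classified as NONE is not proof of safety: it is also what a query without the DO bit gets from a signed zone, so always send the check with DNSSEC requested.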
4. Solution / Remediation Steps
The solution is to re-sign the zone with NSEC3 records (hashed denial of existence) in place of NSEC records.
4.1 Preparation
- Ensure you have access to modify your DNS server configuration, and keep a copy of the original configuration and zone file: the rollback plan is to restore them and restart the service.
- Changes should be made during a scheduled maintenance window with appropriate approval from system owners.
4.2 Implementation
- Step 1: Edit your DNS server's configuration file (e.g., named.conf for BIND) to enable NSEC3 signing for the affected zones.
- Step 2: Restart the DNS service to apply the changes.
- Step 3: Verify that NSEC records are no longer returned and only NSEC3 records are present.
4.3 Config or Code Example
Before

zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
};

After

// BIND 9.16+: NSEC3 is selected through a dnssec-policy (RFC 9276 advises 0 iterations, no salt).
dnssec-policy "nsec3" {
    nsec3param iterations 0 optout no salt-length 0;
};

zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
    inline-signing yes;   // named must be able to write the signed copy and keys
    dnssec-policy "nsec3";
};

4.4 Security Practices Relevant to This Vulnerability
Several security practices can help prevent this issue.
- Least privilege: Restrict access to DNS server configuration files to authorized personnel only, reducing the risk of accidental misconfiguration.
- Secure defaults: Use secure default configurations for your DNS server, including enabling NSEC3 signing by default where possible.
4.5 Automation (Optional)
Ansible can be used to automate configuration changes across multiple DNS servers.
---
- hosts: dns_servers
  become: true
  tasks:
    - name: Define an NSEC3 dnssec-policy in named.conf
      blockinfile:
        path: /etc/bind/named.conf
        block: |
          dnssec-policy "nsec3" {
              nsec3param iterations 0 optout no salt-length 0;
          };
      notify: Restart bind
    - name: Attach the NSEC3 policy to the example.com zone
      blockinfile:
        path: /etc/bind/named.conf
        marker: "# {mark} NSEC3 ZONE SETTINGS"
        insertafter: 'file "/etc/bind/db.example.com";'
        block: |
          inline-signing yes;
          dnssec-policy "nsec3";
      notify: Restart bind
    - name: Validate named.conf before the handler restarts the service
      command: named-checkconf /etc/bind/named.conf
      changed_when: false
  handlers:
    - name: Restart bind
      service:
        name: bind9
        state: restarted

5. Verification / Validation
Confirm the fix by checking DNS records and ensuring NSEC3 is used.
- Post-fix check: Run dig @your_dns_server +dnssec example.com NS and verify that only NSEC3 records, and no NSEC records, are returned in the response.
- Re-test: Repeat the initial detection scan (using dnsrecon) to confirm that zone enumeration is no longer possible.
- Monitoring: Monitor DNS server logs for any errors related to NSEC3 signing or unexpected query patterns.
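For the "Logs and evidence" step in section 3 and the monitoring step here, an added example (not code from the original page) that scans BIND query-log lines for the pattern a chain walk produces: one client asking for many distinct names inside the zone within a short window. The log lines and addresses are constructed in the style of BIND's queries category; the threshold and window are assumptions to tune per environment.

```python
"""Spot NSEC-walk style query patterns in BIND query logs: one client
asking for many distinct names inside a zone within a short window.
Added example; the log lines are constructed in BIND's query-log style,
not taken from a real server."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches a BIND "queries" line, with or without the "@0x..." client handle:
# <ts> client @0x7f3a 192.0.2.10#53412 (a.example.com): query: a.example.com IN A ...
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ .*?client (?:@0x[0-9a-f]+ )?"
    r"(?P<ip>[0-9a-fA-F.:]+)#\d+ \((?P<qname>[^)]+)\): query: ")


def parse_line(line: str):
    """Return (timestamp, client_ip, qname) or None for non-query lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S")
    return ts, m.group("ip"), m.group("qname").lower().rstrip(".")


def find_walkers(lines, zone, min_names=5, window=timedelta(minutes=5)):
    """Return {client_ip: distinct_name_count} for clients that queried at
    least `min_names` distinct names under `zone` within any `window`."""
    zone = zone.lower().rstrip(".")
    events = defaultdict(list)                      # ip -> [(ts, qname)]
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, qname = parsed
        if qname == zone or qname.endswith("." + zone):
            events[ip].append((ts, qname))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):                 # sliding time window
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = len({q for _, q in evs[start:end + 1]})
            if distinct >= min_names:
                flagged[ip] = max(distinct, flagged.get(ip, 0))
    return flagged


# Constructed sample: 192.0.2.10 steps through six names in four seconds,
# 198.51.100.7 repeats one name, 203.0.113.5 queries a different zone.
SAMPLE_LOG = """\
20-Jan-2024 10:15:01.101 client @0x7f3a 192.0.2.10#53412 (a.example.com): query: a.example.com IN A +E(0)DC (198.51.100.1)
20-Jan-2024 10:15:01.230 client @0x7f3a 192.0.2.10#53413 (b.example.com): query: b.example.com IN A +E(0)DC (198.51.100.1)
20-Jan-2024 10:15:02.005 client @0x7f3a 192.0.2.10#53414 (c.example.com): query: c.example.com IN A +E(0)DC (198.51.100.1)
20-Jan-2024 10:15:02.880 client @0x7f3a 192.0.2.10#53415 (mail.example.com): query: mail.example.com IN A +E(0)DC (198.51.100.1)
20-Jan-2024 10:15:03.410 client @0x7f3a 192.0.2.10#53416 (vpn.example.com): query: vpn.example.com IN A +E(0)DC (198.51.100.1)
20-Jan-2024 10:15:05.000 client @0x7f3a 192.0.2.10#53417 (zzz.example.com): query: zzz.example.com IN A +E(0)DC (198.51.100.1)
20-Jan-2024 10:15:10.000 client @0x7f3b 198.51.100.7#40001 (www.example.com): query: www.example.com IN A -E(0)D (198.51.100.1)
20-Jan-2024 10:15:11.000 client @0x7f3b 198.51.100.7#40002 (www.example.com): query: www.example.com IN AAAA -E(0)D (198.51.100.1)
20-Jan-2024 10:15:12.000 client @0x7f3c 203.0.113.5#50000 (a.other.test): query: a.other.test IN A -E(0)D (198.51.100.1)
this line is not a query log entry
"""

if __name__ == "__main__":
    for ip, count in find_walkers(SAMPLE_LOG.splitlines(), "example.com").items():
        print(f"{ip}: {count} distinct names in example.com within 5 minutes")
```

Large shared resolvers legitimately ask for many distinct names, so tune min_names per source and, where the server logs responses, weight NXDOMAIN answers more heavily than successful ones; a walk spread over many source addresses will not trip a per-client count, which is one more reason the fix is NSEC3 rather than detection alone.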
6. Preventive Measures and Monitoring
Regular security baselines and pipeline checks can help prevent this issue.
- Baselines: Update your DNS server security baseline to require NSEC3 signing as a standard configuration setting.
- Pipelines: Integrate SAST or IaC scanning into your deployment pipelines to automatically detect insecure configurations, such as the use of NSEC records.
- Asset and patch process: Implement a regular review cycle for DNS server configurations to ensure they remain secure and compliant with security policies.
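As an added example of the IaC check in the Pipelines item (not code from the page or from ISC), a minimal named.conf audit that reports primary zones whose dnssec-policy does not set nsec3param. The configuration it reads is constructed inline, the parsing is deliberately limited to the statements it needs, and the dnssec-policy/nsec3param syntax it looks for is the BIND 9.16+ form; zones signed by older mechanisms are reported as unconfirmed rather than assumed safe.

```python
"""Flag primary zones in a BIND named.conf whose dnssec-policy does not
define nsec3param, for use as an IaC/pipeline check. Added example; the
configuration below is constructed and the parser understands only the
statements this check needs."""
import re


def strip_comments(text: str) -> str:
    """Remove /* */, // and # comments so commented-out settings are ignored."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def find_blocks(text: str, keyword: str):
    """Yield (name, body) for each `keyword "name" ... { body };`,
    counting braces so nested statements do not end the block early."""
    pattern = re.compile(r'\b%s\s+"([^"]+)"[^{;]*\{' % re.escape(keyword))
    for m in pattern.finditer(text):
        depth, i = 1, m.end()
        while depth and i < len(text):
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield m.group(1), text[m.end():i - 1]


def audit_named_conf(conf: str) -> list:
    """Return (zone, finding) pairs for primary zones not signed with NSEC3."""
    text = strip_comments(conf)
    nsec3_policies = {
        name for name, body in find_blocks(text, "dnssec-policy")
        if re.search(r"\bnsec3param\b", body)
    }
    findings = []
    for zone, body in find_blocks(text, "zone"):
        if not re.search(r"\btype\s+(master|primary)\s*;", body):
            continue                                   # only primaries sign
        m = re.search(r'\bdnssec-policy\s+"?([^";\s]+)"?\s*;', body)
        if m is None:
            findings.append((zone, "no dnssec-policy statement; NSEC3 signing cannot be confirmed"))
        elif m.group(1) not in nsec3_policies:
            # "default" is BIND's built-in NSEC policy and "none" disables signing,
            # so neither can be an NSEC3 policy.
            findings.append((zone, f'dnssec-policy "{m.group(1)}" does not set nsec3param'))
    return findings


# Constructed named.conf covering the cases the audit distinguishes.
SAMPLE_CONF = """\
options { directory "/var/cache/bind"; };

dnssec-policy "nsec3" {
    nsec3param iterations 0 optout no salt-length 0;
};
dnssec-policy "legacy" {
    signatures-validity 30d;   # no nsec3param, so this policy signs with NSEC
};

zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
    allow-transfer { 192.0.2.2; };   // nested block must not end the zone early
    inline-signing yes;
    dnssec-policy "nsec3";
};
zone "example.net" { type primary; file "db.example.net"; dnssec-policy "legacy"; };
zone "example.org" { type primary; file "db.example.org"; dnssec-policy default; };
zone "internal.test" { type primary; file "db.internal.test"; };
zone "example.edu" { type secondary; primaries { 192.0.2.1; }; dnssec-policy default; };
"""

if __name__ == "__main__":
    for zone, finding in audit_named_conf(SAMPLE_CONF):
        print(f"{zone}: {finding}")
```

Run it over the rendered configuration in the pipeline and fail the job on any finding; the "cannot be confirmed" result is intentional for zones signed outside dnssec-policy, where the NSEC3 state lives in the signed zone rather than in named.conf and needs the dig check from section 5 instead.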
7. Risks, Side Effects, and Roll Back
Changing DNS settings can disrupt service if not done carefully: re-signing the zone with NSEC3 changes every negative response the server gives, so validate the configuration (for BIND, named-checkconf) before restarting and keep the previous configuration and zone file for rollback. Note also that NSEC3 hashes owner names rather than hiding them; hashed names can still be recovered by guessing, so NSEC3 raises the cost of enumeration rather than eliminating it.
8. References and Resources
Links to relevant documentation for this vulnerability.
- Vendor advisory or bulletin: http://blog.dest-unreach.be/2010/01/20/dnssec-the-nsec-and-nsec3-record