1. Introduction
Nessus was able to obtain version information on the remote DNS server. This means an attacker could potentially identify known vulnerabilities in your DNS software, increasing the risk of compromise. Systems commonly affected are servers running a DNS service, typically those publicly accessible but also internal ones used for name resolution. A successful exploit could lead to data breaches, denial-of-service attacks, or system takeover.
2. Technical Explanation
Nessus identifies the DNS server version by sending a special TXT record query (the version.bind name in the CHAOS class). The server may respond with its version information. The returned string is whatever the server is configured to report, so it isn't always accurate and may be deliberately set to a misleading value. An attacker could use this information to target specific vulnerabilities in your DNS software.
- Root cause: The DNS server responds to TXT queries with version details, potentially exposing sensitive information.
- Exploit mechanism: An attacker sends a TXT query and uses the returned version string to identify potential exploits.
- Scope: All servers running a DNS service are affected, regardless of operating system or software vendor.
3. Detection and Assessment
You can confirm if your system is vulnerable by checking its DNS server configuration and responses to TXT queries.
- Quick checks: Use the dig command to query the version record. For example: dig @your_dns_server version.bind TXT CHAOS. Look for a version string in the output.
- Scanning: Nessus vulnerability ID 16382 can be used to detect this issue. Other scanners may have similar checks.
- Logs and evidence: Check DNS server logs for incoming TXT queries. The exact log location varies depending on your DNS software.
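As an added example that is not part of this advisory, the following Python builds the exact query such checks send (name version.bind, type TXT, class CHAOS), parses the reply, and reports whether a version string was disclosed. The sample responses are constructed inline (a disclosing server and a REFUSED reply), so the check runs offline.

```python
import struct

QTYPE_TXT, QCLASS_CH = 16, 3             # TXT record type, CHAOS class
QNAME = b"\x07version\x04bind\x00"       # "version.bind" in DNS wire format
QUESTION = QNAME + struct.pack("!HH", QTYPE_TXT, QCLASS_CH)

def build_version_query(txid=0x1234):
    """Wire-format version.bind TXT CH query, the 'special TXT query' scanners send."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + QUESTION  # RD set, 1 question

def _skip_name(data, off):
    """Advance past a possibly compressed domain name; return the next offset."""
    while data[off] != 0 and data[off] & 0xC0 != 0xC0:
        off += data[off] + 1
    return off + (2 if data[off] & 0xC0 == 0xC0 else 1)

def parse_txt_answer(data):
    """Return (rcode, list of TXT strings) from a raw DNS response."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    off, texts = 12, []
    for _ in range(qd):                  # skip the echoed question section
        off = _skip_name(data, off) + 4
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        rdata, off = data[off + 10:off + 10 + rdlen], off + 10 + rdlen
        p = 0
        while rtype == QTYPE_TXT and p < len(rdata):   # TXT rdata: length-prefixed strings
            texts.append(rdata[p + 1:p + 1 + rdata[p]].decode(errors="replace"))
            p += 1 + rdata[p]
    return flags & 0x0F, texts

def version_exposed(response):
    """True when the server answered NOERROR with a non-empty TXT string."""
    rcode, texts = parse_txt_answer(response)
    return rcode == 0 and any(t.strip() for t in texts)

def build_sample_response(rcode, txt=None, txid=0x1234):
    """Constructed reply for offline testing: txt set = disclosing server, txt=None = no answer."""
    an = 0 if txt is None else 1
    hdr = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, an, 0, 0)   # QR, RD, RA + rcode
    ans = b""
    if txt is not None:
        rdata = bytes([len(txt)]) + txt.encode()
        ans = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, QCLASS_CH, 0, len(rdata)) + rdata
    return hdr + QUESTION + ans
```

To check a live server you administer, send build_version_query() over UDP to port 53 and pass the reply bytes to version_exposed(); a server with version disclosure disabled answers REFUSED (rcode 5) rather than a TXT string.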
4. Solution / Remediation Steps
The best solution is to review and restrict the information provided by your DNS server.
4.1 Preparation
- Back up the current configuration so you can restore the original if needed. The rollback plan is to restore the backed-up config file.
- Changes may require a change window and approval from system owners.
4.2 Implementation
- Step 1: Review your DNS server configuration for settings that expose version information.
- Step 2: Disable or restrict the response to TXT queries if possible, or configure it to return minimal information.
- Step 3: Restart the DNS service to apply the changes.
4.3 Config or Code Example
Before
// Example BIND named.conf: the version directive sets the string returned for version.bind TXT CHAOS queries
options {
    version "9.16.24";
};
After
// Example BIND named.conf with version disclosure disabled: "version none;" makes named refuse version.bind queries
// (simply commenting the directive out falls back to the default, which reports the real version)
options {
    version none;
};
4.4 Security Practices Relevant to This Vulnerability
- Practice 1: Least privilege – limit the amount of information exposed by your DNS server.
- Practice 2: Secure defaults – configure your DNS server with minimal functionality and only enable necessary features.
4.5 Automation (Optional)
Automation is not generally suitable for this vulnerability due to variations in DNS software configurations.
5. Verification / Validation
Confirm the fix by re-running the detection methods and verifying that version information is no longer exposed.
- Post-fix check: Run dig @your_dns_server version.bind TXT CHAOS again. The output should not contain a version string.
- Re-test: Re-run the Nessus scan (ID 16382) and confirm that it no longer reports the vulnerability.
- Monitoring: Monitor DNS server logs for unexpected TXT queries or errors.
6. Preventive Measures and Monitoring
- Baselines: Update security baselines to include recommendations for restricting information exposure in DNS servers.
- Pipelines: Include checks in CI/CD pipelines to ensure that DNS configurations adhere to security standards.
- Asset and patch process: Regularly review DNS server configurations as part of your asset management process.
7. Risks, Side Effects, and Roll Back
8. References and Resources
- Vendor advisory or bulletin: No specific vendor advisory available for this general information disclosure issue.
- NVD or CVE entry: No specific CVE associated with this detection method.
- Product or platform documentation relevant to the fix: Refer to your DNS server software documentation for configuration options related to TXT records and version information.