← Back to Feed CACHED · 2026-05-17 09:42:19 · cache_key CVE-2025-29912
tenable:35372 · Disclosed 2009-01-15

DNS Server Dynamic Update Record Injection

ASSESSED — NOISGATE V0.5
Vendor
Reassessed
Verdict:
01 · The Real Story

This is leaving the building directory unlocked and hoping nobody swaps the room numbers

Tenable plugin 35372 is not a software bug with a vendor patch; it is a live misconfiguration check. The scanner verified that the authoritative DNS server accepted an unauthenticated RFC 2136 dynamic update and allowed insertion of a record into a zone. In practice, that means any affected DNS zone on any server version is vulnerable as configured: BIND zones with permissive allow-update, Windows DNS zones set to nonsecure and secure updates, or any other authoritative implementation that accepts unsigned updates from arbitrary clients.

The original MEDIUM label undersells the operational risk. This is direct integrity compromise of the naming system, and DNS is upstream of web, mail, certificate issuance, service discovery, and AD-adjacent trust decisions. I am upgrading it to HIGH because exploitation is low-friction and unauthenticated once the attacker can reach the authoritative server; I am stopping short of CRITICAL because this is usually an internal-reachability problem, not Internet-scale wormable RCE, and modern defaults on major platforms are safer than the misconfig Tenable found.

"If this finding is real, any reachable host can rewrite your DNS truth. That's not a medium."
02 · The Attack Path

4 steps from start to impact.

STEP 01

Identify an updatable authoritative zone

The attacker uses normal DNS enumeration tools such as dig or nslookup to determine the authoritative server and zone, then confirms the target speaks DNS on port 53. This is trivial because NS records and SOA data are meant to be discoverable.
Conditions required:
  • Network reachability to the authoritative DNS server on UDP/TCP 53
  • Knowledge of the zone name and authoritative server, which DNS typically discloses
Where this breaks in practice:
  • Many authoritative servers are not reachable from untrusted networks
  • Split-horizon DNS and internal ACLs can limit who can even hit the target
Detection/coverage: Nessus plugin 35372 detects this well because it actively tests whether an update is accepted.
STEP 02

Send an unsigned RFC 2136 update with nsupdate or dnspython

Using nsupdate or a custom script, the attacker sends an UPDATE packet to add or replace an RRset such as A, AAAA, MX, TXT, or CNAME. If the zone accepts nonsecure updates, the server commits the change without requiring TSIG, Kerberos-backed secure update, or another authentication layer.
Conditions required:
  • Zone accepts unsigned dynamic updates from arbitrary clients or weakly trusts source IP
  • Attacker can send a valid DNS UPDATE packet
Where this breaks in practice:
  • Windows AD-integrated zones default to secure only updates, which blocks this
  • BIND disables dynamic updates by default and recommends TSIG-based policy instead of IP ACLs
Detection/coverage: Passive scanners may miss this; active validation is needed. DNS server audit/debug logging can show UPDATE activity if enabled.
STEP 03

Let the change propagate to the zone's truth set

On primary/secondary setups, the accepted update lands on the primary or is forwarded there, then propagates via IXFR/replication. Research shows the attacker often needs only one accepted update packet to create a globally resolvable malicious record.
Conditions required:
  • The accepting server is authoritative directly or can forward updates to the primary
  • Zone transfer/replication functions normally
Where this breaks in practice:
  • If updates are accepted only from a specific host and anti-spoofing is strong, exploitation gets harder
  • Tight change monitoring on authoritative zones may catch the insertion quickly
Detection/coverage: Look for unexpected journal changes, IXFR churn, AD-integrated DNS record ownership anomalies, and new subdomains resolving to unknown IPs.
STEP 04

Cash out via hijack, MITM, mail interception, or shadow domains

The attacker repoints A/AAAA records, changes MX, inserts validation TXT/CNAME, or creates stealth subdomains. That enables domain hijack, email interception, phishing infrastructure, certificate validation abuse, or internal WPAD/ADIDNS abuse depending on where the zone is used.
Conditions required:
  • Victims or services rely on the poisoned records
  • The attacker controls infrastructure to receive the redirected traffic
Where this breaks in practice:
  • User-facing hijack is noisy and often short-lived
  • TLS, HSTS, mail protections, and service-specific auth can reduce post-poisoning impact
Detection/coverage: External DNS monitoring, CT log monitoring, mail-flow anomalies, and DNS diffing can catch the blast radius; many vuln scanners stop at the update acceptance check and do not monitor ongoing abuse.
03 · Intelligence Metadata

The supporting signals.

In-the-wild statusNo authoritative KEV-listed CVE maps to this Tenable item, and I found no current vendor-confirmed active exploitation campaign specific to tenable:35372. That said, public research and offensive tradecraft show this class is absolutely exploitable when present.
Proof-of-concept availabilityCommodity-grade. nsupdate is the standard weapon here, dnspython can do the same programmatically, and AD-focused abuse paths are documented by NetSPI with tools like Powermad.
EPSSN/A — this is a misconfiguration finding, not a CVE, so there is no FIRST EPSS score or percentile.
KEV statusN/A — CISA KEV is CVE-based. As of the current CISA KEV catalog page, this finding is not trackable there because Tenable 35372 has no CVE ID.
CVSS baselineTenable scores it 5.8 / MEDIUM with CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N. The integrity-only framing is too narrow because DNS integrity is an upstream trust primitive.
Affected deploymentsAny authoritative DNS zone that accepts unauthenticated RFC 2136 updates. Examples: BIND zones with permissive allow-update; Windows DNS zones configured for nonsecure and secure updates; other implementations that trust unsigned clients.
Fixed stateThere is no patched version because this is configuration-driven. Safe states are: dynamic updates disabled, TSIG/SIG(0) enforced, BIND update-policy with keys, or Windows AD-integrated zones set to Secure only.
Exposure dataThe 2024 study by Nosyk et al. scanned 353,870,510 domains and found 381,965 vulnerable domains and 5,575 nameservers accepting unsolicited updates. That is only about 0.108% of domains, so the population is not broad — but where present, exploitation is one-packet simple.
Disclosure / research timelineRFC 2136 dates to 1997-04; Tenable published plugin 35372 on 2009-01-15; large-scale prevalence research was published on 2024-05-30.
Researcher / reporting orgsTenable for detection content; academic prevalence work by Yevheniya Nosyk, Maciej Korczyński, Carlos H. Gañán, Michał Król, Qasim Lone, and Andrzej Duda; practical AD abuse tradecraft published by NetSPI.
04 · The Call

noisgate verdict.

Final Verdict
UPGRADED to HIGH (8.0/10)

The decisive factor is that this is unauthenticated DNS write access, not a passive weakness. Once an attacker can reach the authoritative server, exploitation is straightforward and the blast radius reaches every service that trusts that zone, but it is usually constrained by network position and non-default configuration rather than being a universal pre-auth Internet RCE class issue.

HIGH This is a real misconfiguration exposure, not a theoretical bug class
MEDIUM Enterprise-wide urgency without knowing whether the affected server is externally reachable or only internally scoped

Why this verdict

  • Up from vendor MEDIUM: Tenable's 5.8 score models this as low-grade integrity impact, but in reality DNS is a trust root for web, mail, service routing, and certificate validation.
  • Low attacker friction once reachable: the attacker needs only unauthenticated network access to port 53 and a standard tool like nsupdate; no creds, no user interaction, no exploit dev.
  • But this is usually post-initial-access or limited-reach: many affected servers are internal AD/BIND authorities, which means the requirement often implies the attacker is already on-net or on a permitted segment.
  • Population is narrow, impact is not: modern defaults are safer and the 2024 Internet-scale study found a small vulnerable fraction, but the specific hosts that *do* accept unsigned updates are dangerously exposed.
  • No evidence-driven emergency override: there is no KEV/CVE linkage or verified active campaign forcing an 'immediate within hours' posture.

Why not higher?

I am not calling this CRITICAL because the main brake is exposure scope. In many enterprises, authoritative update paths are internal-only or limited to DHCP/DC infrastructure, which makes this more of a high-consequence reachable misconfiguration than a broadly reachable Internet kill chain starter. There is also no current KEV signal or widespread exploitation evidence tied to this exact Tenable item.

Why not lower?

I am not leaving this at MEDIUM because the scanner already proved the dangerous condition exists. This is not a soft hardening recommendation like 'tighten ciphers'; it is a direct unauthenticated modification path into your DNS data, and attackers can use it to redirect traffic, intercept mail, or mint shadow infrastructure with almost no tooling cost.

05 · Compensating Control

What to do — in priority order.

  1. Set Windows zones to Secure only — For AD-integrated Microsoft DNS zones, switch any affected zone from Nonsecure and secure to Secure only and complete this within 30 days. This removes anonymous update capability while preserving legitimate Kerberos-backed dynamic registration.
  2. Replace IP-based update trust with TSIG or update-policy — On BIND and similar servers, move away from permissive allow-update and use TSIG/SIG(0) or narrowly scoped update-policy rules within 30 days. IP-only trust is brittle and UDP source spoofing makes it a weak boundary.
  3. Disable dynamic updates where not required — If a zone does not genuinely need RFC 2136, turn it off within 30 days. The cleanest control is removing the write surface entirely rather than trying to monitor bad writes forever.
  4. Restrict who can reach authoritative update targets — Limit UDP/TCP 53 access to the exact DHCP servers, domain controllers, or management hosts that need it, and deploy that network control within 30 days. This does not replace secure updates, but it sharply cuts the reachable attacker population.
  5. Turn on DNS update auditing and diff monitoring — Enable DNS server audit/debug logs and compare zone contents against an approved baseline within 30 days. You want evidence of unexpected UPDATE activity and ownership anomalies before the attacker quietly converts this into mail or web redirection.
What doesn't work
  • Relying on DNSSEC alone does not help; DNSSEC protects response authenticity to resolvers, not unauthorized writes at the authoritative source.
  • Using only an IP allowlist for updates is not enough; RFC 2136 commonly rides over UDP, and research shows spoofed-source updates can bypass weak ACL models.
  • Patching endpoint agents or browsers does nothing here; the exposure lives on the authoritative DNS server configuration.
  • Perimeter firewalls alone are insufficient if the authoritative server is reachable from internal segments; this is often an inside-the-network abuse path.
06 · Verification

Crowdsourced verification payload.

Run this from an auditor workstation or jump host that can reach the target authoritative DNS server, not from the DNS server itself. Invoke it as ./check-ddns.sh example.com 192.0.2.53; it needs nsupdate and dig, no local admin privileges, but it will briefly add and then remove a test TXT record if the server is vulnerable.

noisgate-verify.sh
BASHREAD-ONLYSAFE
#!/usr/bin/env bash
# check-ddns.sh
# Active test for unauthenticated RFC 2136 dynamic updates.
# Usage: ./check-ddns.sh <zone> <dns_server>
# Example: ./check-ddns.sh example.com 192.0.2.53
# Exit codes:
#   0 = PATCHED (or update refused)
#   1 = VULNERABLE
#   2 = UNKNOWN (tooling/network/problem determining state)

set -u

ZONE="${1:-}"
SERVER="${2:-}"

if [[ -z "$ZONE" || -z "$SERVER" ]]; then
  echo "UNKNOWN: usage: $0 <zone> <dns_server>"
  exit 2
fi

if ! command -v nsupdate >/dev/null 2>&1; then
  echo "UNKNOWN: nsupdate not found"
  exit 2
fi

if ! command -v dig >/dev/null 2>&1; then
  echo "UNKNOWN: dig not found"
  exit 2
fi

ZONE="${ZONE%.}"
STAMP="$(date +%s)"
LABEL="_noisgate-${STAMP}-$$"
FQDN="${LABEL}.${ZONE}."
VALUE="noisgate-probe-${STAMP}"
TMP_ADD="$(mktemp)"
TMP_DEL="$(mktemp)"
cleanup() {
  rm -f "$TMP_ADD" "$TMP_DEL"
}
trap cleanup EXIT

cat > "$TMP_ADD" <<EOF
server ${SERVER}
zone ${ZONE}
update add ${FQDN} 60 TXT \"${VALUE}\"
send
EOF

ADD_OUT="$(nsupdate -v "$TMP_ADD" 2>&1 || true)"

# Give the authoritative server a moment to commit/replicate locally.
sleep 2

DIG_OUT="$(dig +time=3 +tries=1 +short @${SERVER} ${FQDN} TXT 2>/dev/null || true)"

if printf '%s' "$DIG_OUT" | grep -Fq "${VALUE}"; then
  cat > "$TMP_DEL" <<EOF
server ${SERVER}
zone ${ZONE}
update delete ${FQDN} TXT
send
EOF
  nsupdate -v "$TMP_DEL" >/dev/null 2>&1 || true
  echo "VULNERABLE"
  exit 1
fi

if printf '%s' "$ADD_OUT" | grep -Eiq 'connection refused|timed out|no servers could be reached|network is unreachable|temporary failure'; then
  echo "UNKNOWN"
  exit 2
fi

# If the server did not publish the inserted record, treat refusal/non-acceptance as patched.
# Common safe responses include REFUSED, NOTAUTH, NOTZONE, or silent non-acceptance.
echo "PATCHED"
exit 0
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning, treat every tenable:35372 hit as a DNS integrity incident waiting to happen and validate whether the scanner truly inserted a record versus being an allowed updater. Under the noisgate mitigation SLA, apply compensating controls within 30 days: move Windows zones to Secure only, replace permissive RFC 2136 update paths with TSIG/update-policy, disable dynamic updates where unnecessary, and restrict port 53 reachability to legitimate updaters. There is no vendor software patch for this one, so under the noisgate remediation SLA use the 180-day window to finish permanent configuration standardization, re-scan every authoritative zone, and document exceptions where the scanner IP was intentionally authorized to update records.

Sources

  1. Tenable Plugin 35372
  2. Tenable IOE: Unsecure Dynamic DNS Zone Updates Allowed
  3. Microsoft Learn: Dynamic DNS Update in Windows and Windows Server
  4. IETF RFC 2136: Dynamic Updates in the Domain Name System
  5. BIND 9 documentation: Advanced Configurations / Dynamic Update
  6. Nosyk et al. 2024: Don't Get Hijacked
  7. NetSPI: Exploiting Active Directory-Integrated DNS
  8. CISA Known Exploited Vulnerabilities Catalog
Peer Review

What defenders are saying.

Submit a review attribution: handle + country only
0 flags selected · stored anonymously
Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.