COMMAND

    DNS

SYSTEMS AFFECTED

    NT DNS Server

PROBLEM

    Roy Hills found the following. He noticed that the Microsoft DNS
    server on NT Server 4.0 leaks the administrator account name in
    the "contact" field of the DNS SOA record for all zones that it
    is authoritative for. For example, a DNS lookup for the SOA
    record of "domain.com" might give the following answer if the
    built-in administrator's account name is the default of
    "Administrator" and that account was used to add the "domain.com"
    DNS zone:

        domain.com.   86400 SOA  ns.domain.com. administrator.domain.com. (
                  2000062001  ; serial
                  7200   ; refresh (2 hours)
                  3600   ; retry (1 hour)
                  1209600   ; expire (14 days)
                  86400 )   ; minimum (1 day)

    If  the  administrator  account  name  had  been  renamed from the
    default  "Administrator"   to  "Hardman",   the  SOA   record  for
    subsequently created zones would be:

        domain.com.   86400 SOA  ns.domain.com. hardman.domain.com. (
                  2000062001  ; serial
                  7200   ; refresh (2 hours)
                  3600   ; retry (1 hour)
                  1209600   ; expire (14 days)
                  86400 )   ; minimum (1 day)

    It looks like  the SOA contact  field is being  generated from the
    username that  was used  to add  the DNS  zone using  DNS manager.
    Often this will be the built-in administrator account.

    Most  NT  security  guides  advise  administrators  to  rename the
    built-in Administrator account to a hard-to-guess name.   However,
    if the NT  server is acting  as a DNS  server using Microsoft  DNS
    server  software,  it  is  possible  to  determine the name of the
    administrator account from an SOA query.

SOLUTION

    It is possible to manually change the contact e-mail address in
    the SOA record to prevent this information leakage, but most
    people won't bother to do this and will leave it at the default.
    I suggest that people who are concerned about this manually
    change their SOA record contact details to something generic
    like "postmaster@domain.com" until a fix becomes available.

    NT puts the account name in the SOA based on who created the zone.
    A simple example: create a user called foo. Give foo
    administrative privileges, and then create a zone while you are
    logged in as user foo. The zone will now have foo in the SOA
    record as a contact. Whether it is the administrator's account
    or not has no relevance to this whatsoever; the SOA is
    assigned the login name of the CREATOR of the zone file.

    All  domains  should  have  a  "postmaster"  and "hostmaster" role
    mailbox (or  distribution list,  alias, whatever).   The "correct"
    role mailbox to  use given these  two required mailboxes  would be
    "hostmaster".  Not that it  _really_ matters which one you  use as
    long as it's stated in the  SOA record.  As said, you  should have
    a "hostmaster" mailbox  regardless of which  is listed in  the SOA
    record.

    For  more  info  on  commonly  used  role mailboxes (including the
    above), please see RFC  2142: "Mailbox names for  common services,
    roles and functions":

        http://www.imc.org/rfc2142

    It's actually very informative reading and only a few pages long.
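    As an added example (not part of the original advisory), here is a
    small Python check a zone administrator can run over their own SOA
    records to see whether the contact field exposes an account name
    rather than one of the RFC 2142 role mailboxes recommended above. It
    decodes the RNAME per RFC 1035 (the first unescaped dot separates the
    mailbox from the domain, and a dot inside the mailbox is written as
    "\."). The sample records are constructed from the ones shown above.

```python
import re

# RFC 2142 role mailboxes that are appropriate as an SOA contact.
ROLE_MAILBOXES = {"hostmaster", "postmaster"}
# Owner name, then optional TTL/class, then "SOA", then MNAME and RNAME.
SOA_RE = re.compile(r"^\s*(\S+)\s+(?:(?:\d+|IN)\s+)*SOA\s+(\S+)\s+(\S+)",
                    re.MULTILINE)

def rname_to_mailbox(rname: str) -> str:
    """Decode an SOA RNAME (RFC 1035 3.3.13): the first unescaped dot
    separates the mailbox local part from the domain; a literal dot in
    the local part is written as '\\.'."""
    labels, cur, i = [], "", 0
    while i < len(rname):
        ch = rname[i]
        if ch == "\\" and i + 1 < len(rname):   # escaped character
            cur += rname[i + 1]
            i += 2
            continue
        if ch == ".":
            labels.append(cur)
            cur = ""
        else:
            cur += ch
        i += 1
    if cur:                                     # no trailing dot
        labels.append(cur)
    return labels[0] + "@" + ".".join(labels[1:])

def audit_soa(record_text: str) -> dict:
    """Extract the SOA contact and report whether it is a role mailbox."""
    m = SOA_RE.search(record_text)
    if not m:
        raise ValueError("no SOA record found")
    zone, _mname, rname = m.groups()
    mailbox = rname_to_mailbox(rname)
    local_part = mailbox.split("@", 1)[0].lower()
    return {"zone": zone.rstrip("."), "contact": mailbox,
            "role_mailbox": local_part in ROLE_MAILBOXES}

# Constructed samples modelled on the records shown in the advisory.
LEAKY_SOA = "domain.com.   86400 SOA  ns.domain.com. administrator.domain.com. (\n   2000062001 ; serial"
RENAMED_SOA = "domain.com.   86400 IN SOA ns.domain.com. hardman.domain.com. ("
FIXED_SOA = "domain.com.   86400 SOA  ns.domain.com. hostmaster.domain.com. ("

if __name__ == "__main__":
    for rec in (LEAKY_SOA, RENAMED_SOA, FIXED_SOA):
        r = audit_soa(rec)
        status = "ok" if r["role_mailbox"] else "not a role mailbox, may expose an account name"
        print(f"{r['zone']}: contact {r['contact']} -> {status}")
```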