DNS Zone Allowing Unsecure Update
Cayosoft Threat Definition CTD-000091
Protect Your Active Directory
Tune into Guardians of the Directory Podcast.
Like This Article?
Subscribe to our LinkedIn Newsletter to receive more educational content
Risk Summary
An unsecure dynamic update in a DNS zone allows any device authenticated or not to modify DNS records.
This can enable attackers to redirect network traffic, impersonate legitimate services, and harvest credentials.
- Severity: Critical
- Platform: Active Directory
- Category: DNS, Infrastructure
- MITRE ATT&CK Tactics: Defense Evasion, Credential Access
- MITRE D3FEND Tactics: Application Configuration Hardening
Description
Microsoft DNS supports dynamic updates, enabling devices to register and update their DNS records automatically.
However, if the zone is configured for Unsecure and Secure updates, no authentication is required for a DNS update request.
This opens several risks:
- Record Hijacking: Attackers replace an existing host record (e.g., a domain controller or web server) with their own IP address.
- Credential Theft: Redirecting authentication traffic to a rogue server for password capture.
- Service Disruption: Overwriting service records to break legitimate application connectivity.
Cayosoft Guardian detects and flags DNS zones where unsecure dynamic updates are allowed.
Real-World Scenario
A DNS zone for corp.local is configured for unsecure dynamic updates.
An attacker connected to the internal network issues a DNS update request, replacing the IP of dc01.corp.local with their own machine’s IP.
When users attempt to log in, authentication requests are sent to the attacker, who captures NTLM hashes.
Cayosoft Guardian would have detected the unsecure update setting and alerted before exploitation.
Kill Hybrid Drift Before It Becomes Risk with Cayosoft Guardian
Continuous monitoring of every change—who/what/when, no blind spots.
How to Detect (Cayosoft Guardian)
1.) Sign in to Cayosoft Guardian Threat Detection Dashboard.
2.) View All Alerts and search for CTD-000091 or DNS zone allowing unsecure update
3.) Open the alert and click Click for details from the Raise Threat Alert action.
4.) Review Evidence:
- Distinguished Name
Remediation Steps
1.) Using the remediation advice in Cayosoft Guardian, follow these steps to remove the vulnerability:
If changes occurred before Cayosoft Guardian was installed, consider restoring default permissions
2.) Click Start → Administrative Tools → DNS
3.) In the DNS console:
- Double-click the applicable DNS server.
- Expand Forward Lookup Zones or Reverse Lookup Zones.
- Right-click the affected zone → Properties.
3.) On the General tab:
- Ensure the zone type is Active Directory-integrated.
- In Dynamic updates, select Secure only.
3.) Click OK to apply changes.
How to Prevent It
Cayosoft Guardian can proactively detect and alert on DNS zones allowing unsecure updates. It continuously monitors Active Directory, Entra ID, Microsoft 365, and Intune for over 200 misconfigurations, providing early warning before attackers can exploit them.
FAQ
Yes. Even on isolated networks, an internal compromise or rogue device can exploit them.
Secure updates require Active Directory authentication and enforce ACL-based permissions; unsecure updates accept changes from any source.
Final Thought
An unsecure DNS update setting is like leaving your company’s map editable by strangers and attackers will gladly redraw it to lead your users straight into their traps.