Incomplete DNS Zone Enumeration
For testing purposes I have created DNS zones with replication scopes of Domain, Forest and Legacy. Running PingCastle 3.3.0.1 will only output zones with a scope of Domain and Legacy, but not those in Forest when assessing rules A-DnsZoneAUCreateChild, A-DnsZoneUpdate1 and A-DnsZoneUpdate2.
Is this intended or a bug? To my understanding, AD integrated zones have different locations depending on their scope:
Forest: CN=MicrosoftDNS,DC=ForestDnsZones,DC=domain,DC=local
Domain: CN=MicrosoftDNS,DC=DomainDnsZones,DC=domain,DC=local
Legacy: CN=MicrosoftDNS,CN=System,DC=domain,DC=local
I don't find any reference in the code for Forest based zones.
Edit: The same issue arises for setups where someone created a custom application directory partition for his DNS as replication scope and has some zones in there. Those zones are found in CN=MicrosoftDNS,DC={Partition_Name}
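For anyone who wants to check their own environment for the gap described above, the following PowerShell script is an added example (it is not PingCastle code and is not taken from the original post). It enumerates the dnsZone objects under every CN=MicrosoftDNS container the forest exposes: the legacy location under CN=System, DomainDnsZones, ForestDnsZones and any custom application partition, and then lists ACEs on each zone that grant broad principals CreateChild or write rights, which is the condition the three rules named above are meant to detect. It assumes the ActiveDirectory module is installed, the account running it has read access to the partitions, and the connected DC hosts (or can proxy) each partition; the scope labels derived from the DN are a convenience of this script, not a PingCastle field.

```powershell
# Added example (not PingCastle code): enumerate AD-integrated DNS zones in every
# replication scope, including ForestDnsZones and custom application partitions,
# and report ACEs that give broad principals create/write rights on the zone.
# Assumes the ActiveDirectory module and a domain-joined account with read access.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$domainDN = $rootDse.defaultNamingContext
$forest   = Get-ADForest

# Candidate containers: the legacy location under CN=System plus one container per
# application partition (DomainDnsZones, ForestDnsZones, any custom partition).
$containers = @("CN=MicrosoftDNS,CN=System,$domainDN")
foreach ($partition in $forest.ApplicationPartitions) {
    $containers += "CN=MicrosoftDNS,$partition"
}

# Principals that should normally not hold create/write rights on a zone object.
$broadPrincipals = 'Everyone|Authenticated Users|Anonymous'
$writeRights = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild,WriteProperty,GenericWrite,GenericAll'

$results = foreach ($container in $containers) {
    # Skip partitions that carry no DNS data or are not hosted by the connected DC.
    try {
        $null = Get-ADObject -Identity $container -ErrorAction Stop
    } catch {
        continue
    }

    # Scope label derived from the container DN (script convention, for readability).
    $scope = switch -Regex ($container) {
        '^CN=MicrosoftDNS,CN=System,' { 'Legacy' }
        'DC=DomainDnsZones,'          { 'Domain' }
        'DC=ForestDnsZones,'          { 'Forest' }
        default                       { 'CustomPartition' }
    }

    Get-ADObject -SearchBase $container -SearchScope OneLevel `
                 -Filter 'objectClass -eq "dnsZone"' -Properties nTSecurityDescriptor |
        ForEach-Object {
            # Keep only Allow ACEs for broad principals that include a create/write right.
            $broad = $_.nTSecurityDescriptor.Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $_.IdentityReference.Value -match $broadPrincipals -and
                (($_.ActiveDirectoryRights -band $writeRights) -ne 0)
            }
            [pscustomobject]@{
                Zone      = $_.Name
                Scope     = $scope
                Container = $container
                BroadACEs = ($broad | ForEach-Object {
                                "$($_.IdentityReference.Value):$($_.ActiveDirectoryRights)"
                            }) -join '; '
            }
        }
}

$results | Sort-Object Scope, Zone | Format-Table -AutoSize
```

Run it from a domain-joined host with the RSAT AD module; zones that appear with a Scope of Forest or CustomPartition but are absent from the PingCastle report for these rules are the ones the issue describes. Because application partitions replicate only to the DCs enrolled in them, run the script against a DC that hosts all partitions (a GC in the forest root is usually the safest choice) so that no container is silently skipped.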
Hi there, sorry for not actually replying with a comment when you initially posted this. We have internally fixed some of these issues now and should release an update soon. I will double check the code and make sure it is resolved for all 3 risks mentioned, but I am pretty sure it is.
This should be in our next 3.4.2 release.