CreateDNSNode

Summary

FSProtect ACL Alias: CreateDNSNode
AD Alias: Create dnsNode objects
Affected Object Types: OUs, Domains, Containers, dnsZone objects
Exploitation Certainty: Certain
AD Right: CreateChild
AD Class: dnsNode
AD Class GUID: e0fa1e8b-9b45-11d0-afdd-00c04fd930c9

Description

The CreateDNSNode permission in Active Directory allows an account to create new DNS record objects (dnsNode) within DNS zones stored in the directory. In AD-integrated DNS, every hostname stored in a zone is backed by a dnsNode object beneath the dnsZone object in Active Directory. DNS zones are typically located under CN=MicrosoftDNS,DC=DomainDnsZones,DC=<domain> or CN=MicrosoftDNS,CN=System,DC=<domain>. This permission is used legitimately by DNS administrators and services to register new hostnames, service records, and IP mappings.

However, if misconfigured or obtained by an unauthorized principal, CreateDNSNode becomes a critical attack vector. An attacker can register names in the zone that are commonly abused for redirection or credential interception, such as wpad, isatap, internal service hostnames, or attacker-controlled subdomains. In practice, CreateDNSNode is often chained with WriteDnsRecord, GenericAll, or other DNS-zone permissions to fully weaponize the newly created node, but node creation alone is sufficient to mount classic ADIDNS spoofing attacks against name resolution. This enables LDAP relay attacks, credential capture via spoofed services, and persistent man-in-the-middle positioning within the domain.

Identification

PowerShell

Active Directory Module

Using the ActiveDirectory PowerShell module, you can enumerate explicit CreateDNSNode entries on AD-integrated DNS zones. The function enumerates all DNS-bearing naming contexts (DomainDnsZones, ForestDnsZones, and the domain partition itself) so it does not depend on the DnsServer module or on being executed on a DNS server.

1. Find-CreateDNSNode function

2. Scan all AD-integrated DNS zones

3. Scan a specific DNS zone object

4. To exclude default admin ACLs to improve visibility

.NET Directory Services

By leveraging PowerShell's built-in .NET DirectoryServices namespace, you can enumerate CreateDNSNode entries without relying on any external modules or dependencies.

1. Find-CreateDNSNodeSimple function

2. Scan all AD-integrated DNS zones

3. Scan a specific DNS zone

4. To exclude default admin ACLs to improve visibility
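The following function is an added example, not the page's own Find-CreateDNSNode or Find-CreateDNSNodeSimple code; it covers both the ActiveDirectory-module and the .NET DirectoryServices variants above by walking every container that can hold AD-integrated zones and reporting explicit ACEs that grant CreateChild either class-scoped to dnsNode or for all child classes. The list of administrative principals excluded by -ExcludeDefaultAdmins is an assumption and should be tuned to the environment.

```powershell
# Added example (not the page's own code): list explicit ACEs on AD-integrated
# dnsZone objects that allow CreateChild for dnsNode (class-scoped) or for all
# child classes, using only System.DirectoryServices (no DnsServer/AD module).
function Find-DnsZoneCreateChildAces {
    param(
        # Assumption: principals expected to hold these rights; tune per environment.
        [string[]]$DefaultPrincipals = @('NT AUTHORITY\SYSTEM', 'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
                                         'BUILTIN\Administrators', 'CREATOR OWNER'),
        [switch]$ExcludeDefaultAdmins
    )
    $dnsNodeGuid = [guid]'e0fa1e8b-9b45-11d0-afdd-00c04fd930c9'   # schemaIDGUID of dnsNode
    $createChild = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
    $domainDn    = ([ADSI]'LDAP://RootDSE').defaultNamingContext.Value
    # The three containers in which AD-integrated zones can be stored
    $containers  = "CN=MicrosoftDNS,DC=DomainDnsZones,$domainDn",
                   "CN=MicrosoftDNS,DC=ForestDnsZones,$domainDn",
                   "CN=MicrosoftDNS,CN=System,$domainDn"
    foreach ($dn in $containers) {
        if (-not [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$dn")) { continue }
        $searcher = New-Object System.DirectoryServices.DirectorySearcher
        $searcher.SearchRoot = [ADSI]"LDAP://$dn"
        $searcher.Filter     = '(objectClass=dnsZone)'
        $searcher.PageSize   = 500
        foreach ($result in $searcher.FindAll()) {
            $zone = $result.GetDirectoryEntry()
            # Explicit ACEs only ($true, $false); inherited ones come from the parent container
            $rules = $zone.ObjectSecurity.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
            foreach ($ace in $rules) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                # GenericAll contains the CreateChild bit, so this test catches both
                if (($ace.ActiveDirectoryRights -band $createChild) -eq 0) { continue }
                # Empty ObjectType = any child class; dnsNode GUID = class-scoped CreateChild
                if ($ace.ObjectType -eq [guid]::Empty)      { $scope = 'All child classes' }
                elseif ($ace.ObjectType -eq $dnsNodeGuid)   { $scope = 'dnsNode' }
                else { continue }
                # Translate the SID; fall back to the raw SID for orphaned entries
                $who = try { $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value } catch { $ace.IdentityReference.Value }
                if ($ExcludeDefaultAdmins -and ($DefaultPrincipals -contains $who -or
                    $who -match '\\(Domain Admins|Enterprise Admins|DnsAdmins)$')) { continue }
                [pscustomobject]@{
                    Zone      = $zone.distinguishedName.Value
                    Principal = $who
                    Rights    = $ace.ActiveDirectoryRights.ToString()
                    Scope     = $scope
                }
            }
        }
    }
}
# Usage: Find-DnsZoneCreateChildAces -ExcludeDefaultAdmins | Format-Table -AutoSize
```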

DNS Manager

1. Open DNS Manager on the DNS server.

2. Expand the server and locate the target zone under Forward Lookup Zones or Reverse Lookup Zones.

3. Right-click the zone and select Properties.

4. Open the Security tab.

5. Review ACEs granting Create all child objects or class-scoped CreateChild rights that apply to dnsNode creation.

Note: The Security tab in DNS Manager only surfaces a simplified view of the underlying ACL. To inspect the raw nTSecurityDescriptor of the dnsZone object, use ADSI Edit and connect to the DC=DomainDnsZones,DC=<domain>,DC=<tld> partition, then open the Security tab on the relevant dnsZone node.


Exploitation

CreateDNSNode gives the attacker the ability to create the backing AD object for a hostname inside the DNS zone.

Important: Creating a dnsNode object via raw LDAP only produces an empty node. To actually publish a record, the attacker either needs to populate the dnsRecord attribute on the new node (covered by WriteDnsRecord, GenericAll, or being the creator/owner of the new object) or use a tool such as Powermad that performs both operations in one step.

Windows

Using Powermad

Powermad's New-ADIDNSNode cmdlet creates a dnsNode object directly through LDAP and populates the dnsRecord attribute, producing a fully resolvable record in one operation.

Other commonly abused names for ADIDNS spoofing include isatap, autodiscover, and any unresolved internal hostname seen on the wire.

Using the ActiveDirectory Module

When Powermad is unavailable, an empty dnsNode can be created with the built-in ActiveDirectory module. The record data must be added afterward (requires WriteDnsRecord or equivalent).

Resulting object:

Linux

Using Krbrelayx's dnstool.py:

Wildcard record for broad poisoning:

Verify from any domain-joined host:

After injecting the record, combine with Responder or ntlmrelayx to capture or relay credentials from clients resolving the spoofed hostname. Alternatively, bloodyAD exposes equivalent functionality via its dns add subcommand.

Mitigation

Dangerous Access Control Entries should be removed by following the steps below.

1. Open DNS Manager.

2. Right-click the affected zone and open the Security tab.

3. Click Advanced and inspect ACEs that allow non-admin principals to create child dnsNode objects.

4. Remove the dangerous permission entries.

5. Click OK and Apply to save the changes.

For ACEs not surfaced through DNS Manager (class-scoped CreateChild on dnsNode), open ADSI Edit, connect to the DC=DomainDnsZones,DC=<domain>,DC=<tld> partition, right-click the affected dnsZone object, choose Properties > Security > Advanced, and remove the corresponding ACE there.

Additionally, audit existing dnsNode objects within sensitive zones for unexpected records, particularly wildcard entries (*).


Detection

Changes that enable or abuse CreateDNSNode can be detected both at the ACL layer and at the object-creation layer.

| Event ID | Category | Description | Fields/Attributes | References |
| --- | --- | --- | --- | --- |
| 5136 | Audit Directory Service Changes | A directory service object was modified. | ObjectDN, AttributeLDAPDisplayName, ntSecurityDescriptor | https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136 |
| 4662 | Audit Directory Service Access | An operation was performed on an object. | ObjectName, AccessMask, Properties | https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662 |
| 5137 | Audit Directory Service Changes | A directory service object was created. | ObjectDN, ObjectClass | https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5137 |
| 5141 | Audit Directory Service Changes | A directory service object was deleted. | ObjectDN, ObjectClass | https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5141 |
| 515 | DNS Audit | Resource record added. | ZoneName, RecordName, RecordType, RDATA, Source-IP | https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn800669(v=ws.11) |

Detection note: Monitor for 5137 events where ObjectClass = dnsNode and the creating account is not a member of DnsAdmins or Domain Admins. Wildcard record creation (ObjectDN starting with DC=*) is especially high-signal. A strong correlation is an unexpected 5137 event under CN=MicrosoftDNS, followed by a DNS 515 event for the same record name from the same source.
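As an added example (not part of the original page), the following function implements the detection note above against a domain controller's Security log: it keeps 5137 events whose ObjectClass is dnsNode, flags wildcard and commonly abused names and creators outside DnsAdmins or Domain Admins, and checks for a matching DNS audit 515 event on the same server. The group lookup assumes the ActiveDirectory module is available and that the DNS server role runs on the same host as the queried DC.

```powershell
# Added example (not the page's own code): read Security 5137 events from a
# domain controller, keep dnsNode creations, and flag what the Detection note
# calls high-signal. Group lookups assume the ActiveDirectory module.
function Get-SuspiciousDnsNodeCreation {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,   # DC with "Audit Directory Service Changes" enabled
        [datetime]$Since = (Get-Date).AddDays(-1),
        [string[]]$TrustedGroups = @('DnsAdmins', 'Domain Admins'),
        # Names the page lists as commonly abused (assumption: extend with your own service names)
        [string[]]$SensitiveNames = @('wpad', 'isatap', 'autodiscover')
    )
    # Accounts expected to register records: recursive members of the trusted groups
    $trusted = foreach ($g in $TrustedGroups) {
        try { (Get-ADGroupMember -Identity $g -Recursive).SamAccountName } catch { }
    }
    $filter = @{ LogName = 'Security'; Id = 5137; StartTime = $Since }
    foreach ($evt in Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue) {
        # Named EventData fields of 5137 include ObjectDN, ObjectClass, SubjectUserName, SubjectDomainName
        $data = @{}
        foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['ObjectClass'] -ne 'dnsNode') { continue }
        # A dnsNode DN has the form DC=<record name>,DC=<zone>,CN=MicrosoftDNS,...
        $recordName = (($data['ObjectDN'] -split ',', 2)[0]) -replace '^DC=', ''
        $creator    = $data['SubjectUserName']
        $flags = @()
        if ($recordName -eq '*')                        { $flags += 'WildcardRecord' }
        elseif ($SensitiveNames -contains $recordName)  { $flags += 'SensitiveName' }
        if ($trusted -notcontains $creator)             { $flags += 'CreatorNotTrusted' }
        if ($flags.Count -eq 0) { continue }
        # Correlate with DNS audit 515 (resource record added) for the same name after the 5137
        $dnsFilter = @{ LogName = 'Microsoft-Windows-DNSServer/Audit'; Id = 515; StartTime = $evt.TimeCreated }
        $audit = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $dnsFilter -ErrorAction SilentlyContinue |
                 Where-Object { $_.Message -and $_.Message.Contains($recordName) }
        [pscustomobject]@{
            Time        = $evt.TimeCreated
            Creator     = "$($data['SubjectDomainName'])\$creator"
            RecordName  = $recordName
            ObjectDN    = $data['ObjectDN']
            Flags       = $flags -join ','
            DnsAudit515 = [bool]$audit
        }
    }
}
# Usage: Get-SuspiciousDnsNodeCreation -ComputerName DC01 -Since (Get-Date).AddDays(-7) | Format-Table -AutoSize
```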
