Re: Cache Corruption on Microsoft DNS Servers

From: Deji (deji@prontomail.com)
Date: 10/30/01


Message-ID: <004f01c16179$ce6d9630$f701fe0a@commtouch.com>
From: "Deji" <deji@prontomail.com>
To: "Alexandre Freire" <afreire@modulo.com.br>, <focus-ms@securityfocus.com>
Subject: Re: Cache Corruption on Microsoft DNS Servers
Date: Tue, 30 Oct 2001 11:33:52 -0800

Good reading here:

http://www.sans.org/infosecFAQ/firewall/DNS_spoof.htm

Deji
----- Original Message -----
From: "Alexandre Freire" <afreire@modulo.com.br>
To: <focus-ms@securityfocus.com>
Sent: Tuesday, October 30, 2001 12:02 AM
Subject: Cache Corruption on Microsoft DNS Servers

> Hello all ;
>
> I have had a problem at one of the companies I'm providing
> consulting to. Two of the servers are running Windows NT 4.0 and someone has
> changed the contents of the cache data. For a while (that is, the time we spent
> discovering the problem), the www entry was changed to another web site.
>
> Only the secondary DNS Server was affected. The Primary one was not changed.
> I was trying to discover what could have happened when I realized that there
> is a vulnerability on the Microsoft DNS Servers that could lead to Cache
> Corruption.
>
> I've found some documents that explain the vulnerability and all of them
> instruct the creation of the following registry key to avoid the attack ;
>
> HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DNS\Parameters
>
> Value Name: SecureResponses
> Data Type: REG_DWORD
> Value: 1 (To eliminate non-secure data)
>
> Are there any additional procedures I can do in order to avoid this kind of
> attack ? The Server is running SP6a and I've applied the Microsoft Network
> Security Hotfix Checker 3.2 in order to look for post-SP6a fixes I could
> apply to fix the DNS problem and it did not return any hotfix regarding this
> issue.
>
> Thanks for your attention.
> Regards
>
> Alex.
>
>
> The following is a copy of the Incident Note published on CERT :
>
>
> CERT® Incident Note IN-2001-11
> Cache Corruption on Microsoft DNS Servers
>
> Systems Affected
> Microsoft Windows NT 4.0 and Windows 2000 systems running Microsoft DNS
> Server
>
> I - Overview
> The CERT/CC has received reports from sites experiencing cache corruption on
> systems running Microsoft DNS Server. The default configuration of this
> software allows data from malicious or incorrectly configured servers to be
> cached in the DNS server. This corruption can result in erroneous DNS
> information later being returned to any clients which use this server.
>
> II - Description
> In the default configuration, Microsoft DNS server will accept bogus glue
> records from non-delegated servers. These bogus records will be added to the
> cache when a client attempts to resolve a particular hostname served by a
> malicious or incorrectly configured DNS server. The client can be coerced to
> request such a hostname as a result of an otherwise non-malicious piece of
> HTML email (such as spam) or in banner advertisements on websites, to give
> some examples.
> Based on information contained in reports of this activity, there are sites
> actively engaged in this deceptive DNS resolution. These reports indicate
> that malicious DNS servers are providing bogus glue records for the generic
> top-level domain servers (gtld-servers.net), potentially resulting in
> erroneous results (e.g., failed resolution or redirection) for any DNS
> request.
>
> More information about the problem can be found at
> VU#109475 - Microsoft Windows NT and 2000 Domain Name Servers allow
> non-authoritative RRs to be cached by default
> http://www.kb.cert.org/vuls/id/109475
>
> Secure server cache against names pollution
> http://www.microsoft.com/WINDOWS2000/en/server/help/sag_DNS_pro_SecureCachePollutedNames.htm
>
> How to Prevent DNS Cache Pollution (Q241352)
> http://support.microsoft.com/support/kb/articles/Q241/3/52.ASP
> http://msdn.microsoft.com/library/en-us/regentry/46753.asp
>
> Alex Freire, GCFW - Modulo Security Solutions
> Rio de Janeiro - RJ - Brazil.
>
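Added example, not from the original post, CERT or Microsoft: the bailiwick check that SecureResponses=1 turns on, written in Python. The queried zone, record names and addresses below are constructed (documentation address ranges); a response is modelled as just its Additional section.

```python
# Added example (not code from the thread, CERT or Microsoft): a bailiwick
# filter of the kind that SecureResponses=1 enables. A resolver that caches
# every glue record from the Additional section, regardless of which zone the
# answering server was asked about, behaves as IN-2001-11 describes. With the
# filter on, only records whose owner name falls inside the zone the server
# is responsible for are kept.
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class RR:
    name: str    # owner name, e.g. "a.gtld-servers.net."
    rtype: str   # record type, e.g. "A"
    rdata: str   # record data, e.g. an IPv4 address


def _norm(name: str) -> str:
    """Lower-case the name and ensure exactly one trailing dot."""
    return name.rstrip(".").lower() + "."


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` equals `zone` or is a subdomain of it (root matches all)."""
    n, z = _norm(name), _norm(zone)
    if z == ".":
        return True
    return n == z or n.endswith("." + z)


def filter_additional(zone: str, additional: List[RR], secure: bool) -> List[RR]:
    """Return the Additional-section records the resolver would cache.
    secure=False mirrors the NT 4.0 / 2000 default (cache everything);
    secure=True mirrors SecureResponses=1 (drop out-of-bailiwick records)."""
    if not secure:
        return list(additional)
    return [rr for rr in additional if in_bailiwick(rr.name, zone)]


# Constructed response from a server that is delegated only example.com. but
# adds a bogus glue record for the gTLD servers (the pattern in IN-2001-11).
CONSTRUCTED_ADDITIONAL = [
    RR("www.example.com.", "A", "192.0.2.10"),        # legitimate, in zone
    RR("a.gtld-servers.net.", "A", "198.51.100.66"),  # out of bailiwick
]


def cached_names(secure: bool) -> List[str]:
    """Owner names that would end up in the cache for the constructed response."""
    kept = filter_additional("example.com.", CONSTRUCTED_ADDITIONAL, secure)
    return [rr.name for rr in kept]
```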


