Registry key for "QueryIpMatching"

From: Makoto Shiotsuki (shio@st.rim.or.jp)
Date: 07/30/02


Date: Tue, 30 Jul 2002 13:30:41 +0900
To: focus-ms@securityfocus.com
From: Makoto Shiotsuki <shio@st.rim.or.jp>

As described in the CERT Vulnerability Note VU#458659, there is
a registry entry "QueryIpMatching" to prevent W2K DNS resolver
from accepting responses from non-queried DNS servers.

Many documents including VU#458659, ISS X-Force#4280, and DNS
white papers from Microsoft indicate that the registry location
for "QueryIpMatching" is;

  HKLM\System\CurrentControlSet\Services\Dnscache\Parameters

But as far as I and another person tried, correct location is;

  HKLM\System\CurrentControlSet\Services\Tcpip\Parameters

This registry location (...\Tcpip\Parameters) is described in
"Microsoft Windows 2000 TCP/IP Implementation Details".

I hope this confusion will be cleared up.

References:

  CERT/CC Vulnerability Note VU#458659
  http://www.kb.cert.org/vuls/id/458659

  ISS X-Force win2k-dns-resolver (4280)
  http://www.iss.net/security_center/static/4280.php

  DNS Caching, Network Prioritization, and Security
  http://www.microsoft.com/
         technet/prodtechnol/winxppro/reskit/prjj_ipa_vitx.asp

  Microsoft Windows 2000 TCP/IP Implementation Details
  http://www.microsoft.com/
         TechNet/itsolutions/network/deploy/depovg/tcpip2k.asp

(Thanks Noda-san for the testing ;)

Makoto Shiotsuki