DNS cache poisoning

From: Tony Pizzi (anonymous_at_discussions.microsoft.com)
Date: 09/29/04


Date: Wed, 29 Sep 2004 06:31:33 -0700

We are running a WIN2K server with DNS that was exploited
with DNS cache poisoning. It was trying to redirect our
email to another server. We found what appeared to be a
fix in the MS knowledgebase article 241352.
It described the fix as follows:

Windows 2000
A Windows 2000-based DNS server can filter out the
responses for these non-secure records.

To enable this feature:
Start Registry Editor (Regedt32.exe).
Locate the following key in the registry:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DNS\Parameters

On the Edit menu, click Add Value, and then add the
following registry value:
Value Name: SecureResponses
Data Type: REG_DWORD
Value: 1 (To eliminate non-secure data)

Quit Registry Editor.
By default, this key does not exist and non-secure data is
not eliminated from responses.

NOTE: On Windows 2000, you can perform the same entry in
the GUI. Use the following steps to do this:

Open DNS Management Console by clicking Start, Programs,
Administrative Tools, DNS.
Right click on the server name in the left window pane.
Choose Properties.
Choose the Advanced tab.
Place a check in the box "Secure cache against pollution".

When we checked this on the server there was no value in
the registry, but when going through the GUI the Secure
cache against pollution box was checked.
Should there also be a registry setting when this check
box is enabled?
Any ideas how this server could get exploited with this
setting enabled?

Any assistance would be greatly appreciated.
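One way to audit the setting the article describes, as an added example that is not part of the original post or of the KB article: it reads the SecureResponses registry value exactly as KB 241352 names it and, on a current Windows Server where the DnsServer PowerShell module exists (it did not on Windows 2000), compares it with the cache-pollution setting the server actually reports. The function name and the interpretation strings are this example's own.

```powershell
# Added example (not from the original post or from KB 241352): compare the
# SecureResponses registry value with the DNS server's effective setting.
# Assumes a current Windows Server; Get-DnsServerCache comes from the
# DnsServer module and is absent on Windows 2000.
function Get-DnsCachePollutionAudit {
    [CmdletBinding()]
    param(
        # Key named in KB 241352 (HKEY_LOCAL_MACHINE written as the HKLM: drive).
        [string]$RegistryPath = 'HKLM:\System\CurrentControlSet\Services\DNS\Parameters'
    )

    $audit = [ordered]@{
        RegistryValue    = $null   # $null = SecureResponses value is absent
        EffectiveSetting = $null   # EnablePollutionProtection, if readable
        Finding          = ''
    }

    # Read the value the KB article says must be set to 1 (REG_DWORD).
    $item = Get-ItemProperty -Path $RegistryPath -Name 'SecureResponses' -ErrorAction SilentlyContinue
    if ($null -ne $item) {
        $audit.RegistryValue = [int]$item.SecureResponses
    }

    # Ask the server what it is actually enforcing (newer Windows only).
    if (Get-Command Get-DnsServerCache -ErrorAction SilentlyContinue) {
        $audit.EffectiveSetting = [bool](Get-DnsServerCache).EnablePollutionProtection
    }

    if ($audit.RegistryValue -eq 1) {
        $audit.Finding = 'Enabled via registry (SecureResponses = 1)'
    }
    elseif ($audit.RegistryValue -eq 0) {
        $audit.Finding = 'Explicitly disabled (SecureResponses = 0); non-secure data is not filtered'
    }
    elseif ($audit.EffectiveSetting -eq $true) {
        $audit.Finding = 'Registry value absent, but the server reports pollution protection enabled'
    }
    else {
        $audit.Finding = 'Not confirmed: value absent and no effective setting read; check the Advanced tab in the DNS console'
    }

    [pscustomobject]$audit
}

# Run from an elevated prompt on the DNS server itself.
Get-DnsCachePollutionAudit | Format-List
```

The three fields answer the poster's question directly: an absent registry value and a server that still reports protection on are shown side by side instead of having to be checked in two different tools.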