DNS cache poisoning

From: Tony Pizzi (anonymous_at_discussions.microsoft.com)
Date: 09/29/04

Date: Wed, 29 Sep 2004 06:31:33 -0700

We are running a WIN2K server with DNS that was exploited
with DNS cache poisoning. It was trying to redirect our
email to another server. We found what appeared to be a
fix in the MS knowledgebase article 241352.
It described the fix as follows:

Windows 2000
A Windows 2000-based DNS server can filter out the
responses for these non-secure records.

To enable this feature:
Start Registry Editor (Regedt32.exe).
Locate the following key in the registry:

On the Edit menu, click Add Value, and then add the
following registry value:
Value Name: SecureResponses
Data Type: REG_DWORD
Value: 1 (To eliminate non-secure data)

Quit Registry Editor.
By default, this key does not exist and non-secure data is
not eliminated from responses.

NOTE: On Windows 2000, you can perform the same entry in
the GUI. Use the following steps to do this:

Open DNS Management Console by clicking Start, Programs,
Administrative Tools, DNS.
Right click on the server name in the left window pane.
Choose Properties.
Choose the Advanced tab.
Place a check in the box "Secure cache against pollution".

When we checked this on the server there was no value in
the registry, but when going through the gui the Secure
cache against pollution box was checked.
Should there also be a registry setting when this check
box is enabled?
Any ideas how this server could get exploited with this
setting enabled?

Any assistance would be greatly appreciated.
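The post quotes KB 241352 but the registry key path itself is missing from the quoted text. The following is an added PowerShell audit script, not code from the post or from Microsoft, that checks for the SecureResponses value and reports the state the way the KB describes it (absent = not filtered). It assumes the DNS service parameters live under HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters on the DNS server, and that you run it with administrator rights on that server.

```powershell
# Added example (not from the post or from KB 241352): audit the "Secure cache
# against pollution" setting through the registry value the KB describes.
# Assumption: the DNS service keeps its parameters under this key.
$DnsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$ValueName = 'SecureResponses'

function Get-DnsSecureResponsesState {
    # Returns an object describing whether SecureResponses is present and set to 1.
    $props = Get-ItemProperty -Path $DnsParams -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $props) {
        # The situation in the post: nothing in the registry under this name.
        # KB 241352 says that with the value absent, non-secure data is not eliminated.
        return [pscustomobject]@{
            Present = $false
            Value   = $null
            Enabled = $false
            Note    = 'SecureResponses absent; per KB 241352 non-secure data is not filtered'
        }
    }
    $v = [int]$props.$ValueName
    if ($v -eq 1) {
        $note = 'SecureResponses = 1; cache pollution protection enabled'
    } else {
        $note = "SecureResponses = $v; value present but not 1"
    }
    return [pscustomobject]@{
        Present = $true
        Value   = $v
        Enabled = ($v -eq 1)
        Note    = $note
    }
}

function Set-DnsSecureResponses {
    # Creates or overwrites the REG_DWORD value with 1, as the KB's manual steps do.
    if (-not (Test-Path $DnsParams)) {
        throw "DNS parameters key not found: $DnsParams (is this a DNS server?)"
    }
    New-ItemProperty -Path $DnsParams -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
    return Get-DnsSecureResponsesState
}

# Usage: audit only (what the poster wanted to verify).
Get-DnsSecureResponsesState | Format-List

# Usage: remediate, uncomment to apply on the DNS server.
# Set-DnsSecureResponses | Format-List
```

Run the audit first; if it reports the value absent while the GUI checkbox is ticked, that is exactly the discrepancy the poster describes, and setting the value explicitly removes the ambiguity so the registry and the console agree.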
