Security Incidents mailing list archives

Previous By Date Next
Previous By Thread Next

Re: DNS cache poisoning?

From: "Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <sbradcpa () pacbell net>
Date: Tue, 16 Aug 2005 20:58:04 -0700
While Windows NT should be killed off....the reality is in my community where the use of DNS forwarders is common..we were at risk from ISPs who had yet to upgrade to BIND 9.
SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System - Current Infosec News and Analysis: 
http://isc.sans.org/diary.php?date=2005-04-07


   DNS cache poisoning update
We have received more technical details on the software configurations that are vulnerable. Thanks to Microsoft for clarifying details on Windows DNS and thanks to numerous others for reporting. We try to get all the technical details right before publishing information on attacks like this, but if we waited until we were 100% sure all the time, we would never be able to notify the community when the attacks are actually happening.
On Windows 2000 SP3 and above, the DNS server DOES protect against DNS cache pollution by default. The registry key to protect against the poisoning is not necessary: the value is TRUE if the registry key does not exist. Microsoft has now corrected the KB article that we published earlier with this information.
http://support.microsoft.com/default.aspx?scid=kb;en-us;241352 http://support.microsoft.com/kb/316786 On Windows 2000, you should manage the DNS cache protection security setting through the DNS Management Console. On Windows 2000 below SP3, the "Secure cache against pollution" is not the default so you should enable it using the DNS Management Console. On Windows 2000 SP3 and above (and Windows 2003), the secure setting is the default (even if the registry key does not exist).
Our recommendation is to only set the registry key (HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DNS\Parameters) on Windows NT4. Otherwise, use the DNS Management Console. If you are on Windows 2000 and you created the key already, you are safe to leave it in place as long as the value is "1".
There seems to be other possible scenarios where cache poisoning can occur. When forwarding to another server, Windows DNS servers expects the upstream DNS server to scrub out cache poisoning attacks. The Windows DNS server accepts all data that it receives, regardless of the setting for protecting against cache poisoning. So vulnerability of the attack depends upon whether the upstream DNS server is filtering out the attack.
We are currently trying to determine the behavior of DJBDNS, and BIND versions 4, 8, and 9 when acting as a forwarder. We are asking for assistance from the community to determine their behavior so write us if you have details. It appears that BIND4 and BIND8 do not scrub the data, whereas BIND9 does. See the following scenarios:
Windows DNS --> forwarding to BIND4 or BIND8. Windows DNS server assumes that BIND scrubs out the poisoning attempt. BIND4 and BIND8 do NOT appear to scrub the attack. Windows DNS trusts the data and the Windows DNS cache will become poisoned.
Windows DNS --> forwarding to BIND9. This configuration seems to be secure because BIND9 scrubs the poisoning attempt.
Windows DNS (slave) --> forwarding to Windows DNS (master). In this scenario, your vulnerability is based on the vulnerability of the master. If the master is vulnerable, then it will be poisoned and forward the attack to the slave server, which will also be poisoned. However, if the master is secure then both servers should be safe.
The following recommendations are based on the current assumption that BIND4 and BIND8 forwarders will not filter the cache poisoning attack to its downstream clients. If we find out that this is not the case, then the recommendations may not be valid. If you have Windows DNS servers forwarding to BIND4 or BIND8, you should start investigating an upgrade of those BIND servers to BIND9. If upgrading to BIND9 would not be a possibility, a secondary recommendation would be to turn off the forwarding on Windows DNS and allow the server to contact the Internet directly so that it can apply the proper protection against cache poisoning. If you run an ISP and have clients that are using your DNS servers as forwarders, you may want to consider upgrading your resolvers to BIND9 in order to protect your clients.
Alternatively, if you have Windows DNS servers that are functioning as forwarders then you should verify that those machines are protected, which should protect the rest of the DNS servers behind it. 



Willard Van Dyne wrote:


At 12:27 AM 8/17/2005, you wrote:


Why are you using NT4?

..back to lurking...
Believe me, sir, that's what I asked the company when I got on the project. I could list all the answers I got, but they belong on some other mailing list (the one for management, I think). :-) If it were up to me, I'd purge all presence of Windows from the workplace (apologies to MS users), but that's just not possible yet.
We have replaced the DNS machine with a Red Hat box, which works well, but we still have to *accurately* document the issue, in case we or an allied company have to deal with another, similar incident. 
Every lead that could help us is appreciated. :-)
Previous By Date Next
Previous By Thread Next

Current thread: