DNS cache poisoning

Tony Pizzi

We are running a WIN2K server with DNS that was exploited
with DNS cache poisoning. It was trying to redirect our
email to another server. We found what appeared to be a
fix in the MS knowledgebase article 241352.
It described the fix as follows:

Windows 2000
A Windows 2000-based DNS server can filter out the
responses for these non-secure records.

To enable this feature:
Start Registry Editor (Regedt32.exe).
Locate the following key in the registry:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DNS\Parameters

On the Edit menu, click Add Value, and then add the
following registry value:
Value Name: SecureResponses
Data Type: REG_DWORD
Value: 1 (To eliminate non-secure data)

Quit Registry Editor.
By default, this key does not exist and non-secure data is
not eliminated from responses.

NOTE: On Windows 2000, you can perform the same entry in
the GUI. Use the following steps to do this:


Open DNS Management Console by clicking Start, Programs,
Administrative Tools, DNS.
Right click on the server name in the left window pane.
Choose Properties.
Choose the Advanced tab.
Place a check in the box "Secure cache against pollution".

When we checked this on the server there was no value in
the registry, but when going through the gui the Secure
cache against pollution box was checked.
Should there also be a registry setting when this check
box is enabled?
Any ideas how this server could get exploited with this
setting enabled?

Any assistance would be greatly appreciated.

Steven L Umbach

I checked my W2K dns server and it also has secure from cache poisoning
enabled and there is no entry in the registry. You might also want to post
in the win2000.dns newsgroup for advice. Keep in mind that your dns server
and dns clients cache dns responses for a period of time. You can manually
clear the dns cached zone on your server by right clicking cached lookups
and selecting clear cache. Cached lookup zone will not show until you select
view/advanced in the DNS Management Console. You have to use ipconfig
/flushdns to clear client resolver cache and the dns server has a client dns
cache also. If you are using root hints to resolve dns names on your dns
server you may want to try to forward to your ISP dns server and disable
recursion in the forwarders box to slave your dns server to the ISP dns
server. Of course if they are passing the bad info that will not help and
you may want to try root hints instead. Also check your dns zones to make
sure there are no bogus entries added. --- Steve
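As an added example (not code from the thread, from Tony, Steve, or Microsoft), here is the registry check from KB 241352 and the server/client cache clearing Steve describes, as one PowerShell script. It assumes a later Windows Server DNS host where the same SecureResponses value under the DNS Parameters key applies and dnscmd.exe is present; the function names are mine.

```powershell
# Added example: audit and enforce the "Secure cache against pollution" setting
# (SecureResponses, REG_DWORD) described in KB 241352, then clear both caches.
# Assumption: a Windows Server DNS host where this registry value still applies.
$DnsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'

function Get-DnsSecureResponses {
    # Reports whether SecureResponses is explicitly present in the registry.
    # A missing value is reported as absent rather than assumed to be 0; that is
    # the situation in the thread (GUI box checked, but no registry value).
    $props = Get-ItemProperty -Path $DnsParams -ErrorAction Stop
    if ($null -eq $props.SecureResponses) {
        [pscustomobject]@{ Present = $false; Value = $null; Enabled = 'unknown (server default)' }
    } else {
        [pscustomobject]@{ Present = $true; Value = $props.SecureResponses; Enabled = ($props.SecureResponses -eq 1) }
    }
}

function Enable-DnsSecureResponses {
    # Writes SecureResponses=1 explicitly (-Force overwrites an existing value),
    # restarts the DNS service so the value is read, then drops cached data that
    # may already have been poisoned before the setting took effect.
    [CmdletBinding(SupportsShouldProcess)] param()
    if ($PSCmdlet.ShouldProcess($DnsParams, 'Set SecureResponses=1 and clear caches')) {
        New-ItemProperty -Path $DnsParams -Name SecureResponses -PropertyType DWord -Value 1 -Force | Out-Null
        Restart-Service -Name DNS
        dnscmd /ClearCache   # server resolver cache (the "Cached Lookups" node in the console)
        ipconfig /flushdns   # the server's own client resolver cache
    }
}

$state = Get-DnsSecureResponses
Write-Host "SecureResponses present: $($state.Present)  value: $($state.Value)  enabled: $($state.Enabled)"
if (-not $state.Present -or $state.Value -ne 1) {
    # Prompt before changing the server; drop -Confirm to run unattended.
    Enable-DnsSecureResponses -Confirm
}
```

Run it again after a poisoned record reappears: if the value is present and 1 yet the bad record still comes back, the source is upstream (the forwarder or zone data Steve mentions) rather than the cache setting.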

Guest

Thanks for the suggestions, Steve.

We did clear the cache, but it reappeared again after.