Securing against DNS cache poisoning with AD integrated DNS

Guest

Hi,
The following KB article suggests adding a new parameter to the registry
to stop DNS cache poisoning under win2000.
http://support.microsoft.com/default.aspx?scid=kb;en-us;241352

The DNS server I plan to do this with is the primary DNS server for our
forest and
is Active Directory integrated. Will there be any Active Directory
problems/changes caused by making this change?

Cheers,
Geoff.
 
Guest

Hi,
Me again... :)

The KB article also says you can change this using the GUI.
But what is the protection status if the item is checked in the
GUI, but the registry entry is still not present? Is the server
protected or not?

Cheers,
Geoff.
 
Guest

Hi,
Well, fortunately the guys at SANS were able to sort this out for us:
http://isc.sans.org/diary.php?date=2005-04-07
Seems that on Win2000 with SP3 or higher you're safe unless you
are forwarding to an upstream DNS server that is a Windows DNS
server, or a BIND4 or BIND8 server. If the upstream DNS server is
BIND4 or BIND8, use a different server that is BIND9. If it is Windows,
ask to make sure it is protected.

If the upstream DNS is not protected and you forward to it, your
windows DNS server will swallow the poisoned records, whether it is
protected or not. Yikes!

Cheers,
Geoff.
 
Kenneth Porter

> Well, fortunately the guys at SANS were able to sort this out for us:
> http://isc.sans.org/diary.php?date=2005-04-07
> Seems that on Win2000 with SP3 or higher you're safe unless you
> are forwarding to an upstream DNS server that is a Windows DNS
> server, or a BIND4 or BIND8 server. If the upstream DNS server is
> BIND4 or BIND8, use a different server that is BIND9. If it is Windows,
> ask to make sure it is protected.
>
> If the upstream DNS is not protected and you forward to it, your
> Windows DNS server will swallow the poisoned records, whether it is
> protected or not. Yikes!

The easy workaround is not to forward. Just set up root hints, and then
you'll only query authoritative servers.

BTW, is this what shot down all the Comcast DNS servers yesterday? I'm
using my own root hints setup on BIND9 so I was unaffected but there was
a lot of traffic on the Comcast forums last night from people barely
able to do anything due to downed DNS servers.

Hmm, is the client cache in 2k/XP Workstation subject to this same
cascade failure? That would cause problems if Workstation talked
directly to an ISP BIND8 system.
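The two points made in the posts above (the "Secure cache against pollution" / SecureResponses setting drops out-of-tree records only when you resolve iteratively against authoritative servers, and a poisoned forwarder hands the bad record straight back in the answer section, where the filter cannot catch it) are easier to see in a small simulation. The following is an added example, not code from the thread, from Microsoft or from SANS: the RR, Response and Resolver classes, the bailiwick rule, and the sample records (RFC 5737 documentation addresses) are all invented here to model the behaviour described, and the exact rule Windows 2000 applies when deciding whether a record is "in the same domain tree" is assumed to match this simplified name-suffix check.

```python
"""Simulated resolver cache with Windows DNS "Secure cache against pollution".

Added example for the behaviour described in the thread (KB 241352, SANS diary
2005-04-07). It is not Microsoft code and not the thread authors' code; RR,
Response, Resolver and the sample records are invented for illustration, and
the name-suffix bailiwick rule is an assumed simplification of the Windows check.
Addresses use the RFC 5737 documentation ranges.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class RR:
    name: str    # owner name, absolute, e.g. "www.example.com."
    rtype: str   # record type, e.g. "A"
    rdata: str   # record data, e.g. "192.0.2.10"


@dataclass
class Response:
    qname: str                                     # name that was queried
    answer: List[RR] = field(default_factory=list)
    additional: List[RR] = field(default_factory=list)


def _canon(name: str) -> str:
    """Lower-case, absolute form of a DNS name."""
    return name.lower().rstrip(".") + "."


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` equals `zone` or lies below it in the DNS tree."""
    name, zone = _canon(name), _canon(zone)
    if zone == ".":
        return True
    return name == zone or name.endswith("." + zone)


class Resolver:
    """Caching resolver; `secure_responses` models the SecureResponses=1 setting."""

    def __init__(self, secure_responses: bool) -> None:
        self.secure_responses = secure_responses
        self.cache: Dict[Tuple[str, str], str] = {}

    def ingest(self, resp: Response, bailiwick: str) -> List[RR]:
        """Cache the records in `resp`; return the ones that were accepted.

        `bailiwick` is the part of the tree the responding server is trusted
        for: the zone of the authoritative server we asked during iterative
        resolution, or the queried name's own domain when the reply came from
        a forwarder (a forwarder is asked for the name itself, so its answer
        is always "in tree" for that question).
        """
        accepted: List[RR] = []
        for rr in resp.answer + resp.additional:
            if self.secure_responses and not in_bailiwick(rr.name, bailiwick):
                continue   # pollution protection: drop out-of-tree records
            self.cache[(_canon(rr.name), rr.rtype)] = rr.rdata
            accepted.append(rr)
        return accepted


# --- constructed sample traffic ----------------------------------------------
# An attacker has slipped an extra A record for bank.example.net into the
# additional section of example.com's answer (classic cache pollution).
POISONED_GLUE = RR("bank.example.net.", "A", "198.51.100.66")
GOOD_ANSWER = RR("www.example.com.", "A", "192.0.2.10")


def scenario_root_hints(secure_responses: bool) -> Dict[Tuple[str, str], str]:
    """Iterative resolution: we asked example.com's authoritative server."""
    resolver = Resolver(secure_responses)
    resp = Response("www.example.com.", answer=[GOOD_ANSWER], additional=[POISONED_GLUE])
    resolver.ingest(resp, bailiwick="example.com.")
    return resolver.cache


def scenario_forwarder(secure_responses: bool) -> Dict[Tuple[str, str], str]:
    """Forwarding: the upstream was already poisoned and hands the bad record
    back in the answer section for a direct query of bank.example.net."""
    resolver = Resolver(secure_responses)
    resp = Response("bank.example.net.", answer=[POISONED_GLUE])
    # The forwarder was asked for bank.example.net itself, so the reply is in tree.
    resolver.ingest(resp, bailiwick="example.net.")
    return resolver.cache


if __name__ == "__main__":
    for secure in (True, False):
        print(f"SecureResponses={int(secure)} root hints:", scenario_root_hints(secure))
        print(f"SecureResponses={int(secure)} forwarder :", scenario_forwarder(secure))
```

With SecureResponses on, the root-hints scenario caches only www.example.com and discards the injected bank.example.net glue; with it off, both land in the cache. In the forwarder scenario the poisoned record is accepted either way, because the forwarder returned it as the answer to a query for that very name, which is why the only setting that helps there is the upstream server's own protection (or not forwarding at all).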
 
