About two years ago, SANS Handler's Diary reported that Windows DNS server is vulnerable to the cache poisoning attack despite "Secure cache against pollution" setting if it is configured to forward requests to the forwarder DNS server [1][2]. ------------------------------------------------------------------------ Windows DNS Cache Poisoning by Forwarder DNS Spoofing 2007.4.16 Makoto Shiotsuki < shio@st.rim.or.jpThis e-mail address is being protected from spam bots, you need JavaScript enabled to view it > Introduction ============ According to the Handler's Diary, this poisoning attack against Windows DNS would be successful in the case when the forwarder DNS server itself is vulnerable to the poisoning attack or the forwarder DNS server does not filter out the bogus records in the poisoning attack. So, it is believed that using Bind9 as forwarder is safe to protect Windows DNS server from cache poisoning attack through forwarder. But there seems to be other possible scenario, and in this case, the possibility of successful attack does not depend on the type or version of the forwarder DNS server. Therefore, the risk of the Windows DNS cache poisoning attack is higher than generally perceived. As far as I tried, DNS service of the Windows Server 2003 SP2 still has this vulnerability. Details ======= As described above, Windows DNS is vulnerable to the cache poisoning attack through the forwarder DNS server. This seems because Windows DNS blindly trusts replies from forwarder DNS and caches every resource records regardless of their domain. Windows DNS also has characteristic that it is vulnerable to the DNS spoofing attack using "birthday attack" [3]. By sending multiple simultaneous queries and forged replies to the Windows DNS server, attacker can inject a spoofed reply relatively easily if its arrival is earlier than the reply from the legitimate DNS server. Both of these are known vulnerabilities (or characteristics? on Windows DNS, and each of them individually is not high risk because they require some preconditions to be successfully exploited. However, by executing the cache poisoning attack in conjunction with DNS spoofing, it will be more effective attack and the risk will be higher than before. Following is the scenario. +-----------+ (1)Query +-----------+ | | -------------------------> | | | | -------------------------> | | | Attacker | -------------------------> | Windows | | | | DNS | | | -------------------------> | | | | -------------------------> | (Victim) |(6)Poisoned!! | | -------------------------> | | +-----------+ (5)Answer(poisoning) +-----------+ ||| ||| (2)Query ||| vvv +-----------+ (3)Query +-----------+ | | <------------------------- | | | | <------------------------- | | | Attacker | <------------------------- | Forwarder | | DNS | | DNS | | | | | | | (4) no reply | | | | | | +-----------+ +-----------+ 1) Attacker sends multiple simultaneous recursive queries (e.g. 500 queries) to the Windows DNS server, resolving the name in attacker's domain. 2) Windows DNS forwards those queries to the Forwarder DNS server. 3) Forwarder DNS sends queries to the Attacker DNS server to resolve the name. 4) Attacker DNS does not reply at all and Forwarder DNS waits for timeout. 5) Attacker sends multiple simultaneous replies (e.g. 500 replies) spoofing Forwarder DNS ip address with random query id. Each reply includes forged resource records to poison the Windows DNS cache. 6) Windows DNS accepts certain spoofed reply if its query id matches one of the queries from the Windows DNS and finally Windows DNS cache is poisoned. To accomplish this attack, the attacker must know the udp port number of the Windows DNS server. The attacker can know it simply by sending a query packet to the Windows DNS server resolving some names in attacker's domain, because, by default, Windows DNS issues recursive query by itself if the forwarder does not respond. (This behavior can be changed using the DNS property window by setting "Do not use recursion for this domain" check box ON.) Windows DNS uses same source port number unless the service restarts. Thus the attacker can use this port number for the attacking reply packets as udp destination port. Affected products ================= Windows Server 2003 (up to and including SP2) Windows 2000 Server (up to and including SP4) Vendor status ============= According to Microsoft response I've got through IPA/ISEC, this kind of poisoning attack is caused by design of the Windows DNS service, and they are considering the design change at service pack level. Solutions ========= Stop using forwarder. Mitigating factors ================== Reject recursive queries to the Windows DNS server from outside of the site. This will help to prevent direct attacks from the Internet. References ========== [1] _http://isc.sans.org/presentations/dnspoisoning.html [2] _http://isc.sans.org/diary.php?date=2005-04-07 [3] _http://www.lurhq.com/cachepoisoning.html (с) governmentsecurity.org