Microsoft DNS resolver may accept responses from non-queried hosts
| win2k-dns-resolver (4280) |
Description:
Windows 2000 includes a DNS (Domain Name System) resolver service (the DNS Client service, Dnscache), which is the local agent that sends name queries on behalf of applications and caches the answers. For performance reasons, the default configuration does not check that a response came from the server the query was sent to, so the resolver accepts responses from hosts that it did not query. This is a security risk: a malicious user who delivers a response matching an outstanding query can place false DNS information in the resolver cache, redirecting connections or disrupting operation.
Platforms Affected:
- Microsoft, Windows 2000
- Microsoft, Windows 2003 Server
Remedy:
Restrict the DNS caching resolver service to accept responses only from queried hosts.
CAUTION: Use Registry Editor at your own risk. Any change made with Registry Editor may cause severe and irreparable damage and may require you to reinstall your operating system. Internet Security Systems cannot guarantee that problems caused by the use of Registry Editor can be solved.
To restrict the DNS caching resolver service:
- Using Regedit, find the HKLM\SYSTEM\CurrentControlSet\Services\DnsCache\Parameters registry key.
- Find the registry entry named QueryIpMatching (a REG_DWORD value; create it if it is not present). The default value is 0x0 (accept responses from all hosts).
- Set the value to 0x1 (only accept responses from the queried hosts).
- Restart the DNS Client service (or reboot) so that the resolver reads the new value.
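The following model of the resolver's response-acceptance check is an added illustration written for this entry; it is not Microsoft's resolver code nor anything published by ISS. It shows what the default behaviour described above and the QueryIpMatching remedy change: with matching off, a response from a host that was never queried is accepted into the cache as long as it matches an outstanding query; with matching on, the response must also come from the queried server. The Resolver class, its field names, and the sample query and response addresses are constructed for the example, and the model is simplified (a real resolver also checks the source port and the full question section).

```python
"""Illustrative model of a stub resolver's response-acceptance check.

Written for this advisory entry to show the effect of the QueryIpMatching
setting. Not the Windows resolver's code; all names and addresses below
are constructed for the example.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Query:
    txid: int      # 16-bit DNS transaction ID chosen by the resolver
    qname: str     # name being resolved
    server: str    # IP address of the DNS server the query was sent to


@dataclass(frozen=True)
class Response:
    txid: int      # transaction ID carried in the response header
    qname: str     # name in the question section of the response
    answer: str    # address carried in the answer section
    source: str    # IP address the response actually arrived from


@dataclass
class Resolver:
    query_ip_matching: bool                      # models the registry value (0 = False, 1 = True)
    pending: dict = field(default_factory=dict)  # txid -> outstanding Query
    cache: dict = field(default_factory=dict)    # qname -> cached answer

    def send(self, txid: int, qname: str, server: str) -> None:
        """Record a query as outstanding (the wire send is not modelled)."""
        self.pending[txid] = Query(txid, qname, server)

    def receive(self, r: Response) -> bool:
        """Return True if the response was accepted and cached."""
        q = self.pending.get(r.txid)
        if q is None or q.qname != r.qname:
            return False  # no outstanding query matches this response
        if self.query_ip_matching and r.source != q.server:
            return False  # QueryIpMatching=1: reject responses from non-queried hosts
        del self.pending[r.txid]
        self.cache[r.qname] = r.answer
        return True


def run_scenario(query_ip_matching: bool):
    """One query, then a forged response from a non-queried host that arrives
    before the genuine one. Returns (forged accepted?, genuine accepted?,
    final cached answer). All addresses are constructed sample data."""
    res = Resolver(query_ip_matching)
    res.send(0x1A2B, "www.example.com", "192.0.2.53")          # queried server
    forged = Response(0x1A2B, "www.example.com", "203.0.113.10", "203.0.113.9")  # from a third party
    genuine = Response(0x1A2B, "www.example.com", "192.0.2.80", "192.0.2.53")    # from the queried server
    accepted_forged = res.receive(forged)
    accepted_genuine = res.receive(genuine)
    return accepted_forged, accepted_genuine, res.cache.get("www.example.com")


def spoofed_source_scenario() -> bool:
    """Limit of the remedy: a forged response whose source address is spoofed
    to be the queried server (and whose transaction ID matches) still passes
    the QueryIpMatching=1 check."""
    res = Resolver(query_ip_matching=True)
    res.send(0x1A2B, "www.example.com", "192.0.2.53")
    spoofed = Response(0x1A2B, "www.example.com", "203.0.113.10", "192.0.2.53")
    return res.receive(spoofed)


if __name__ == "__main__":
    print("QueryIpMatching=0:", run_scenario(False))  # forged answer wins the cache
    print("QueryIpMatching=1:", run_scenario(True))   # forged answer rejected
    print("spoofed source accepted:", spoofed_source_scenario())
```

Because the check compares only the source address of the response, it raises the bar against a third party answering from its own address but does not stop an attacker who forges the queried server's address and guesses the transaction ID; the setting reduces exposure rather than eliminating cache poisoning.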
Consequences:
Data Manipulation
References:
- Microsoft TechNet, Microsoft Windows 2000 TCP/IP Implementation Details at http://www.microsoft.com/TechNet/network/tcpip2k.asp.
- CVE-2000-1218: The default configuration for the domain name resolver for Microsoft Windows 98, NT 4.0, 2000, and XP sets the QueryIpMatching parameter to 0, which causes Windows to accept DNS updates from hosts that it did not query, which allows remote attackers to poison the DNS cache.
- US-CERT VU#458659: Microsoft Windows domain name resolver service accepts responses from non-queried DNS servers by default
Reported:
Apr 14, 2000
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.
For corrections or additions please email xforce@iss.net
