The CERT Coordination Center publishes incident notes to provide
information about incidents to the Internet community.

<h2>Cache Corruption on Microsoft DNS Servers</h2>

Release Date: August 31, 2001<br/>
<a name="affected">
<h3>Systems Affected</h3>
<ul>
<li>Microsoft Windows NT 4.0 and Windows 2000 systems running
Microsoft DNS Server</li>
</ul>
<a name="overview">
<h2>I. Overview</h2>
<p>The CERT/CC has received reports from sites experiencing cache
corruption on systems running Microsoft DNS Server.
The default configuration of this software allows data from malicious or
incorrectly configured servers to be cached in the DNS server.
This corruption can result in erroneous DNS information later being
returned to any clients that use this server.</p>

<h2>II. Description</h2>
<p>In the default configuration, Microsoft DNS Server will accept
bogus glue records from non-delegated servers.</p>

<p>These bogus records are added to the cache when a client attempts to resolve a
particular hostname served by a malicious or incorrectly configured
DNS server.</p>

<p>The client can be coerced into requesting such a hostname by an
otherwise non-malicious piece of HTML email (such as spam) or by a
banner advertisement on a website, to give two examples.</p>

<p>Based on information contained in reports of this activity, there
are sites actively engaged in this deceptive DNS resolution.  These
reports indicate that malicious DNS servers are providing bogus glue
records for the generic top-level domain servers (gtld-servers.net),
potentially resulting in erroneous results (e.g., failed resolution or
redirection) for any DNS request.</p>
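<p>The defence against this class of cache pollution is a "bailiwick" check: a caching server only accepts records whose owner names lie within the zone the responding server was asked about, so glue for unrelated names (such as the gtld-servers.net addresses mentioned above) is never cached. The following is an added example, not code from the CERT/CC note or from Microsoft; it is a simplified, self-contained model of such a check over a constructed response, and it is assumed here that this is the kind of filtering the Microsoft cache-protection setting enables.</p>

```python
"""Bailiwick filtering of DNS response records (added illustration).

This is not the CERT/CC's or Microsoft's code.  It models, in simplified
form, the check a caching resolver applies so that records for names
outside the zone a server is authoritative for are not cached.  All
names, addresses and records below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    """One resource record as it would appear in a response section."""
    name: str      # owner name
    rtype: str     # record type, e.g. "A" or "NS"
    rdata: str     # record data
    section: str   # "answer", "authority" or "additional"


def _labels(name: str) -> list[str]:
    """Split a domain name into lower-cased labels, ignoring a trailing dot."""
    return [label.lower() for label in name.rstrip(".").split(".") if label]


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` equals `zone` or is a subdomain of it.

    Comparison is label-wise so that 'notexample.com' is NOT treated as
    being under 'example.com' the way a naive string-suffix test would.
    """
    n, z = _labels(name), _labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z


def filter_response(records: list[RR], zone: str) -> tuple[list[RR], list[RR]]:
    """Split a response into records safe to cache and records to discard.

    `zone` is the zone the responding server was queried about; any record
    whose owner name is outside that zone is rejected regardless of section.
    """
    accepted, rejected = [], []
    for rr in records:
        (accepted if in_bailiwick(rr.name, zone) else rejected).append(rr)
    return accepted, rejected


# Constructed response from a server that is authoritative for example.com.
# It carries the legitimate answer plus bogus authority/glue records that
# claim to describe the .net TLD servers, the pattern described in the note.
SAMPLE_RESPONSE = [
    RR("www.example.com", "A", "192.0.2.10", "answer"),
    RR("example.com", "NS", "ns1.example.com", "authority"),
    RR("ns1.example.com", "A", "192.0.2.1", "additional"),
    RR("net.", "NS", "a.gtld-servers.net", "authority"),          # out of bailiwick
    RR("a.gtld-servers.net", "A", "198.51.100.99", "additional"),  # bogus glue
]


def rejected_names(records: list[RR], zone: str) -> list[str]:
    """Owner names the cache would refuse; handy for logging or alerting."""
    _, rejected = filter_response(records, zone)
    return [rr.name for rr in rejected]


if __name__ == "__main__":
    ok, bad = filter_response(SAMPLE_RESPONSE, "example.com")
    for rr in ok:
        print("cache  ", rr)
    for rr in bad:
        print("discard", rr)
```

<p>A resolver that applies this check still caches the legitimate answer and the in-zone glue for ns1.example.com, but it drops the forged NS record for net. and the forged address for a.gtld-servers.net, so a later query for any .net name is not redirected. Logging the rejected names is a cheap way to notice a server that is feeding pollution attempts.</p>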

<p>More information about the problem can be found at
<p>
VU#109475 - Microsoft Windows NT and 2000 Domain Name Servers allow non-authoritative RRs to be cached by default<br/>
<a href="http://www.kb.cert.org/vuls/id/109475">http://www.kb.cert.org/vuls/id/109475</a>
<p>
Secure server cache against names pollution<br/>
<a href="http://www.microsoft.com/WINDOWS2000/en/server/help/sag_DNS_pro_SecureCachePollutedNames.htm">http://www.microsoft.com/WINDOWS2000/en/server/help/sag_DNS_pro_SecureCachePollutedNames.htm</a>
<p>
How to Prevent DNS Cache Pollution (Q241352)<br/>
<a href="http://support.microsoft.com/support/kb/articles/Q241/3/52.ASP">http://support.microsoft.com/support/kb/articles/Q241/3/52.ASP</a><br/>
<a href="http://msdn.microsoft.com/library/en-us/regentry/46753.asp">http://msdn.microsoft.com/library/en-us/regentry/46753.asp</a>
<h2>III. Impact</h2>
<p>Clients resolving hostnames against the corrupted cache can be
unknowingly redirected to illegitimate sites.  Additionally,
applications that rely on DNS information for authentication or access
control can potentially be manipulated by erroneous information stored
in the cache.

<h2>IV. Solutions</h2>
<p>Apply the workarounds supplied by Microsoft at
<dl><dd>
<a href="http://support.microsoft.com/support/kb/articles/Q241/3/52.ASP">http://support.microsoft.com/support/kb/articles/Q241/3/52.ASP</a>
</dd></dl>
<p>
<h2>V. References</h2>
<p>Internet Engineering Task Force (IETF) Request for Comments (RFCs):
<dl>
<dd><a href="http://www.ietf.org/rfc/rfc1034">IETF RFC 1034</a>: DOMAIN NAMES - CONCEPTS AND FACILITIES</dd>
<dd><a href="http://www.ietf.org/rfc/rfc1035">IETF RFC 1035</a>: DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION</dd>
<dd><a href="http://www.ietf.org/rfc/rfc1912">IETF RFC 1912</a>: Common DNS Operational and Configuration Errors</dd>
<dd><a href="http://www.ietf.org/rfc/rfc2181">IETF RFC 2181</a>: Clarifications to the DNS Specification</dd>
</dl>
<h2>VI. Reporting</h2>
<p>The CERT/CC is interested in receiving reports of this activity.
If machines under your administrative control are compromised, please
send mail to <a href="mailto:cert@cert.org?Subject=[CERT%2329164]">cert@cert.org</a>
with the following text included in the subject line:
"[CERT#29164]".</p>
<p>
<hr noshade="" width="100%"/>
<b>Author(s)</b>: <a href="mailto:cert@cert.org?subject=IN-2001-11%20Feedback">Chad Dougherty, Roman Danyliw</a>
</p>
<hr noshade="" width="100%"/>
<h2>CERT/CC Contact Information</h2>
<dl>
<b>Email:</b> <a href="mailto:cert@cert.org">cert@cert.org</a><br/>
<b>Phone:</b> +1 412-268-7090 (24-hour hotline)<br/>
<b>Fax:</b> +1 412-268-6989<br/>
<b>Postal address:</b><br/>
<dd>
CERT Coordination Center<br/>
Software Engineering Institute<br/>
Carnegie Mellon University<br/>
Pittsburgh PA 15213-3890<br/>
U.S.A.<br/>
</dd></dl>

CERT personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4)
Monday through Friday; they are on call for emergencies during other
hours, on U.S. holidays, and on weekends.
<p>
<h4>Using encryption</h4>
<p>We strongly urge you to encrypt sensitive information sent by
email.  Our public PGP key is available from<p>
<ul>
<li><a href="http://www.cert.org/CERT_PGP.key">http://www.cert.org/CERT_PGP.key</a></li>
</ul>

If you prefer to use DES, please call the CERT hotline for more
information.<p>
<h4>Getting security information</h4>

CERT publications and other security information are available from
our web site<p>
<ul>
<li><a href="http://www.cert.org/">http://www.cert.org/</a></li>
</ul>

To subscribe to the CERT mailing list for advisories and bulletins, send email to
<a href="mailto:majordomo@cert.org">majordomo@cert.org</a>. Please include in the body of your
message<br/>
<p><tt>subscribe cert-advisory</tt>
<p>

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.<p>
<hr noshade="" width="100%"/>
<b><u>NO WARRANTY</u></b><br/>
<b>Any material furnished by Carnegie Mellon University and the
Software Engineering Institute is furnished on an "as is"
basis. Carnegie Mellon University makes no warranties of any kind,
either expressed or implied as to any matter including, but not
limited to, warranty of fitness for a particular purpose or
merchantability, exclusivity or results obtained from use of the
material. Carnegie Mellon University does not make any warranty of any
kind with respect to freedom from patent, trademark, or copyright
infringement.</b>
<hr/>
<a href="http://www.cert.org/legal_stuff.html">Conditions for use, disclaimers, and sponsorship information</a><p>
<p>Copyright 2001 Carnegie Mellon University.</p>
<p>Revision History
<pre>
August 31, 2001: Initial Release
</pre>
<!--#include virtual="/cert/include/footer.html"--></p></p></p></p></p></p></p></p></p></p></p></p></p></p></p></p></p></p></p></p></p></a></a>