Securing against DNS cache poisoning with AD integrated DNS

Hi,
Me again... :)

The KB article also says you can change this using the GUI.
But what is the protection status if the item is checked in the
GUI, but the registry entry is still not present? Is the server
protected or not?

Cheers,
Geoff.
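An added example for checking the question raised above (not code from any poster or from Microsoft): it reads the registry value the KB article describes and compares it with what the running DNS service reports, so an admin can see whether the GUI setting and the registry agree on one box. It assumes it runs on the DNS server itself with the DnsServer PowerShell module (Windows Server 2012 or later; the Windows 2000 server in this thread would only have the registry and dnscmd), and assumes the registry entry in question is SecureResponses under the DNS service Parameters key, the value the Microsoft cache-pollution article names.

```powershell
# Added example, not from the thread. Assumes the DnsServer module and that
# SecureResponses under the DNS Parameters key is the KB's registry entry.

$ParamKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$ValueName = 'SecureResponses'

function Get-RegistrySecureResponses {
    # Returns $null when the value is absent, which is exactly the state the
    # post asks about (checkbox ticked in the GUI, no registry entry present).
    $item = Get-ItemProperty -Path $ParamKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Get-LiveSecureResponses {
    # What the running DNS service reports for the setting the GUI checkbox
    # ("Secure cache against pollution") controls.
    return [bool](Get-DnsServerCache).EnablePollutionProtection
}

function Test-PollutionProtection {
    param([switch]$Fix)   # -Fix re-applies the setting via dnscmd when the two views disagree

    $reg  = Get-RegistrySecureResponses
    $live = Get-LiveSecureResponses

    $regText = if ($null -eq $reg) { 'absent' } else { "$reg" }
    Write-Host "Registry $ValueName value      : $regText"
    Write-Host "Service reports protection on : $live"

    if (-not $live) {
        Write-Warning 'Cache pollution protection is OFF on this server.'
    }
    elseif ($null -eq $reg) {
        # The service says it is protecting but the registry does not show it;
        # write the value explicitly so both sources agree and the setting is
        # visible to anyone auditing the registry.
        Write-Warning 'Service reports protection on, but the registry value is absent.'
        if ($Fix) {
            # dnscmd /Config /SecureResponses 1 is the command the KB gives for
            # enabling the setting from the command line.
            & dnscmd.exe /Config /SecureResponses 1
        }
    }
    else {
        Write-Host 'Registry and service agree: protection is on.'
    }
}

Test-PollutionProtection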
 
Hi,
Well, fortunately the guys at SANS were able to sort this out for us:
http://isc.sans.org/diary.php?date=2005-04-07
Seems that on Win2000 with SP3 or higher you're safe unless you
are forwarding to an upstream DNS server that is a Windows DNS
server, or a BIND4 or BIND8 server. If the upstream DNS server is
BIND4 or BIND8, use a different server that is BIND9. If it is Windows,
ask to make sure it is protected.

If the upstream DNS is not protected and you forward to it, your
Windows DNS server will swallow the poisoned records, whether it is
protected or not. Yikes!

Cheers,
Geoff.
 
The easy workaround is not to forward. Just set up root hints, and then
you'll only query authoritative servers.

BTW, is this what shot down all the Comcast DNS servers yesterday? I'm
using my own root hints setup on BIND9 so I was unaffected but there was
a lot of traffic on the Comcast forums last night from people barely
able to do anything due to downed DNS servers.

Hmm, is the client cache in 2k/XP Workstation subject to this same
cascade failure? That would cause problems if Workstation talked
directly to an ISP BIND8 system.
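An added example (not code from any poster) that audits the forwarding risk described in this thread and applies the workaround from the last post: it lists the forwarders a Windows DNS server sends queries to, checks that root hints are loaded, and, only when run with -Apply, removes the forwarders so the server resolves from the roots instead. It assumes the DnsServer PowerShell module (Windows Server 2012 or later) and that it runs on the DNS server itself.

```powershell
# Added example, not from the thread. Assumes the DnsServer module.

function Get-ForwardingStatus {
    # Summarise where recursion goes: forwarders (the risk in the thread)
    # versus root hints (the workaround).
    $fw = Get-DnsServerForwarder
    [pscustomobject]@{
        Forwarders  = @($fw.IPAddress | ForEach-Object { $_.IPAddressToString })
        UseRootHint = [bool]$fw.UseRootHint
        RootHints   = @(Get-DnsServerRootHint).Count
    }
}

function Switch-ToRootHints {
    param([switch]$Apply)   # without -Apply the function only reports

    $status = Get-ForwardingStatus

    if ($status.Forwarders.Count -eq 0) {
        Write-Host 'No forwarders configured; this server already queries the roots directly.'
        return
    }

    # A poisoned answer from the upstream is cached here whatever this
    # server's own pollution-protection setting says, so flag every forwarder.
    Write-Warning ('Forwarding to: ' + ($status.Forwarders -join ', ') +
        ' (answers from that upstream are accepted as-is).')

    if ($status.RootHints -eq 0) {
        # Removing forwarders with no root hints would break resolution entirely.
        Write-Warning 'No root hints loaded; populate root hints before removing forwarders.'
        return
    }

    if (-not $Apply) {
        Write-Host "Root hints present ($($status.RootHints) entries). Re-run with -Apply to remove the forwarders."
        return
    }

    foreach ($ip in $status.Forwarders) {
        Remove-DnsServerForwarder -IPAddress $ip -Force
    }
    # Tell the server to fall back to root hints rather than to nothing.
    Set-DnsServerForwarder -UseRootHint $true
    Write-Host 'Forwarders removed; recursion now starts from root hints.'
}

Switch-ToRootHints
```

Run it once without -Apply to see the current state; only rerun with -Apply after confirming that the server is allowed to reach the root servers directly through any firewall in front of it.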
 