This post explains how to disable recursion entirely, but not explicitly for DNAME records. The relevant information from the post is pasted below. If you want to disable recursion on the server, us the '1' value.
dnscmd <ServerName> /Config /NoRecursion {1|0}
I was originally fearful that Windows Server 2003 would be vulnerable with no patch available, but it does not appear that 2003 supports DNAME records. In fact, this KB corrects errors with DNAME processing without really adding support. I haven't looked at the code for dns.exe, but I think we're safe there.So back to the vulnerable servers. Where do the code changes lie? Well, running the application through bindiff, we see very few changed functions.
The changed functions certainly seem to imply that DNAME records are to blame.
 |
| Answer_PerformDNAMESubstitution function changes |
 |
| processCacheUpdateQueryResponse changes |
 |
| processRootNsQueryResponse |
 |
| Gnz_ProcessCacheUpdateQueryResponse |
I know there are a lot of people working feverishly to get a consistent exploit trigger in DNS.exe. This of course is the first step in getting a working exploit. I know that Greg Linares has a crash in dns.exe as well, though I don't know that it is reliable or the conditions around it.
I usually have some recommendations in my posts, so I'll try to part with a few here. If you aren't using recursion on your DNS servers, turn it off. Of course, patch. For future architecture decisions, I think this shows why we should not put DNS and AD on the same server. A bug in DNS can lead to complete compromise of your DC. As for detection, I need to look in some of my network logs to understand how common DNAME record responses are. I don't think they are common, and if so, they may offer a detection method. I would also suggest limiting outbound communications from your DNS/AD/*any* server - that way even if you are exploited you make the bad guy's job that much harder.
This comment has been removed by a blog administrator.
ReplyDelete