I never posted a follow-up to this to NTBugTraq because I believed it had been
rejected from the list.
I have resolved my issue and I can now state the following unequivocally:
* Windows 2000 SP3 and SP4 have the "secure cache from pollution"
option enabled by default (see MS KB 316786), but are still
vulnerable to poisoning in the scenario described below.
* Users who have their Windows DNS servers configured to forward
are vulnerable to poisoning because MS DNS servers ignore the
"secure cache from pollution" setting when they forward.
* BIND 4 and BIND 8 are immune to poisoning, but neglect to
"scrub" poisoned results from responses they send to servers
that forward to them.
In other words, if your Windows server forwards to a BIND 8 server, you might
get poisoned records from the BIND 8 server, and Windows DNS will trust those
results, regardless of whether you've implemented the registry setting
recommended in MS KB 241352, or are running Win2k SP3+ or Windows 2003 (any
version).
My problem was caused by this exact scenario. My DNS servers were configured
to forward to my ISP's DNS servers. My ISP (AT&T) uses BIND 8. When I
contacted them about this, they were unsympathetic and would only recommend
that I cease forwarding to them. I have ceased forwarding to AT&T, and as far
as I can tell, I'm now immune to the problem.
For more info, see Kyle Haugsness's excellent writeup at the Internet Storm
Center.
http://isc.sans.org/diary.php?date=2005-04-07
Also, see Kyle's initial report describing the problem (before the root cause
was discovered):
http://isc.sans.org/presentations/dnspoisoning.php
Many thanks to the ISC team for thoroughly investigating this issue and
delivering a resolution when the rest of the computer security community
ignored it.
-----Original Message-----
From: Paul A. Wylie
Sent: Friday, April 01, 2005 10:33 AM
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: DNS cache poisoning attack
Yesterday, I discovered that my clients were being redirected from some of
their normally-visited sites to a malware server that purports to be in Laos
(in the domain web-search.la). My DNS servers are running on Win2k Server with
full patches (according to HFNETCHK). At the time, they were not configured as
recommended in MS KB article 241352. I reconfigured the servers, restarted the
DNS services and did not see any further DNS poisoning yesterday, so I assumed
I had bitten by a problem of my own making.
Today, however, I've discovered that the DNS cache poisoning continues, and a
quick search for the domain web-search.la through Google reveals that the
Internet Storm Center at SANS has been tracking this problem and recommends
blocking all traffic to 216.127.88.131 and 218.38.13.108.
You can read more at:
http://isc.sans.org/diary.php?date=2005-03-30
http://isc.sans.org/diary.php?date=2005-03-31
Paul Wylie
Network Systems Manager
The Hunt Corporation
--
NTBugtraq Editor's Note:
Most viruses these days use spoofed email addresses. As such, using an
Anti-Virus product which automatically notifies the perceived sender of a
message it believes is infected may well cause more harm than good. Someone who
did not actually send you a virus may receive the notification and scramble
their support staff to find an infection which never existed in the first
place. Suggest such notifications be disabled by whomever is responsible for
your AV, or at least that the idea is considered.
--
--
NTBugtraq Editor's Note:
Most viruses these days use spoofed email addresses. As such, using an
Anti-Virus product which automatically notifies the perceived sender of a
message it believes is infected may well cause more harm than good. Someone who
did not actually send you a virus may receive the notification and scramble
their support staff to find an infection which never existed in the first
place. Suggest such notifications be disabled by whomever is responsible for
your AV, or at least that the idea is considered.
--
