Home page logo

bugtraq logo Bugtraq mailing list archives

RE: Windows DNS Cache Poisoning by Forwarder DNS Spoofing
From: "Roger A. Grimes" <roger () banneretcs com>
Date: Tue, 17 Apr 2007 07:29:59 -0400

One question.  Is BIND any better at preventing this type of attack? 


*Roger A. Grimes, InfoWorld, Security Columnist 
*CPA, CISSP, MCSE: Security (2000/2003/MVP), CEH, yada...yada...
*email: roger_grimes () infoworld com or roger () banneretcs com
*Author of Professional Windows Desktop and Server Hardening (Wrox)

-----Original Message-----
From: Makoto Shiotsuki [mailto:shio () st rim or jp] 
Sent: Monday, April 16, 2007 2:04 AM
To: bugtraq () securityfocus com
Subject: Windows DNS Cache Poisoning by Forwarder DNS Spoofing

         Windows DNS Cache Poisoning by Forwarder DNS Spoofing 


                  Makoto Shiotsuki <shio () st rim or jp>


About two years ago, SANS Handler's Diary reported that Windows DNS
server is vulnerable to the cache poisoning attack despite "Secure cache
against pollution" setting if it is configured to forward requests to
the forwarder DNS server [1][2].

According to the Handler's Diary, this poisoning attack against Windows
DNS would be successful in the case when the forwarder DNS server itself
is vulnerable to the poisoning attack or the forwarder DNS server does
not filter out the bogus records in the poisoning attack. So, it is
believed that using Bind9 as forwarder is safe to protect Windows DNS
server from cache poisoning attack through forwarder.

But there seems to be other possible scenario, and in this case, the
possibility of successful attack does not depend on the type or version
of the forwarder DNS server. Therefore, the risk of the Windows DNS
cache poisoning attack is higher than generally perceived.

As far as I tried, DNS service of the Windows Server 2003 SP2 still has
this vulnerability.


As described above, Windows DNS is vulnerable to the cache poisoning
attack through the forwarder DNS server. This seems because Windows DNS
blindly trusts replies from forwarder DNS and caches every resource
records regardless of their domain.

Windows DNS also has characteristic that it is vulnerable to the DNS
spoofing attack using "birthday attack" [3]. By sending multiple
simultaneous queries and forged replies to the Windows DNS server,
attacker can inject a spoofed reply relatively easily if its arrival is
earlier than the reply from the legitimate DNS server.

Both of these are known vulnerabilities (or characteristics? ;) on
Windows DNS, and each of them individually is not high risk because they
require some preconditions to be successfully exploited. However, by
executing the cache poisoning attack in conjunction with DNS spoofing,
it will be more effective attack and the risk will be higher than

Following is the scenario.

  +-----------+           (1)Query           +-----------+
  |           |  ------------------------->  |           |
  |           |  ------------------------->  |           |
  | Attacker  |  ------------------------->  |  Windows  |
  |           |                              |    DNS    |
  |           |  ------------------------->  |           |
  |           |  ------------------------->  | (Victim)  |(6)Poisoned!!
  |           |  ------------------------->  |           |
  +-----------+     (5)Answer(poisoning)     +-----------+
                                                  ||| (2)Query 
  +-----------+           (3)Query           +-----------+
  |           |  <-------------------------  |           |
  |           |  <-------------------------  |           |
  | Attacker  |  <-------------------------  | Forwarder |
  |    DNS    |                              |    DNS    |
  |           |                              |           |
  |           |  (4) no reply                |           |
  |           |                              |           |
  +-----------+                              +-----------+

  1) Attacker sends multiple simultaneous recursive queries (e.g. 500
     queries) to the Windows DNS server, resolving the name in
     attacker's domain.
  2) Windows DNS forwards those queries to the Forwarder DNS server.
  3) Forwarder DNS sends queries to the Attacker DNS server to resolve
     the name.
  4) Attacker DNS does not reply at all and Forwarder DNS waits for
  5) Attacker sends multiple simultaneous replies (e.g. 500 replies)
     spoofing Forwarder DNS ip address with random query id. Each reply
     includes forged resource records to poison the Windows DNS cache.
  6) Windows DNS accepts certain spoofed reply if its query id matches
     one of the queries from the Windows DNS and finally Windows DNS
     cache is poisoned.

To accomplish this attack, the attacker must know the udp port number of
the Windows DNS server. The attacker can know it simply by sending a
query packet to the Windows DNS server resolving some names in
attacker's domain, because, by default, Windows DNS issues recursive
query by itself if the forwarder does not respond. (This behavior can be
changed using the DNS property window by setting "Do not use recursion
for this domain" check box ON.)

Windows DNS uses same source port number unless the service restarts.
Thus the attacker can use this port number for the attacking reply
packets as udp destination port.

Affected products

Windows Server 2003 (up to and including SP2) Windows 2000 Server (up to
and including SP4)

Vendor status

According to Microsoft response I've got through IPA/ISEC, this kind of
poisoning attack is caused by design of the Windows DNS service, and
they are considering the design change at service pack level.


Stop using forwarder.

Mitigating factors

Reject recursive queries to the Windows DNS server from outside of the
site. This will help to prevent direct attacks from the Internet.


[1] http://isc.sans.org/presentations/dnspoisoning.html
[2] http://isc.sans.org/diary.php?date=2005-04-07
[3] http://www.lurhq.com/cachepoisoning.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]