In the wake of stepped up DNS cache poisoning attacks, the SANS Internet Storm Center (ISC) stepped up its INFOCon status to “yellow” and Microsoft has posted updated information for Windows DNS users.
Last week, the ISC warned ISPs and DNS server maintainers that ongoing DNS cache poisoning attempts (referred to as “pharming” attacks (define)) had elevated the overall level of risk for Internet users.
Pharming attacks are particularly problematic because they don’t involve the traditional trickery of a phishing attack (define), with its obfuscated URLs and misdirection.
According to the update issued by SANS today, Microsoft has contacted it and offered clarified information meant to help Windows admins secure their DNS servers.
According to Microsoft, a DNS server operating on Windows 2000 SP3 and above is already configured to protect against DNS cache poisoning. Versions of Windows 2000 prior to SP3 and Windows NT4 must have specific registry keys set to ward off the attack. The company also posted an update to the pages it publishes regarding the prevention of DNS cache pollution.
Microsoft says that reported problems with its DNS servers providing poisoned cache data are due to assumptions the software makes about information it’s forwarding from other DNS servers. Specifically, Microsoft’s DNS software assumes data it’s forwarding from a parent server has been scrubbed of illicit information and performs no further filtering. In the case of the popular BIND DNS server, that’s only true in some cases. According to the ISC update:
“If you have Windows DNS servers forwarding to BIND4 or BIND8, you should start investigating an upgrade of those BIND servers to BIND9. If upgrading to BIND9 would not be a possibility, a secondary recommendation would be to turn off the forwarding on Windows DNS and allow the server to contact the Internet directly so that it can apply the proper protection against cache poisoning.”
The ISC reports that it’s working with developers for both BIND and DJBDNS, another popular DNS server, to further isolate the problem.
Update: Since this report was filed, the SANS ISC has updated its INFOCon status to “green” to reflect that even though DNS cache poisoning remains a problem, “we now understand the issues and have clear things people should do to protect themselves.”