Guest msb-2007@nospam.nospam
Posted August 1, 2007

Two clarifying questions regarding The DNS Client Buffer Overrun Vulnerability (CVE-2006-3441) referenced in MS06-041

1) is the DNS server (ie: on Win2000, Win2K) vulnerable in any way if a client attempts to query an "evil" dns record from an "evil" dns server, or is this just a dns client resolver issue?

2) if the client passes its DNS query request to a "good" upstream DNS server (Windows or otherwise), will that server "pass thru" any potential attack payload, or can the vulnerability only occur if the client is directly resolving to an "evil" dns server?

thanks!
-Matt

Guest Roger Abell [MVP]
Posted August 2, 2007

"msb-2007@nospam.nospam" <msb2007nospamnospam@discussions.microsoft.com> wrote in message news:D407C9EB-DF30-4269-8773-8BE915935341@microsoft.com...

> Two clarifying questions regarding The DNS Client Buffer Overrun
> Vulnerability (CVE-2006-3441) referenced in MS06-041
> 1) is the DNS server (ie: on Win2000, Win2K) vulnerable in any way if a
> client attempts to query an "evil" dns record from an "evil" dns server,
> or is this just a dns client resolver issue?

This was a flaw in the DNS client service. If a DNS server is configured to accept recursive query requests, so it would contact the upstream DNS servers, i.e. your "evil" one, the DNS server service does this (that is, it does not use the DNS client service to do this).

> 2) if the client passes its DNS query request to a "good" upstream DNS
> server (Windows or otherwise), will that server "pass thru" any potential
> attack payload, or can the vulnerability only occur if the client is
> directly resolving to an "evil" dns server?

I believe your question is answered in the bulletin. See FAQ section of http://www.microsoft.com/technet/security/bulletin/ms06-041.mspx

<quote>
Would disabling the DNS client service or configuring the client to use a specific DNS server mitigate the vulnerability?
No. The vulnerability cannot be mitigated by disabling the DNS client service or configuring the use of a specific trusted DNS server.
</quote>

Note that a DNS Server can be configured to provide either recursive or iterative query resolution services, and that when the dnscache client service is disabled Windows falls back to use of the older DNS client. If a DNS Server knows the answer it replies, else it works the query. If a DNS Server is not accepting recursive queries it returns to the client not an answer to the query but a referral telling the client what DNS server it should contact (i.e. tells your client to go talk to the evil DNS server) but if it does accept recursive query requests then when it finally receives the answer from another DNS server that answer is passed back to the client.
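
Added example, not part of the thread: the reply above distinguishes a server that returns a referral from one that recurses and passes the final answer back to the client. This Python sketch classifies a raw DNS response into those two cases from its header and authority section; the helper names and the sample messages are constructed for illustration, and it also separates a referral (NS records, AA clear) from an empty authoritative reply.

```python
import struct

TYPE_A, TYPE_NS, TYPE_SOA = 1, 2, 6

def encode_name(name):
    """Encode a domain name as length-prefixed DNS labels (uncompressed)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def rr(name, rtype, rdata, ttl=300):
    """Build one resource record of class IN."""
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

def message(flags, qname, answers=(), authority=()):
    """Build a constructed DNS message with a single type A question."""
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answers), len(authority), 0)
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, 1)
    return header + question + b"".join(answers) + b"".join(authority)

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:      # a compression pointer ends the name
            return off + 2
        if length == 0:                # root label ends the name
            return off + 1
        off += 1 + length

def classify(msg):
    """Return 'answer', 'referral' or 'other' for a raw DNS message."""
    _id, flags, qd, an, ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000 or flags & 0x000F:   # not a response, or RCODE != 0
        return "other"
    if an > 0:                                 # server supplied the answer itself
        return "answer"
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    for _ in range(ns):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == TYPE_NS and not flags & 0x0400:   # NS in authority, AA clear
            return "referral"
        off += 10 + rdlen
    return "other"

# Constructed samples: iterative referral (QR only) and recursive answer (QR+RD+RA).
REFERRAL = message(0x8000, "www.example.test", authority=[rr("example.test", TYPE_NS, encode_name("ns1.example.test"))])
RECURSIVE_ANSWER = message(0x8180, "www.example.test", answers=[rr("www.example.test", TYPE_A, bytes([192, 0, 2, 10]))])
```
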