DNS Devolution update 971888

I have been tracking this for a while and I think it is important enough to bring to your attention: the update went live on June 9th and, once applied, may have an impact on your environment.

The original issue was brought to our attention and publicised by us in Microsoft Security Advisory 945713, https://www.microsoft.com/technet/security/advisory/945713.mspx?info=EXLINK , which highlighted the following risk.

Potential Risk

A malicious user could host a system with a single-label name outside an organization's boundary and, because of DNS devolution, may successfully get a Windows DNS client to connect to it as though it were internal to the organizational boundary.

Microsoft Security Advisory 971888 now provides an update for this. If applied, it changes the way clients resolve single-label and non-fully-qualified names via devolution. This affects the following clients:

Windows 2000, Windows XP, Windows 2003, Windows Vista, Windows 2008.

NOTE: In Windows 7 RTM and Windows 2008 R2 this new behaviour is enabled by default.

You can download it via this KB article: https://support.microsoft.com/kb/957579

So what is DNS devolution?

Devolution allows clients in child namespaces within an Active Directory environment to access resources in the parent namespace without providing the fully qualified domain name of the resource, e.g. client.a.b.com.

With devolution enabled, the resolver creates new FQDNs by appending to the single-label, unqualified name the parent of the primary DNS suffix, then the parent of that suffix, and so on, until it reaches the second-level domain name.

For example,

If an application specifies the name mailserver13 and the primary DNS suffix is middle.toytown.com, the resolver will try the following FQDNs, in order:

  • mailserver13.middle.toytown.com
  • mailserver13.toytown.com

The devolution process walks up the suffix as far as, and including, the second-level domain; it does not go on to the top-level domain.

In the example the Active Directory forest root domain is toytown.com: "toytown" is the second-level label, so toytown.com is the defined boundary at which devolution stops.
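To make the walk up the suffix concrete, here is an added example (my own model, not code from the original post or from Microsoft) that generates the candidate FQDNs a client would try for a single-label name, before the update (devolve to the second-level domain) and after it (devolve only as far as the forest root domain, and not at all when the primary DNS suffix is not inside the forest root domain, as KB 957579 describes; the post-update rule here is a simplified model of that behaviour). It also lists which candidates fall outside the forest boundary, which is exactly the risk in the advisory, and which names a post-update client will stop trying. The toytown.com example is the post's; the branch.corp.toytown.co.uk / corp.toytown.co.uk names are constructed for illustration and not real domains.

```python
# Added example (editor's model, not code from the original post or from
# Microsoft): simulate how the Windows DNS client devolves a single-label
# name before and after the devolution update, and show which candidate
# FQDNs fall outside the organisation's boundary. All domain names other
# than toytown.com are constructed for illustration.


def _labels(domain):
    """Split a DNS name into labels, ignoring a trailing dot."""
    return domain.rstrip(".").lower().split(".")


def devolution_candidates(name, primary_suffix, level):
    """FQDNs the resolver tries, in order, for a single-label 'name'.

    The primary DNS suffix is appended first, then its parent, then the
    parent of that, and so on, stopping once the suffix would have fewer
    than 'level' labels. Pre-update clients use level 2 (the second-level
    domain); post-update clients use the label count of the forest root
    domain.
    """
    labels = _labels(primary_suffix)
    candidates = []
    while len(labels) >= level:
        candidates.append(name + "." + ".".join(labels))
        labels = labels[1:]
    return candidates


def pre_update_candidates(name, primary_suffix):
    """Behaviour before the update: devolve down to the second-level domain."""
    return devolution_candidates(name, primary_suffix, 2)


def post_update_candidates(name, primary_suffix, forest_root_domain):
    """Behaviour after the update (simplified model of KB 957579): devolve
    only as far as the forest root domain (FRD). If the primary suffix is
    not the FRD or a child of it, only the primary suffix is appended and
    no devolution takes place."""
    frd = _labels(forest_root_domain)
    suffix = _labels(primary_suffix)
    if suffix[-len(frd):] != frd:
        return [name + "." + ".".join(suffix)]
    return devolution_candidates(name, primary_suffix, len(frd))


def outside_boundary(candidates, boundary):
    """Candidate FQDNs not under 'boundary': names an outside party could
    register and have a devolving client connect to (the advisory's risk)."""
    b = _labels(boundary)
    return [c for c in candidates if _labels(c)[-len(b):] != b]


def names_lost_after_update(name, primary_suffix, forest_root_domain):
    """Candidates a pre-update client tried that a post-update client will
    not: the queries that 'used to work' and stop working after the fix."""
    after = set(post_update_candidates(name, primary_suffix, forest_root_domain))
    return [c for c in pre_update_candidates(name, primary_suffix) if c not in after]


if __name__ == "__main__":
    # The post's example: a two-label forest root, so nothing escapes.
    print(pre_update_candidates("mailserver13", "middle.toytown.com."))
    # Constructed case: a forest root with more than two labels. Devolving
    # to the second-level domain walks past the forest boundary.
    suffix, frd = "branch.corp.toytown.co.uk", "corp.toytown.co.uk"
    pre = pre_update_candidates("mailserver13", suffix)
    print("pre-update:", pre)
    print("outside boundary:", outside_boundary(pre, frd))
    print("post-update:", post_update_candidates("mailserver13", suffix, frd))
    print("lost after update:", names_lost_after_update("mailserver13", suffix, frd))
```

Run it and the constructed case shows the point of the update: a pre-update client with primary suffix branch.corp.toytown.co.uk tries mailserver13.toytown.co.uk and finally mailserver13.co.uk, the last of which anyone can register; the post-update client stops at mailserver13.corp.toytown.co.uk. The model deliberately ignores a global suffix search list, which, as noted below, disables devolution altogether.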

However, depending on how your environment is configured, your estate may already be exempt from DNS devolution. In the following situations devolution is not enabled in Active Directory domains:

· A global suffix search list is configured via Group Policy.

· The "Append parent suffixes of the primary DNS suffix" check box is not selected on the DNS tab in the Advanced TCP/IP Settings dialog box of the Internet Protocol (TCP/IP) component.

So you may be asking, how does this affect me?

· DNS queries for single-label and non-fully-qualified names that previously resolved only because devolution went beyond the organisation's boundary will no longer resolve once the fix is installed or the client is upgraded to Windows 7.

· Name resolution may therefore differ between OS versions: a name that resolves on an older, un-updated OS may fail on a later or updated one.

This is explained in great depth in the following KB Article https://support.microsoft.com/kb/957579