Is Your DNS Secure? Have you checked it lately?

The DNS issue in the article below affects Windows Server 2003 (standard, enterprise and datacenter editions), Windows 2000 Server (also the advanced and datacenter versions) and Windows NT Server 4.0 standard edition, Microsoft said in its advisory. Servers with Service Pack 3 installed, or that run software sold after the update was released, are already protected from DNS cache pollution by default. Otherwise, the needed settings must be turned on using the products' DNS Management Console.

DNS cache poisoning occurs when an attacker hacks into a domain name server, then "poisons" the cache by planting counterfeit data in the cache of the name server. When a user requests, say,, and the IP address is resolved by the hacked domain server, the bogus data is fed back to the browser. Another tactic, dubbed "DNS hijacking," is similar, but simply changes the domain server so that traffic is actually re-routed. Full article <>

The DNS cache poisoning that first struck more than a month ago and led to users being redirected from popular Web sites to malicious sites that infected their machines with spyware is continuing, said the Internet Storm Center (ISC) Wednesday. The attacks are taking advantage of vulnerabilities and design flaws in Microsoft server software.

To highlight the danger, the ISC raised its Homeland Security-esque alert color code from Green to Yellow.

To set the DNS cache poisoning threat in perspective, Yellow is the same alert color code that ISC used during the SQL Slammer, MSBlast, and Sasser worm outbreaks, three of the nastiest in the last two years.

The newest attack, said Kyle Haugsness, one of the ISC analysts, is actually the third since March 4. Like the initial attack, the motivation is certainly money, since the result is again the installation of mass quantities of spyware on victims' PCs.

Initially, Haugsness and the other ISC analysts thought that a DNS cache poisoning attack was beyond the skills of most spammers -- and so might be proof that the original attackers were contracting their services, but now he said "they might be completely unrelated. In fact, one of the things we discovered after looking into these attacks is just how easy they are to carry off."

Among the domains included in one of the poisoned DNS servers during the first attack were major sites such as,,, and

Although there's essentially nothing an end-user can do to protect him- or herself -- other than to regularly sweep the system for spyware and/or have real-time anti-spyware defenses up and running -- DNS server administrators, particularly those in enterprises, should scramble.

Windows-based DNS servers are particularly vulnerable, since Windows NT Server 4.0 and Windows 2000 Server prior to SP3 are insecure against DNS cache poisoning attacks. Windows 2000 Server SP3 and later, as well as Windows Server 2003, are configured securely by default. (For more information, see this Microsoft Knowledgebase article.)

Other users that are vulnerable are those running various Symantec gateway security products who haven't patched bugs the Cupertino, Calif.-based vendor released in mid-March. Full article <>
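Both articles above come down to one check for Windows DNS administrators: is "Secure cache against pollution" actually on? The console checkbox is backed by the SecureResponses value under the DNS service's Parameters key, and the same setting is exposed by dnscmd and, on newer servers, by the DnsServer module. The script below is an added example, not code from either article or from Microsoft; it assumes it is run locally on the DNS server with administrative rights, and it only calls dnscmd.exe or the DnsServer cmdlets when they exist on that host.

```powershell
# Added example, not part of the original post: audit and, only when asked,
# enable "Secure cache against pollution" on a Windows DNS server.
# Assumptions: run on the DNS server itself as an administrator; the
# SecureResponses value under the DNS\Parameters key is the registry setting
# behind the console checkbox; dnscmd.exe and the DnsServer module are used
# only if present (the module exists on Windows Server 2012 and later).

$DnsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'

function Get-DnsPollutionProtection {
    # Returns 'Enabled', 'Disabled' or 'NotSet'. 'NotSet' means the platform
    # default applies: protected on Windows 2000 SP3+ and Server 2003,
    # unprotected on NT 4.0 and pre-SP3 Windows 2000, as the articles describe.
    if (Get-Command Get-DnsServerCache -ErrorAction SilentlyContinue) {
        if ((Get-DnsServerCache).EnablePollutionProtection) { return 'Enabled' }
        return 'Disabled'
    }
    $item = Get-ItemProperty -Path $DnsParams -Name SecureResponses -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotSet' }
    if ($item.SecureResponses -eq 1) { return 'Enabled' }
    return 'Disabled'
}

function Enable-DnsPollutionProtection {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess('DNS server', 'Enable secure cache against pollution')) {
        if (Get-Command Set-DnsServerCache -ErrorAction SilentlyContinue) {
            Set-DnsServerCache -PollutionProtection $true
        }
        elseif (Get-Command dnscmd.exe -ErrorAction SilentlyContinue) {
            # dnscmd applies the change to the running service immediately.
            & dnscmd.exe /Config /SecureResponses 1 | Out-Null
        }
        else {
            # Registry fallback: the DNS service reads this value at start-up,
            # so the service is restarted for the change to take effect.
            Set-ItemProperty -Path $DnsParams -Name SecureResponses -Value 1 -Type DWord
            Restart-Service -Name DNS
        }
    }
}

# Audit run: report the current state; remediate only when '-Fix' is passed.
$state = Get-DnsPollutionProtection
Write-Host "Secure cache against pollution: $state"
if ($state -ne 'Enabled' -and $args -contains '-Fix') {
    Enable-DnsPollutionProtection
    Write-Host "After remediation: $(Get-DnsPollutionProtection)"
}
```

Run it without arguments on each DNS server to get an inventory of which ones rely on the version default, which have it explicitly off, and which are already protected; rerun with `-Fix` (or `-WhatIf` first) to set the value explicitly rather than trusting the service-pack default.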

See also Developing a DNS Security Policy; Windows Server 2003 Deployment Kit
If your DNS data is compromised, attackers can gain information about your network that can be used to compromise other services. For example, attackers can harm your organization in the following ways:

DNS Server Top Support Articles - Microsoft Service Providers
A well-developed DNS server and Active Directory infrastructure is vital to your network. These articles help you plan, deploy, and troubleshoot DNS and Active Directory implementations.

Jeff's blog post here for important context and advice - do you know the health of the entire chain?

More KBs here and here, and search results page here. Webcasts:

TechNet Webcast: Windows Server 2003 Administration Series (Part 8 of 12): Domain Name System (DNS) (Level 200)

TechNet Webcast: Security Risk Management (Level 200)

