DNS Cache Poisoning Attacks Microsoft Servers

by CXOtoday Staff    Apr 07, 2005

The DNS cache poisoning that surfaced more than a month ago, which redirected users from popular websites to malicious sites that infected their machines with spyware, is continuing, according to the Internet Storm Center (ISC), which posted an alert on its website.

DNS cache pollution can occur if Domain Name System (DNS) “spoofing” has been encountered. The term “spoofing” describes the sending of non-secure data in response to a DNS query. It can be used to redirect queries to a rogue DNS server and can be malicious in nature.

Apparently, the attacks are taking advantage of vulnerabilities and design flaws in Microsoft server software. Microsoft has posted an update on this.

According to Microsoft, if a DNS server has been configured to forward resolution requests to another server, establishing a child-parent relationship, the child DNS server could still be vulnerable to DNS cache pollution attacks performed against a parent DNS server if that server is not performing DNS cache pollution protection.

By default, Microsoft DNS servers using Windows 2000 Service Pack 3 or later and acting as a parent in a child-parent relationship will fully perform cache pollution protection. Therefore, according to Microsoft, all DNS servers in an organization have DNS cache pollution protection enabled.

Windows-based DNS servers are particularly vulnerable, since Windows NT Server 4.0 and Windows 2000 Server prior to SP3 are insecure against DNS cache poisoning attacks. Windows 2000 Server SP3 and later, as well as Windows Server 2003, are configured securely by default.
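
The kind of filtering that cache pollution protection performs can be sketched as follows. This is an added example, not code from the article or from Microsoft; it assumes a simplified model in which a resolver caches only records whose owner names lie inside the domain tree it queried, and every name and address in it is constructed.

```python
# Added illustration (not Microsoft's code): a simplified model of the
# filtering that DNS cache pollution protection performs.

def labels(name):
    """Split a DNS name into lower-case labels, ignoring a trailing dot."""
    return [part for part in name.lower().rstrip(".").split(".") if part]


def in_tree(owner, zone):
    """True if owner is the zone itself or a subdomain of it.

    Comparison is per label, so "badexample.com" is not inside "example.com"
    even though the strings share a suffix.
    """
    o, z = labels(owner), labels(zone)
    return len(o) >= len(z) and o[len(o) - len(z):] == z


def filter_response(zone, records):
    """Separate records that may be cached from those to discard.

    zone    -- domain tree the query was sent about (assumed known to the
               resolver, e.g. the zone the queried server answers for)
    records -- iterable of (owner_name, rr_type, rdata) tuples
    """
    cacheable, discarded = [], []
    for record in records:
        (cacheable if in_tree(record[0], zone) else discarded).append(record)
    return cacheable, discarded


# Constructed response to a query for www.example.com (documentation
# address ranges; none of these records come from a real capture).
SAMPLE_RESPONSE = [
    ("www.example.com.", "A", "192.0.2.10"),
    ("example.com.", "NS", "ns1.example.com."),
    ("ns1.example.com.", "A", "192.0.2.53"),
    ("www.example.net.", "A", "203.0.113.66"),    # unrelated name
    ("badexample.com.", "A", "203.0.113.67"),     # suffix look-alike
]

if __name__ == "__main__":
    keep, drop = filter_response("example.com", SAMPLE_RESPONSE)
    for r in keep:
        print("cache  ", r)
    for r in drop:
        print("discard", r)
```

A child server that forwards to a parent receives whatever the parent has already cached, which is why the filtering has to happen on the parent as well.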
