Recipe 13.17. Preventing Cache Pollution on DNS Servers

Problem

You want to prevent the DNS cache on a name server from becoming polluted with false information.

Solution

Using a graphical user interface

  1. Open the DNS snap-in and connect to the name server you want to manage.

  2. Right-click on the name server node and select Properties.

  3. Select the Advanced tab.

  4. Select the checkbox labeled Secure against cache pollution.

  5. Click OK.

Using a command-line interface

The following command adds the value SecureResponses to the HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters registry key and assigns it a value of 1:

> reg add HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters /v SecureResponses /t REG_DWORD /d 1

Using VBScript

You can provide the same function with the following code:

' Write SecureResponses = 1 (REG_DWORD) under the DNS server's Parameters key
set objWSHShell = CreateObject("WScript.Shell")
strRegKey = "HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters"
objWSHShell.RegWrite strRegKey & "\SecureResponses", 1, "REG_DWORD"

One additional method of doing something similar with VBScript is to clear the DNS cache of resource records. The following code utilizes WMI to clear the DNS cache on the current computer:

' Connect to the DNS WMI provider on the local computer ("." = this machine)
strComputer = "."
set objWMI = GetObject("winmgmts:\\" & strComputer & "\root\MicrosoftDNS")
' Enumerate the server cache object(s) and clear each one
set colItems = objWMI.ExecQuery("Select * From MicrosoftDNS_Cache")
for each objItem in colItems
    objItem.ClearCache()
next
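The same task in PowerShell, as an added example that is not part of the cookbook: it reads the current SecureResponses value, sets it to 1 only if needed, reads it back to confirm the write, and then clears the server cache through the same MicrosoftDNS_Cache WMI class the VBScript above uses. The function names, the $keyPath variable and the final service restart (assumed here so the DNS Server service re-reads the parameter) are this example's own choices; run it in an elevated session on the name server.

```powershell
# Added example (not from the cookbook): enforce SecureResponses = 1,
# verify it, and clear the DNS server cache. Requires an elevated session.

$keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$valueName = 'SecureResponses'

function Get-SecureResponses {
    # Returns the current DWORD value, or $null if the value does not exist
    # (an absent value means the server falls back to its built-in default)
    $item = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$valueName
}

function Set-SecureResponses {
    param([int]$Desired = 1)
    $current = Get-SecureResponses
    if ($current -eq $Desired) {
        Write-Output "$valueName is already $Desired; nothing to do."
        return
    }
    # -Force creates the value if missing or overwrites it if present
    New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord `
        -Value $Desired -Force | Out-Null
    # Read back rather than trusting the write
    $after = Get-SecureResponses
    if ($after -ne $Desired) {
        throw "Failed to set $valueName (read back '$after')"
    }
    Write-Output "$valueName changed from '$current' to $after."
}

function Clear-DnsServerCacheViaWmi {
    param([string]$ComputerName = '.')
    # Same class and method as the cookbook's VBScript, driven from PowerShell
    $cache = Get-WmiObject -ComputerName $ComputerName `
        -Namespace 'root\MicrosoftDNS' -Class 'MicrosoftDNS_Cache'
    foreach ($c in $cache) { [void]$c.ClearCache() }
}

Set-SecureResponses -Desired 1
Clear-DnsServerCacheViaWmi

# Assumption in this example: restart the DNS Server service so the
# registry parameter is picked up (the cache is emptied again by the restart)
Restart-Service -Name DNS
```

Reading the value back after the write is the part worth keeping: a hardening script that only writes and never verifies reports success even when the key was protected or the write silently failed.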

Discussion

The DNS Server cache temporarily stores the results of DNS queries from clients so that, if the same query is received within a short time interval, the server can respond with the cached information instead of performing a lookup. This results in increased performance and reduced processor load. If attackers can inject false information into the DNS cache or modify existing information within the cache, they can redirect DNS queries from legitimate clients to a rogue name server impersonating a legitimate server.

Enabling the cache pollution prevention setting affects how a name server processes the results of a recursive query issued against another name server. For example, if the local server queries the remote server for a host in one namespace (e.g., testone.com) and the response from the second server includes a referral to a host in a different namespace (e.g., testtwo.com), the local server discards the response and does not cache it in its name server cache. Note that this setting is enabled by default in Windows 2000 and Windows Server 2003, so you only need to perform this task if you have previously disabled the setting.
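To make the rule concrete, here is an added PowerShell model of the check described above; it is not the cookbook's code nor the DNS server's implementation. The real server compares response records against the namespace it queried; this simplified version approximates that namespace as the parent domain of the queried name (so a query for www.testone.com defines the namespace testone.com) and marks every record whose owner name falls outside it as not cacheable. The function names and the sample response are constructed for the example.

```powershell
# Added example (not from the cookbook): a simplified model of the
# "Secure against cache pollution" filter applied to one response.

function Get-Namespace {
    # Namespace of a queried name, approximated as its parent domain
    param([string]$Name)
    $labels = $Name.TrimEnd('.').ToLowerInvariant().Split('.')
    if ($labels.Count -le 2) { return ($labels -join '.') }
    return ($labels[1..($labels.Count - 1)] -join '.')
}

function Test-InNamespace {
    # True when the record name equals the namespace or is a subdomain of it
    param([string]$RecordName, [string]$Namespace)
    $r = $RecordName.TrimEnd('.').ToLowerInvariant()
    return ($r -eq $Namespace) -or $r.EndsWith('.' + $Namespace)
}

function Select-CacheableRecords {
    # Tags each record in a response with whether the server would cache it
    param([string]$QueriedName, [object[]]$Records)
    $ns = Get-Namespace $QueriedName
    foreach ($rec in $Records) {
        [pscustomobject]@{
            Name   = $rec.Name
            Type   = $rec.Type
            Data   = $rec.Data
            Cached = Test-InNamespace -RecordName $rec.Name -Namespace $ns
        }
    }
}

# Constructed sample response to a query for www.testone.com.
# The last record points into a different namespace (testtwo.com) and is
# exactly the kind of record the setting keeps out of the cache.
$response = @(
    @{ Name = 'www.testone.com'; Type = 'A';  Data = '192.0.2.10' },
    @{ Name = 'testone.com';     Type = 'NS'; Data = 'ns1.testone.com' },
    @{ Name = 'ns1.testone.com'; Type = 'A';  Data = '192.0.2.53' },
    @{ Name = 'ns.testtwo.com';  Type = 'A';  Data = '198.51.100.7' }
)

Select-CacheableRecords -QueriedName 'www.testone.com' -Records $response |
    Format-Table -AutoSize
```

In the output the three testone.com records show Cached = True and the ns.testtwo.com record shows Cached = False. That last case is also the legitimate-but-dropped situation the next paragraph describes: a provider in another namespace answering for the first one is indistinguishable, by name alone, from a polluted response.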

The tradeoff with enabling this setting is that sometimes valid responses end up being dropped; for example, if the company owning the second namespace provides DNS services to the company owning the first namespace (for example, if an ISP owned testtwo.com and hosts services for testone.com). This is not a huge issue, however, since it just means that such responses aren't cached; it doesn't mean your name server can't perform a recursive lookup against the other server each time a query is received. The only impact of not being able to cache such responses is the small delay incurred by not being able to retrieve successful lookups from the local server's cache.

See Also

MS KB 241352 (How to Prevent DNS Cache Pollution)



Windows Server Cookbook
Windows Server Cookbook for Windows Server 2003 and Windows 2000
ISBN: 0596006330
Year: 2006
Pages: 380
Authors: Robbie Allen
