------------------------------------------------------------------------
         Windows DNS Cache Poisoning by Forwarder DNS Spoofing 

                               2007.4.16

                  Makoto Shiotsuki <shio@st.rim.or.jp>

Introduction
============

About two years ago, SANS Handler's Diary reported that Windows DNS
server is vulnerable to the cache poisoning attack despite "Secure cache
against pollution" setting if it is configured to forward requests to
the forwarder DNS server [1][2].

According to the Handler's Diary, this poisoning attack against Windows
DNS would be successful in the case when the forwarder DNS server itself
is vulnerable to the poisoning attack or the forwarder DNS server does
not filter out the bogus records in the poisoning attack. So, it is
believed that using Bind9 as forwarder is safe to protect Windows DNS
server from cache poisoning attack through forwarder.

But there seems to be other possible scenario, and in this case, the
possibility of successful attack does not depend on the type or version
of the forwarder DNS server. Therefore, the risk of the Windows DNS
cache poisoning attack is higher than generally perceived.

As far as I tried, DNS service of the Windows Server 2003 SP2 still has
this vulnerability.

Details
=======

As described above, Windows DNS is vulnerable to the cache poisoning
attack through the forwarder DNS server. This seems because Windows DNS
blindly trusts replies from forwarder DNS and caches every resource
records regardless of their domain.

Windows DNS also has characteristic that it is vulnerable to the DNS
spoofing attack using "birthday attack" [3]. By sending multiple
simultaneous queries and forged replies to the Windows DNS server,
attacker can inject a spoofed reply relatively easily if its arrival is
earlier than the reply from the legitimate DNS server.

Both of these are known vulnerabilities (or characteristics? ;) on
Windows DNS, and each of them individually is not high risk because
they require some preconditions to be successfully exploited. However,
by executing the cache poisoning attack in conjunction with DNS
spoofing, it will be more effective attack and the risk will be higher
than before.

Following is the scenario.

  +-----------+           (1)Query           +-----------+
  |           |  ------------------------->  |           |
  |           |  ------------------------->  |           |
  | Attacker  |  ------------------------->  |  Windows  |
  |           |                              |    DNS    |
  |           |  ------------------------->  |           |
  |           |  ------------------------->  | (Victim)  |(6)Poisoned!!
  |           |  ------------------------->  |           |
  +-----------+     (5)Answer(poisoning)     +-----------+
                                                  |||
                                                  ||| (2)Query 
                                                  |||
                                                  vvv
  +-----------+           (3)Query           +-----------+
  |           |  <-------------------------  |           |
  |           |  <-------------------------  |           |
  | Attacker  |  <-------------------------  | Forwarder |
  |    DNS    |                              |    DNS    |
  |           |                              |           |
  |           |  (4) no reply                |           |
  |           |                              |           |
  +-----------+                              +-----------+

  1) Attacker sends multiple simultaneous recursive queries (e.g. 500
     queries) to the Windows DNS server, resolving the name in
     attacker's domain.
  2) Windows DNS forwards those queries to the Forwarder DNS server.
  3) Forwarder DNS sends queries to the Attacker DNS server to resolve
     the name.
  4) Attacker DNS does not reply at all and Forwarder DNS waits for
     timeout.
  5) Attacker sends multiple simultaneous replies (e.g. 500 replies)
     spoofing Forwarder DNS ip address with random query id. Each reply
     includes forged resource records to poison the Windows DNS cache.
  6) Windows DNS accepts certain spoofed reply if its query id matches
     one of the queries from the Windows DNS and finally Windows DNS
     cache is poisoned.

To accomplish this attack, the attacker must know the udp port number
of the Windows DNS server. The attacker can know it simply by sending
a query packet to the Windows DNS server resolving some names in
attacker's domain, because, by default, Windows DNS issues recursive
query by itself if the forwarder does not respond. (This behavior can
be changed using the DNS property window by setting "Do not use
recursion for this domain" check box ON.)

Windows DNS uses same source port number unless the service restarts.
Thus the attacker can use this port number for the attacking reply
packets as udp destination port.

Affected products
=================

Windows Server 2003 (up to and including SP2)
Windows 2000 Server (up to and including SP4)

Vendor status
=============

According to Microsoft response I've got through IPA/ISEC, this kind of
poisoning attack is caused by design of the Windows DNS service, and
they are considering the design change at service pack level.

Solutions
=========

Stop using forwarder.

Mitigating factors
==================

Reject recursive queries to the Windows DNS server from outside of the
site. This will help to prevent direct attacks from the Internet.

References
==========

[1] http://isc.sans.org/presentations/dnspoisoning.html
[2] http://isc.sans.org/diary.php?date=2005-04-07
[3] http://www.lurhq.com/cachepoisoning.html
------------------------------------------------------------------------