Skip navigation

How can I stop DNS Cache pollution?

A. DNS cache pollution can occur if Directory Naming Service (DNS) "spoofing" has been encountered. The term "spoofing" describes the sending of non-secure data in response to a DNS query. It can be used to redirect queries to a rogue DNS server and can be malicious in nature.

Windows NT DNS can be configured to filter out responses to unsecured records by performing the following:

  1. Start the registry editor (regedit.exe)
  2. Move to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DNS\Parameters
  3. From the edit menu select New - DWORD value
  4. Enter a name of SecureResponses and press Enter
  5. Double click the new value and set to 1. Click OK

The following is taken from Knowledge base article Q198409 which helps understand this more:

"Examples: DNS server makes MX query for domain.samples.microsoft.com to samples.microsoft.com's DNS server. The samples.microsoft.com DNS server responds but includes A record for A.ROOT-SERVERS.NET giving its own address. The rogue DNS server has then gotten itself set up as a root server in your DNS server's cache. Less malicious, but more common, are referral responses (or direct responses from BIND, see WriteAuthorityNs for discussion) that contain records for the DNS of an ISP: Authority section:

new.samples.microsoft.com NS ns.new.samples.microsoft.com.
new.samples.microsoft.com NS ns.isp.samples.microsoft.com.
Additional section:
ns.new.samples.microsoft.com. A 1.1.1.1
ns.isp.samples.microsoft.com. A 2.2.2.2
NOTE: The address record for the ISP happens to be old\stale. If SecureResponses is on, records that are not in a subtree of the zone queried are eliminated. For example, in the example above, the samples.microsoft.com. DNS server was queried, so the all the samples.microsoft.com records are secure, but the ns.isp.microsoft.com. A record is not in the sample .microsoft.com. subtree, and is not cached or returned by the DNS server."
TAGS: Security
Hide comments

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish