MS08-037 and Non-recursing DNS Server

Discussion in 'DNS Server' started by John Liles, Jul 31, 2008.

  1. John Liles

    John Liles Guest

    We're preparing to implement this DNS patch in our enterprise, and something
    occurred to me that I thought someone out there might have insight on.

    In addition to our AD-integrated DNS infrastructure, we manage
    external-facing DNS for our company on two Windows servers. Because we're no
    longer forwarding non-authoritative queries from internal to these, we've
    disabled recursion on the external DNS boxes (so they're responsive only to
    queries for zones they're authoritative for).

    With that sort of configuration, are these external boxes even affected by
    the new DNS vulnerability?

    Thanks for any input.
     
    John Liles, Jul 31, 2008
    #1
    1. Advertisements

  2. In
    No, not really, but if an internal machine gets a bug installed with the
    exploit, they will cause problems. Why take a chance?

    --
    Regards,
    Ace

    This posting is provided "AS-IS" with no warranties or guarantees and
    confers no rights.

    Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT,
    MVP Microsoft MVP - Directory Services
    Microsoft Certified Trainer

    For urgent issues, you may want to contact Microsoft PSS directly. Please
    check http://support.microsoft.com for regional support phone numbers.

    Infinite Diversities in Infinite Combinations
     
    Ace Fekay [MVP], Aug 1, 2008
    #2
    1. Advertisements

  3. John Liles

    John Liles Guest

    Thanks for the response. I agree, there's no reason to take a chance and I
    hadn't intended to leave these servers un-patched. Mainly just curious.
     
    John Liles, Aug 1, 2008
    #3
  4. John Liles

    ObiWan [MVP] Guest

    In addition to our AD-integrated DNS infrastructure, we manage
    so, in a word you're saying you had a couple of published DNS
    which were also recursive resolvers which ANYONE in the world
    was able to use ? That was/is a BAD idea, since servers configured
    in such a way may easily be abused for "DNS amplification attacks"
    the bottom line is that, if a DNS is an authoritative one, then it
    should
    NOT recurse, and a recursive server should ONLY be accessible
    to "authorized" clients and not to the whole world

    That said; I fully agree with Ace's post
     
    ObiWan [MVP], Aug 1, 2008
    #4
  5. John Liles

    John Liles Guest

    Uh, yeah. That's why I changed it. You should have seen the DNS
    infrastructure here before I was able to re-architect it.

    JL
     
    John Liles, Aug 1, 2008
    #5
  6. In

    No problem. :)
     
    Ace Fekay [MVP], Aug 2, 2008
    #6
  7. John Liles

    ObiWan [MVP] Guest

    Uh, yeah. That's why I changed it. You should have seen the DNS
    Oh well <g> I suspect it was the "usual S.N.A.F.U."; wasn't it :D ?
     
    ObiWan [MVP], Aug 4, 2008
    #7
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.