ADV200009

Published: 19 May 2020
Source: msrc

Description

Windows DNS Server Denial of Service Vulnerability

Microsoft is aware of a vulnerability involving packet amplification that affects Windows DNS servers.

An attacker who successfully exploited this vulnerability could cause the DNS Server service to become nonresponsive.

To exploit this vulnerability an attacker would need to have access to at least one client and a domain that replies with a large volume of referral records, without glue records, that point to external victim sub domains. While resolving a name from the attacker client, for each referral record found, the resolver contacts the victim domain. This action can generate a large number of communications between the recursive resolver and the victim's authoritative DNS server to cause a Distributed Denial of Service (DDoS) attack.

For more information see the Mitigations and Workaround sections of this advisory.

See also Guidance for DNS Amplification discussed in ADV200009.

Mitigations

Customers should determine whether the DNS server is an intranet-facing or an edge-facing authoritative Microsoft DNS server, then refer to the applicable mitigation. Microsoft rates the risk of this exploit against DNS servers residing on corporate intranets as low. DNS servers residing on edge networks are vulnerable to NXNSAttack.

For intranet facing MS DNS Servers:

The risk of this exploit is low. Monitor internal DNS servers for unusual traffic. Disable internal NXNSAttack clients residing on your corporate intranet as they are discovered.

For edge-facing authoritative DNS Servers:

Enable Response Rate Limit (RRL) supported by Windows Server 2016 and newer versions of Microsoft DNS. Using RRL on DNS resolvers minimizes the initial attack amplification. Using RRL on a public domain's authoritative DNS server reduces amplification back to the DNS resolver. Note that RRL is disabled by default.

This mitigation is not available for Windows Server 2012 or Windows Server 2012 R2. These earlier versions of Windows Server do not support the RRL feature. DNS Servers residing on edge networks that are running either of these versions of Windows Server should be upgraded to Windows Server 2016 or newer that support the RRL feature.

For more information on RRL, see the following:

Use the Set-DnsServerResponseRateLimiting PowerShell cmdlet to enable RRL using default values. If enabling RRL causes legitimate DNS queries to fail because they are being throttled too tightly, incrementally increase the values of the Response/Sec and Errors/Sec parameters only until the DNS server responds to the previously failing queries.

Other parameters may also help administrators better manage RRL settings including RRL exceptions.
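The enable-then-tune procedure described above, as an added PowerShell example (not code from the advisory or from Microsoft): it enables RRL with defaults, exempts a trusted internal resolver range, and raises the per-second limits in small steps only while a burst of legitimate test queries still fails. The test record name, trusted subnet, step and ceiling are placeholder assumptions, and the build check assumes Windows Server 2016 is OS build 14393.

```powershell
# Added example, not from the advisory or Microsoft's documentation: enable RRL
# with default values, exempt trusted internal resolvers, then raise the limits
# in small steps only while a burst of legitimate test queries still fails.
# Assumptions: $TestName lives in a zone this server is authoritative for;
# the subnet, step and ceiling values below are placeholders to adjust.
param(
    [string]$TestName = 'app.corp.example',        # placeholder, must be in a local zone
    [string]$TrustedSubnet = '10.0.0.0/8',         # placeholder internal resolver range
    [int]$Step = 5,                                # increment per tuning round
    [int]$Ceiling = 50                             # never raise limits past this
)

# RRL is only available on Windows Server 2016 (build 14393) and newer.
$build = [System.Environment]::OSVersion.Version.Build
if ($build -lt 14393) {
    throw "OS build $build predates Windows Server 2016: RRL is unavailable, upgrade the server instead."
}

# Count failures in a burst of identical queries against the local server.
# Identical answers to one client above ResponsesPerSec are what RRL drops.
function Test-LegitimateQueries {
    param([string]$Name, [int]$Count = 20)
    $failed = 0
    foreach ($i in 1..$Count) {
        try { Resolve-DnsName -Name $Name -Server 127.0.0.1 -DnsOnly -ErrorAction Stop | Out-Null }
        catch { $failed++ }
    }
    return $failed
}

# Step 1: reset RRL to Microsoft's defaults and enable it (it is off by default).
Set-DnsServerResponseRateLimiting -ResetToDefault -Force
Set-DnsServerResponseRateLimiting -Mode Enable -Force

# Step 2: exempt the trusted internal resolvers through a named client subnet.
Add-DnsServerClientSubnet -Name 'TrustedResolvers' -IPv4Subnet $TrustedSubnet
Add-DnsServerResponseRateLimitingExceptionlist -Name 'TrustedResolversException' -ClientSubnet 'EQ,TrustedResolvers'

# Step 3: raise ResponsesPerSec/ErrorsPerSec (the advisory's Response/Sec and
# Errors/Sec) incrementally, only until previously failing queries succeed.
$rrl = Get-DnsServerResponseRateLimiting
$rps = $rrl.ResponsesPerSec
$eps = $rrl.ErrorsPerSec
while ((Test-LegitimateQueries -Name $TestName) -gt 0 -and $rps -lt $Ceiling) {
    $rps += $Step
    $eps += $Step
    Set-DnsServerResponseRateLimiting -ResponsesPerSec $rps -ErrorsPerSec $eps -Force
    Write-Host "Limits raised to ResponsesPerSec=$rps ErrorsPerSec=$eps"
}
```

Run it in an elevated session on the DNS server itself; the test burst comes from 127.0.0.1, which is deliberately outside the exempted subnet so the tuning loop actually exercises RRL.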

For further information see Guidance for DNS Amplification discussed in ADV200009.

Workaround

Enable Response Rate Limiting on a DNS server

Please see DNS Server Response Rate Limiting for more information.

FAQ

Which versions of Windows are affected?

All supported versions of Windows Server are affected.

Do the mitigation and workaround summarized in this advisory apply to all versions of Windows Server?

No. The mitigation and workaround are not available for Windows Server 2012 or Windows Server 2012 R2. These earlier versions of Windows Server do not support the Response Rate Limit (RRL) feature, which reduces the amplification impact when a targeted DNS resolver queries your DNS Servers.

What should customers do if they have DNS Servers residing on edge networks that are running either Windows Server 2012 or Windows Server 2012 R2?

DNS Servers residing on edge networks that are running either Windows Server 2012 or Windows Server 2012 R2 should be upgraded to Windows Server 2016 or newer that support the RRL feature, which reduces the amplification impact when a targeted DNS resolver queries your DNS Servers.

Exploitability

Publicly Disclosed

No

Exploited

No

DOS

N/A