|Title||Update for DNS Devolution|
|Name||KB971888||First vendor Publication||2009-06-09|
|Vendor||Microsoft||Last vendor Modification||1970-01-01|
Security-Database Scoring CVSS v2
|Cvss vector :|
|Cvss Base Score||N/A||Attack Range||N/A|
|Cvss Impact Score||N/A||Attack Complexity||N/A|
|Cvss Exploit Score||N/A||Authentication||N/A|
Microsoft is announcing the availability of an update to DNS devolution that can help customers in keeping their systems protected. Customers whose domain name has three or more labels, such as "contoso.co.us", or who do not have a DNS suffix list configured, or for whom the following mitigating factors do not apply may inadvertently be allowing client systems to treat systems outside of the organizational boundary as though they were internal to the organization's boundary.
Purpose of Advisory: To provide clarification and notification of the availability of a non-security update that may help customers in keeping their systems protected.
Advisory Status: Microsoft Knowledge Base Article and associated updates were released.
Recommendation: Review the referenced Knowledge Base article and apply the appropriate updates.
This advisory discusses the following software.
What is the scope of the advisory?
What is a top-level domain (TLD)?
What is a Primary DNS Suffix (PDS)?
What is a second-level domain (SLD)?
What does the DNS devolution feature do?
What causes this risk?
What are the implications for the queries going outside organizational boundary?
All such queries would expose internal IP addresses. Network clients may exchange credentials with the malicious server. If the query is for a WPAD server, a malicious proxy may be configured on the client machines.
Does this update change my current DNS devolution behavior?
Is there a change in user experience after this update is installed?
This is a security advisory about a non-security update. Isn't that a contradiction?
How is this update offered?
Is this update distributed on Automatic Update?
Why is this not a security update that is announced in a security bulletin?
Why is this update offered in a security advisory?
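The following PowerShell script is an added illustration, not Microsoft's resolver code and not part of the original advisory. It models the devolution behaviour the advisory describes: an unqualified name is tried against the primary DNS suffix, then against that suffix with its leftmost label removed, and so on, so that a three-label organization domain such as contoso.co.us ends up producing a candidate in the public co.us namespace. The organization suffix, the "wpad" lookup and the devolution floor used in the second call are constructed sample values; the floor is shown only as an assumption about what a safer configuration achieves, not as a description of the update's internals.

```powershell
# Added illustration (not Microsoft's resolver code): model how the DNS client
# devolves a single-label name against the primary DNS suffix (PDS) and flag
# the candidates that fall outside the organization's own domain.
function Get-DevolutionCandidates {
    param(
        [Parameter(Mandatory)][string]$Name,              # unqualified name being looked up
        [Parameter(Mandatory)][string]$PrimaryDnsSuffix,  # e.g. corp.contoso.co.us
        [int]$MinimumLabels = 2                           # assumed pre-update behaviour: devolve until the SLD remains
    )
    $labels = $PrimaryDnsSuffix.Trim('.').Split('.')
    $out = New-Object System.Collections.Generic.List[string]
    for ($i = 0; $i -le ($labels.Count - $MinimumLabels); $i++) {
        # Drop $i leading labels from the PDS and append what remains to the name.
        $suffix = $labels[$i..($labels.Count - 1)] -join '.'
        $out.Add("$Name.$suffix")
    }
    return $out.ToArray()
}

function Test-OutsideOrganization {
    param(
        [Parameter(Mandatory)][string]$Fqdn,
        [Parameter(Mandatory)][string]$OrganizationSuffix   # the domain the organization actually controls
    )
    # A candidate stays inside the boundary only if it ends with ".<organization suffix>".
    $boundary = '.' + $OrganizationSuffix.Trim('.').ToLowerInvariant()
    return -not $Fqdn.ToLowerInvariant().EndsWith($boundary)
}

# Constructed sample: a client in corp.contoso.co.us (the organization owns contoso.co.us,
# a three-label domain) resolves the single-label name "wpad".
$pds = 'corp.contoso.co.us'
$org = 'contoso.co.us'

Write-Output "Devolution with the default floor (two labels):"
foreach ($candidate in Get-DevolutionCandidates -Name 'wpad' -PrimaryDnsSuffix $pds) {
    $leaks = Test-OutsideOrganization -Fqdn $candidate -OrganizationSuffix $org
    '{0,-26} {1}' -f $candidate, $(if ($leaks) { 'OUTSIDE organizational boundary' } else { 'internal' })
}
# Expected: wpad.corp.contoso.co.us and wpad.contoso.co.us are internal;
# wpad.co.us leaves the organization and is answered by whoever controls that zone.

Write-Output "Devolution with a floor at the organization's own domain (assumed safer configuration):"
$floor = $org.Trim('.').Split('.').Count
Get-DevolutionCandidates -Name 'wpad' -PrimaryDnsSuffix $pds -MinimumLabels $floor
# Expected: only the two internal candidates; wpad.co.us is never generated.
```

The second call shows why the advisory singles out domains with three or more labels: with the default two-label floor, every such organization generates at least one candidate that is not its own, and a WPAD lookup that lands there is exactly the case the FAQ answer above warns about.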
Microsoft has tested the following workarounds. Although these workarounds will not correct the underlying risk, they help block known attack vectors. When a workaround reduces functionality, it is identified in the following section.
To disable automatic DNS devolution, save the following to a file with a .REG extension and then run regedit.exe /s
Note: Refer to the TechNet article, UseDomainNameDevolution, for more information on the UseDomainNameDevolution registry value.
For the changes to take effect, the DNS Client service must be stopped and restarted. This can be accomplished from an elevated or administrative command prompt using the following command:
Impact of Workaround: The DNS resolver will not perform devolution, potentially breaking any applications or configurations that rely on this behavior. Applications that perform their own form of devolution are not affected by this setting.
To create a domain suffix search list, save the following to a file with a .REG extension and then run regedit.exe /s
Note: Windows Server 2003 includes the ability to distribute the domain suffix search list via Group Policy. For more information, see Microsoft Knowledge Base article 294785 in the DNS Suffix Search List section.
Impact of Workaround: When a domain suffix search list is configured on client systems, only that suffix list is used in DNS queries. The primary DNS suffix and any connection-specific DNS suffixes are not used. The DNS resolver will not perform devolution, potentially breaking any applications or configurations that rely on this behavior.
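The PowerShell script below is an added example and is not the advisory's own .REG files (which this page does not reproduce). It first audits the settings the two workarounds touch, reporting whether devolution is currently effective and how many labels the primary DNS suffix has, and then offers one function per workaround. The registry locations are assumptions taken from Microsoft's documentation of the UseDomainNameDevolution value (under the DNS Client service's Dnscache\Parameters key) and of the SearchList and Domain values (under Tcpip\Parameters); the sample suffixes in the commented-out calls are constructed. Writing the values and restarting the service require an elevated prompt, as the advisory notes.

```powershell
# Added example, not Microsoft's code. Audit and apply the advisory's two workarounds.
# Assumed registry locations (from Microsoft documentation of these values):
$DnscacheParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters'   # UseDomainNameDevolution
$TcpipParams    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'      # Domain, SearchList

function Get-DnsDevolutionState {
    # Read-only audit; works from a non-elevated prompt.
    $tcpip = Get-ItemProperty -Path $TcpipParams -ErrorAction SilentlyContinue
    $dnsc  = Get-ItemProperty -Path $DnscacheParams -ErrorAction SilentlyContinue
    $pds   = $tcpip.Domain
    $list  = $tcpip.SearchList
    $devol = $dnsc.UseDomainNameDevolution        # $null when the value has never been set

    $labels = if ([string]::IsNullOrEmpty($pds)) { 0 } else { $pds.Trim('.').Split('.').Count }
    # Devolution is only used when it is not explicitly disabled AND no suffix search list exists
    # (a configured search list replaces devolution, as the workaround impact text states).
    $active = ($null -eq $devol -or $devol -ne 0) -and [string]::IsNullOrEmpty($list)

    [pscustomobject]@{
        PrimaryDnsSuffix        = $pds
        PrimarySuffixLabels     = $labels
        SearchList              = $list
        UseDomainNameDevolution = if ($null -eq $devol) { 'not set (enabled by default)' } else { $devol }
        DevolutionActive        = $active
        # The advisory's concern: devolution active on a suffix of three or more labels.
        MatchesAdvisoryRisk     = $active -and ($labels -ge 3)
    }
}

function Disable-DnsDevolution {
    # Workaround 1: UseDomainNameDevolution = 0 (REG_DWORD), then restart the DNS Client service.
    if (-not (Test-Path $DnscacheParams)) { New-Item -Path $DnscacheParams -Force | Out-Null }
    New-ItemProperty -Path $DnscacheParams -Name 'UseDomainNameDevolution' `
        -PropertyType DWord -Value 0 -Force | Out-Null
    Restart-Service -Name Dnscache    # same effect as stopping and starting the service
}

function Set-DnsSuffixSearchList {
    # Workaround 2: an explicit, comma-separated suffix search list (REG_SZ). Once set, only
    # these suffixes are appended; the PDS and connection-specific suffixes are no longer used.
    param([Parameter(Mandatory)][string[]]$Suffixes)
    New-ItemProperty -Path $TcpipParams -Name 'SearchList' `
        -PropertyType String -Value ($Suffixes -join ',') -Force | Out-Null
    Restart-Service -Name Dnscache
}

# Audit first; apply a workaround only after reviewing the impact described above.
Get-DnsDevolutionState | Format-List
# Disable-DnsDevolution
# Set-DnsSuffixSearchList -Suffixes 'corp.contoso.co.us', 'contoso.co.us'   # constructed sample suffixes
```

Run the audit across a fleet before changing anything: a host whose report shows DevolutionActive set and a three-or-more-label suffix is the case the advisory describes, while a host that already has a SearchList will not change behaviour if devolution is additionally disabled.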
|Url : http://www.microsoft.com/technet/security/advisory/971888.mspx|