CERTA-2001-AVI-096
An insecure default configuration of the DNS servers shipped with Windows NT and Windows 2000 allows an attacker to corrupt the cache of those DNS servers with false information returned by a hostile DNS server.
An attacker can set up a hostile server that returns false information to vulnerable DNS servers. That false information then makes it possible to substitute an illegitimate address for a legitimate one.
In this way it is possible to cause a denial of service by returning an error, or to redirect traffic to a hostile site without the user's knowledge. The hostile site can then intercept, modify or falsify information.
Microsoft article
How to Prevent DNS Cache Pollution
The information in this article applies to:
- Microsoft Windows NT Server version 4.0
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Server
IMPORTANT: This article contains information about editing the
registry. Before you edit the registry, make sure you understand how to
restore it if a problem occurs. For information about how to do this, view
the "Restoring the Registry" Help topic in Regedit.exe or the "Restoring a
Registry Key" Help topic in Regedt32.exe.
SUMMARY
DNS cache pollution can occur if Domain Name System (DNS) "spoofing"
has been encountered. The term "spoofing" describes the sending of
non-secure data in response to a DNS query. It can be used to redirect
queries to a rogue DNS server and can be malicious in nature.
MORE INFORMATION
WARNING: Using Registry Editor incorrectly can cause serious
problems that may require you to reinstall your operating system.
Microsoft cannot guarantee that problems resulting from the incorrect use
of Registry Editor can be solved. Use Registry Editor at your own risk.
For information about how to edit the registry, view the "Changing Keys
and Values" Help topic in Registry Editor (Regedit.exe) or the "Add and
Delete Information in the Registry" and "Edit Registry Data" Help topics
in Regedt32.exe. Note that you should back up the registry before you edit
it. If you are running Windows NT or Windows 2000, you should also update
your Emergency Repair Disk (ERD).
Windows NT 4.0
With Windows NT 4.0 Service Pack 4 (SP4) or later, a Windows NT-based
DNS server can filter out the responses for these non-secure records.
To enable this feature:
- Start Registry Editor (Regedt32.exe).
- Locate the following key in the registry:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DNS\Parameters
- On the Edit menu, click Add Value, and then add the
following registry value:
Value Name: SecureResponses
Data Type: REG_DWORD
Value: 1 (To eliminate non-secure data)
- Quit Registry Editor.
By default, this key does not exist and non-secure data is not
eliminated from responses.
For additional information, click the article number below to view the
article in the Microsoft Knowledge Base:
Q198409 Microsoft DNS Server Registry Parameters, Part 2 of 3
Windows 2000
A Windows 2000-based DNS server can filter out the responses for these
non-secure records.
To enable this feature:
- Start Registry Editor (Regedt32.exe).
- Locate the following key in the registry:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DNS\Parameters
- On the Edit menu, click Add Value, and then add the
following registry value:
Value Name: SecureResponses
Data Type: REG_DWORD
Value: 1 (To eliminate non-secure data)
- Quit Registry Editor.
By default, this key does not exist and non-secure data is not
eliminated from responses.
NOTE: On Windows 2000, you can perform the same entry in the GUI.
Use the following steps to do this:
- Open the DNS Management Console by clicking Start, Programs, Administrative Tools, DNS.
- Right-click the server name in the left window pane.
- Choose Properties.
- Choose the Advanced tab.
- Place a check in the box "Secure cache against pollution".
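An added example, not taken from the advisory or from the Microsoft article: a PowerShell script that audits the SecureResponses value described above on the local DNS server and, when run with -Remediate, creates or sets it to 1. It assumes administrative rights on the server, and it assumes (the article does not say) that the DNS Server service, named DNS, must be restarted for the registry change to take effect.

```powershell
# Added example (not from the CERTA advisory or the Microsoft KB article):
# audit, and optionally set, the SecureResponses value the article describes.
# Assumes administrative rights on the DNS server itself.
param(
    [switch]$Remediate   # without this switch the script only reports
)

$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$ValueName = 'SecureResponses'

if (-not (Test-Path $KeyPath)) {
    throw "DNS Server parameters key not found: $KeyPath (is the DNS Server role installed?)"
}

# The article states that the value does not exist by default and that, when it
# is absent, non-secure data is NOT filtered. Treat "missing" exactly like 0.
$item    = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
$current = if ($null -eq $item) { $null } else { [int]$item.$ValueName }

if ($null -eq $current) {
    Write-Output "${ValueName} is not set (default): cache pollution protection is OFF"
} elseif ($current -eq 1) {
    Write-Output "${ValueName} = 1: cache pollution protection is ON"
} else {
    Write-Output "${ValueName} = ${current}: unexpected value, treating as OFF"
}

if ($Remediate -and $current -ne 1) {
    # New-ItemProperty creates the REG_DWORD if absent; -Force overwrites an existing value.
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
    Write-Output "${ValueName} set to 1 (REG_DWORD)."
    # Assumption (not stated in the article): the DNS Server service reads this
    # parameter at start-up, so restart it for the change to apply.
    Restart-Service -Name DNS
}
```

Run without -Remediate first to see the current state; on a server that has only been configured through the Windows 2000 GUI checkbox, the same registry value should already report as 1.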