Windows DNS and the Kaminsky bug

Published 03 December 08 01:59 PM

Yeah…it’s about time we talk about this, isn’t it?

As part of mitigating the threat posed by the Kaminsky vulnerability, which Dan explains in detail in a blog post he published a while ago, Microsoft released patches to the Windows DNS servers that included a feature called “socket pool”. This was released as Microsoft Security Bulletin MS 08-037.

In Windows 7, there is another additional feature that adds another layer of security called “cache locking”. I’ll talk a bit about both these features now.

The Socket Pool is the way Windows DNS achieves source port randomization. Instead of using a predicable source port when issuing queries, the DNS server will now randomly pick a source port from a pool of sockets that it opens when the service starts. Depending on the OS version, the socket pool is opened either in the 49k to 64k range or the 10k to 49k range. An attacker will have to guess this source port in addition to the random transaction ID to be able to successfully execute the cache poisoning attack.

The size of the socket pool is stored in the registry under HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters\SocketPoolSize. If you open regedit and don’t see this key present, then that means that the DNS server is using a default of 2,500 ports. The registry key only gets created when you attempt to modify this value.

When the DNS service starts up, it reads the value of the socket pool size from this registry location. It then calls the TCP/IP stack and begins to open up these sockets. Once they’re all open, the DNS server randomly picks a socket for each query it sends.

By default, the socket pool size is 2,500. Note that this means 2,500 ports for IPv4 and 2,500 ports for IPv6. The max value for the socket pool is 10,000.

How do you control the value of this setting?

Ø Dnscmd /Info /SocketPoolSize will tell you the current size of the socket pool

Ø Dnscmd /Config /SocketPoolSize <val> sets the socket pool size to #val

Ø Once you reset the size, you must restart the DNS service. Use net stop dns to stop the service, and net start dns to restart the service. Once the service has restarted, the new socket pool will come into effect.

Now some customers experienced loss of Internet connectivity after installing this patch on computers that had certain versions of ZoneAlarm installed. ZoneAlarm released a bulletin to address this issue.

Last week NetworkWorld.com published an article that said that one in four DNS servers are still vulnerable to Kaminsky flaw. If you’re running Windows DNS and haven’t patched yet, do so! Do it now. Remember, this mainly affects recursive DNS servers, so if you have no recursive DNS servers, you can panic less.

In Windows Server 2008 R2 DNS server, we’ve made an additional tweak to the socket pool. The patch released only allows you to turn on/off the socket pool and specify a socket pool size. However in R2, you can now specify an exclusion list – i.e. a list of ports/port ranges that the DNS server should not bind to. Therefore, if you have another application on your DNS server that you know binds to a specific port in the 49k – 65k range, then you can add that port to the exclusion list. DNS server will not bind to that port (or ports) and leave them free for the other application to use.

To set up this exclusion list (available only on Windows Server 2008 R2), use:

Ø Dnscmd /Config /SocketPoolPortExclusionList

Now Windows Server 2008 R2 DNS server (aka Windows 7 server) contains an additional layer of security with a feature called cache locking. Understanding TTLs is key to understanding this feature.

Each DNS resource record comes with a Time-To-Live (TTL) value. This tells another caching server/resolver how long to keep the record in the cache before deleting it. Accordingly, until the TTL expires, the server will retain the record in the cache. However there is nothing preventing the server from overwriting the entry in the cache before the TTL expires if it receives updated information about that name.

One of the most dangerous aspects of the Kaminsky attack is that it allows an attacker to overwrite a pre-existing cached delegation. A reasonably valid assumption is that for any domain that is worth attacking, all DNS servers that are serving a typical set of clients will have a valid cached delegation in memory in the steady state. As soon as the valid cached delegation expires, another client is likely to fairly quickly submit a query for a name in the zone, causing the delegation to be re-cached.

Cache locking is measured as a % value. For example, if the cache locking value is set to 50%, then the DNS server will not overwrite a cached entry for 50% of its TTL. So, if the DNS server has a cached entry for www.contoso.com with a TTL of 60 minutes, for the first 30 minutes after creating the cache entry, the DNS server will not overwrite the entry even if it receives different data about www.contoso.com.

How does this protect against the Kaminsky vulnerability? Think about what the attacker is doing – he is running the race over and over again, by querying for 1.contoso.com, 2.contoso.com, 3.contoso.com and bombarding a reply that essentially says “Don’t know where n.contoso.com is, but ask www.contoso.com, who by the way is at <attacker’s IP>.” And, to successfully complete the attack, he’s counting on the fact that if/when he does win the race, his IP address gets cached against www.contoso.com, overwriting what already may be there.

By default, the cache locking percent value is 100. This means that cached entries will not be overwritten for the entire duration of the TTL.

The value is stored in this registry location: HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters\CacheLockingPercent. As with the socket pool, if you look at the registry and don’t see this registry key, then the DNS server will assume a default of 100. The registry key only gets created when you attempt to modify the value.

Here’s the magic that makes it work (available only on Windows Server 2008 R2):

Ø Dnscmd /Info /CacheLockingPercent will tell you what the current value of the cache locking percent is.

Ø Dnscmd /Config /CacheLockingPercent <val> will set the cache locking percentage to #val.

by sseshad

Filed under: Kaminsky bug

Comment Notification

If you would like to receive an email when updates are made to this post, please register here

Subscribe to this post's comments using RSS

Comments

# microsoft patches | Digg hot tags said on December 3, 2008 11:54 PM:

PingBack from http://diggwow.info/tags/108/200812/microsoft-patches.html

# Alun Jones said on December 4, 2008 3:24 PM:

At http://msmvps.com/blogs/alunj/archive/2008/07/25/1642098.aspx, I talked about using the "ReservedPorts" registry entry documented in http://support.microsoft.com/kb/812873 to prevent the DNS server from binding to certain ports.

The SocketPoolPortExclusionList entry sounds similar, but would presumably be restricting only the DNS server, rather than "ReservedPorts", which restricts all servers from binding to those ports by accident.

Thanks for coming up with this extra information - cache locking sounds like a simple way to prevent this attack, but will be worth watching if any future attacks guarantee a cache can be poisoned, because now a poisoned cache will be poisoned for 50% of the declared TTL.

# sseshad said on December 4, 2008 5:05 PM:

Hi Alun, yes the SocketPoolExclusionList applies only to the DNS server and not to any other services/applications. A possible issue that the SocketPoolExclusionList attempts to mitigate is that if application "x" for some reason always asks for port "p" in the 49k-64k range, but in this instance that port is taken away by the DNS server, then application "x" has nothing to bind to. This sounds a little bizzare, but in the event that it does happen, it will be really hard to detect the failure cause. The exclusion list can allow administrators to selectively control the socket pool based on what else is running on that machine.

# Alun Jones said on December 4, 2008 6:13 PM:

Said bizarre reasons include attempts to restrict the number of ports used by RPC-dependent network services. Take AD, as an example, if you've followed the instructions in http://support.microsoft.com/kb/224196 in order to allow AD replication and client RPC traffic through on a fixed port, you may well have chosen a port in that range of 49k-64k, in an attempt to avoid opening the firewall up to a 1k-64k port range.

# Robert said on December 5, 2008 1:31 AM:

The services offered by us provide a competitive advantage in several ways as it

increases the tempo of your business activities. <a href="http://www.realdataassistance.com/">Data entry service providers</a>

# someone said on December 29, 2008 7:24 AM:

Please we are concerned about DNSSEC support in Vista and Server 2008. Please add it in the upcoming service pack. We don't like forced to upgrade for this feature.

# stopka2top said on March 20, 2009 10:39 AM:

How do you control the value of this setting?

Ø Dnscmd /Info /SocketPoolSize will tell you the current size of the socket pool

blogs.technet.com/sseshad/archive/2008/12/03/windows-dns-and-the-kaminsky-bug.aspx

Ø Dnscmd /Config /SocketPoolSize <val> sets the socket pool size to #val

# stopka2top said on March 20, 2009 10:40 AM:

blogs.technet.com/sseshad/archive/2008/12/03/windows-dns-and-the-kaminsky-bug.aspx

# Michael said on April 1, 2009 12:36 PM:

Hello,

We had DNS-Spoofing under Server 2003 R02 (All patches) in Switzerland since December 2008. The fix for this was released 10.03.2009 by MS. You can find traces about DNS Spoofing (Server 2003) from beginning Dec 2008 on Secunia and several security sites. I am a great fan of MS products and i kind of hate linux. Not because of TUX because of the strange people who manage it ;-)

But now: Why did it take 3 Months for MS to release i patch for the DNS Server?

On TUX it's one line of code to drop the packet (The Zero ones) out of everything. Sonicwall, Series 2, Zyxel could not filter it. Every Fortigate could do it since the beginning.

Can you imagine how much traffic and Peaks on larger ISP's MS has generated with this. Can you believe that several larger enterprise customer did change their ISP in this time?

I mean i have XX calls fre at MPSS because we are M S Partner. But do you just want me to call next and MAYBE we will get USD250 charged...

Can you imagine what an ISP tells you if you explain them that you run a NS not on Bind but a DNS MS 2003?

For fast answers and TUXIES

;-) No, we (some) can't because then Exchange 2007 CAS to be in the LAN Segment otherwise they guys from spain (MPSS) hang up the fone. No i don't like the experiments with Edge and ADAM.

You (Some other MS dudes) did some good work with "Malicious software removal" which saved some MCAFEE enterp* butts the last few weeks because of not deteting conf* but the DNS story sucks.

Thank you Microsoft.......

# John said on April 22, 2009 2:50 AM:

Thanks! This is exactly what I was looking for, too bad MS didn't explain/post this as well...

# cheap propecia said on May 28, 2009 2:36 AM:

If you have to do it, you might as well do it right

# GW@DellCSS said on June 19, 2009 2:18 PM:

what collection of commands do we have, analogous to DNSCMD /config /socketpoolsize <value>, that will work on our few, but dogged Win2000server customers? DNSCMD /config is an unknown command, and we have to do something about the ~5700 handle count being sucked away from user mem. It has become a significant call driver for us whenever we see server freezes... and reducing socket pool size by 1/2 cuts the expended handles in 1/2 as well, resulting in resolution.

Name (required)
Your URL (optional)
Comments (required)

Enter Code Here: Required
Remember Me?

About sseshad

Shyam Seshadri is the Program Manager in Microsoft responsible for the Windows Domain Name System (DNS) server and client products.

Port 53

Windows DNS and the Kaminsky bug

Comment Notification

Comments

Leave a Comment

About sseshad

This Blog

Tags

Archives

Syndication