Microsoft Security Advisory 971888
Update for DNS Devolution
Published: June 09, 2009
Microsoft is announcing the availability of an update to DNS devolution that can help customers in keeping their systems protected. Customers whose domain name has three or more labels, such as "contoso.co.us", or who do not have a DNS suffix list configured, or for whom the following mitigating factors do not apply may inadvertently be allowing client systems to treat systems outside of the organizational boundary as though they were internal to the organization's boundary.
- Customers who are joined to a domain and have a DNS suffix search list configured on their system are not at risk of inadvertently treating external systems as though they were internal. Microsoft encourages all enterprise customers to set DNS suffix search lists on client systems in order to ensure all DNS queries stay within organizational boundaries.
- In most cases, home users who are not members of a domain do not use DNS devolution and therefore are not exposed to this risk. Home users who are not members of a domain but have configured a primary DNS suffix, however, do use DNS devolution and are at risk of inadvertently treating external systems as though they were internal.
- Customers whose DNS domain name consists of two labels are not exposed to this risk. An example of a customer who is not affected is contoso.com or fabrikam.gov, where "contoso" and "fabrikam" are customer registered domain names under their respective ".com" and ".gov" top-level domains (TLDs).
Purpose of Advisory: To provide clarification and notification of the availability of a non-security update that may help customers in keeping their systems protected.
Advisory Status: Microsoft Knowledge Base Article and associated updates were released.
Recommendation: Review the referenced Knowledge base and apply the appropriate updates.
|Microsoft Knowledge Base Article||957579|
This advisory discusses the following software.
What is the scope of the advisory?
This advisory provides notification that updates are available that help define an organizational boundary for systems that are domain joined but do not have a DNS suffix list configured. Updates are available for the software that are listed in the Overview section.
What is a top-level domain (TLD)?
The top-level domain (TLD) is the last part of an Internet domain name. These are the letters that follow the final dot of any domain name. For example, in the domain name wpad.western.corp.contoso.co.us, the TLD is ".us". TLDs can be primarily split into two types: country code and generic. Country code TLDs are two letter abbreviations for each country. In this example .us is for United States. Generic TLDs are the more traditionally recognizable three (or greater) letter abbreviations such as .com, .net, .org, etc. For a full list of all available TLDs, refer to the following list at IANA.
What is a Primary DNS Suffix (PDS)?
This is the domain name appended to the right of a computer's single label host name. A fully qualified domain name (FQDN) can be defined as <hostname>.<primary DNS suffix>. By default, the primary DNS suffix portion of a computer's FQDN is the same as the name of the Active Directory domain to which the computer is joined. However, a computer's PDS may be different than the DNS domain to which it is joined when configured via the Properties dialog box from My Computer.
What is a second-level domain (SLD)?
A second-level domain (SLD) is a domain located directly "below" or to the left of the TLD. In the previous example, wpad.western.corp.contoso.co.us, the SLD is ".co". The most common registration of SLDs is under country code TLDs. The United States primarily uses the SLD for US state registration such as ".co.us" for the state of Colorado for example. Non-US SLDs often reuse common TLD names such as ".com.sg".
What does the DNS devolution feature do?
Devolution is a Windows DNS client feature. Devolution is the process by which Windows DNS clients resolve DNS queries for single-label unqualified hostnames. Queries are constructed by appending PDS to the hostname. The query is retried by systematically removing the left-most label in the PDS until the hostname + remaining PDS resolves or only two labels remain in the stripped PDS. For example, Windows clients looking for "Single-label" in the western.corp.contoso.co.us domain will progressively query Single-label.western.corp.contoso.co.us, Single-label.corp.contoso.co.us, Single-label.contoso.co.us, and then Single-label.co.us until it finds a system that resolves. This process is referred to as devolution. For additional information on the DNS client service and devolution, see the Name Resolution for Single-Label, Unqualified Domain Names section in the TechNet article, TCP/IP Fundamentals for Windows, Chapter 9 - Windows Support for DNS.
What causes this risk?
A malicious user could host a system with a single-label name outside of an organization's boundary and due to DNS devolution may successfully get a Windows DNS client to connect to it as though it were internal to the organizational boundary. For example, if the DNS suffix of an enterprise is corp.contoso.co.us and an attempt is made to resolve an unqualified hostname of "Single-Label", the DNS resolver will try Single-Label.corp.contoso.co.us. If that is not found, it will try, via DNS devolution, to resolve Single-label.contoso.co.us. If that is not found, it will try to resolve Single-label.co.us, which is outside of the contoso.co.us domain.
What are the implications for the queries going outside organizational boundary?
Implications vary depending on the query escaping the organization boundary.
All queries would expose the internal IP addresses. Network clients may exchange credentials with the malicious server. In case the query is for a WPAD server, malicious proxy may be set in the client machines.
Does this update change my current DNS devolution behavior?
Yes. The update checks to see what the domain of the Windows client is and limits DNS queries to within that domain. For more information and examples of the change in DNS devolution behavior, see Microsoft Knowledge Base Article 957579.
Is there a change in user experience after this update is installed?
Yes. After the update is installed, the DNS resolver will only perform devolution to a level based on the domain settings of the Windows client, potentially breaking any applications or configurations that rely on this behavior. For more information on the change in DNS devolution behavior, see Microsoft Knowledge Base Article 957579.
This is a security advisory about a non-security update. Isn't that a contradiction?
Security advisories address security changes that may not require a security bulletin but may still affect customer's overall security. Security advisories are a way for Microsoft to communicate security-related information to customers about issues that may not be classified as vulnerabilities and may not require a security bulletin, or about issues for which no security bulletin has been released. In this case, we are communicating the availability of an update that affects your ability to perform subsequent updates, including security updates. Therefore, this advisory does not address a specific security vulnerability; rather, it addresses your overall security.
How is this update offered?
These updates are available on the Microsoft Download Center. Direct links to the updates for specific affected software are listed in the Affected Software table in the Overview section. For more information about the update and the changes to behavior, see Microsoft Knowledge Base Article 957579.
Is this update distributed on Automatic Update?
No. These updates are not distributed over the Automatic Update mechanism. The updates are only available from the Microsoft Download Center. Direct links to the updates for specific affected software are listed in the Affected Software table in the Overview section.
Why is this not a security update that is announced in a security bulletin?
This is a configuration issue. DNS devolution is working as intended and some customers may depend on DNS devolution to legitimately reach assets out of their organizational boundary and treat them as internal assets.
Why is this update offered in a security advisory?
Customers may not know that Windows clients in their environment are using devolution. Devolution could allow clients to treat systems out of their boundary as internal assets and so they are likely to give up credentials, or expose themselves to information disclosure type vulnerabilities.
Microsoft has tested the following workarounds. Although these workarounds will not correct the underlying risk, they help block known attack vectors. When a workaround reduces functionality, it is identified in the following section.
Disable DNS Devolution
To disable automatic DNS devolution, save the following to a file with an .REG extension and then run regedit.exe /s <filename> from an elevated or administrative command prompt:
Note Refer to the TechNet article, UseDomainNameDevolution, for more information on the UseDomainNameDevolution registry value.
Windows Registry Editor Version 5.00
For the changes to take effect, the DNS client service must be stopped and re-started. This can be accomplished from an elevated or administrative command prompt using the following command:
net stop dnscache & net start dnscache
Impact of Workaround: The DNS resolver will not perform devolution, potentially breaking any applications or configurations that rely on this behavior. Applications that perform their own form of devolution are not affected by this setting.
Configure a Domain Suffix Search List
To create a domain suffix search list, save the following to a file with a .REG extension and then run regedit.exe /s <filename> from an elevated or administrative command prompt:
Windows Registry Editor Version 5.00
"SearchList"=<domain specific search list>
Note Windows Server 2003 includes the ability to distribute the domain suffix search list via Group Policy. For more information, see Microsoft Knowledge Base 294785 in the DNS Suffix Search List section.
Impact of Workaround: When a domain suffix search list is configured on client systems, only that suffix list is used in DNS queries. The primary DNS suffix and any connection-specific DNS suffixes are not used. The DNS resolver will not perform devolution, potentially breaking any applications or configurations that rely on this behavior.
- You can provide feedback by completing the form by visiting the following Web site.
- Customers in the United States and Canada can receive technical support from Security Support. For more information about available support options, see the Microsoft Help and Support Web site.
- International customers can receive support from their local Microsoft subsidiaries. For more information about how to contact Microsoft for international support issues, visit the International Support Web site.
- The Microsoft TechNet Security Web site provides additional information about security in Microsoft products.
The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
- V1.0 (June 9, 2009): Advisory published.
Built at 2014-04-18T13:49:36Z-07:00