• Do you run a DNS server?

    #240125

    If you aren’t sure, believe me, you aren’t running a DNS server. If you are running a DNS server, @SimonZerafa wrote to me and suggested I nudge you a
    [See the full post at: Do you run a DNS server?]

    2 users thanked author for this post.
    • #240127

      Most people using a router run a DNS server in the router. Anyone running a Windows domain controller (including via the Essentials role) is running a Windows DNS server. But if the question could be narrowed to, “Are you running a Windows DNS server that is open to the Internet?”–THAT is truly a tiny minority.

      2 users thanked author for this post.
    • #240130

      This vulnerability is present in Server 2012 R2 & up, but not in 2008 R2.

      It seems like this would also be an issue for DNS servers serving addresses only to local (non-remote) clients. Just craft your exploit, send it in phish, and get someone to execute it. If successful, poison the DNS and redirect everyone in the organization to your own site(s) instead of their intended targets.

      The local infection shouldn’t even need admin privileges to cause the DNS heap overflow.

      What am I missing?

      3 users thanked author for this post.
      • #240132

        @jabeattyauditor, point taken. Definitely want to patch eventually even if you only run DNS locally. It’s more urgent if your DNS is public.

        Interesting that the CVE refers to KB4471321 for Server 2016, but the KB doesn’t mention this vulnerability.

      • #240258

        … and since a lot of folks in small businesses have setups where the single Windows server is the DHCP server for everything, then some multifunction printer and… and then they connect to wifi with a random device (phone or some such, or even a visitor’s pc) to print something directly from that… not to mention code execution from within the print job… yep, easy to get random things to talk to the DNS.

    • #240135

      We have quite a few DNS servers. I’ll be approving this for our Server 2012r2 and 2016 systems and installing manually on each system. This is one that I would prefer to install sooner rather than later. Since we have multiple DNS servers I can install one at a time and monitor for problems. If I run across any issues I’ll be sure to pipe in.

      Red Ruffnsore

      • #240181

        MS says the vulnerability has not been publicly disclosed nor exploited. Unless you are protecting state secrets, it should be safe to hold off on patching, unless this status changes.

        1 user thanked author for this post.
    • #240184

      Ludicrous bug is ludicrous . . .  sigh.  Guess I am pulling the patch trigger this weekend for several servers.

      ~ Group "Weekend" ~

    • #240230

      I’ll be honest: DNS vulnerabilities scare me.

      Apparently, Windows Server editions aren’t the only machines that are vulnerable. Microsoft lists a bunch of Windows 10 versions as being vulnerable, too. As of today, this update (KB4471321) appears to be available only through the Catalog. In addition, Microsoft recommends installing the latest Servicing Stack Update before installing this update. Our workstations are configured to wait 25 days before installing updates, but even though the latest SSU (KB4465659) came out on 11/9, it was not automatically installed on our 1607 LTSB workstations, so we have to install that manually before installing this fix manually, too.

      So I’ll spend the rest of today and tomorrow testing this in the lab, and then deploy it over the weekend, and try to catch up with the work that people really want me to do next week.

      S’okay, though. I could have become a pastry chef, and I would have been happy, too, but I chose IT instead.

    • #240238

      I’ve installed this on 2 of 3 DCs in the main office. All 3 are 2012r2 servers. One is a physical server, a Dell T610 or something. The other 2 are running on VMware. I have another to do later on VMware, but I give it a green light.

      Resolves names fine, ipconfig checks out.

      This is important because of the fact that there is also a patch for Windows 10, which of course runs DNS. I’m pushing it to all our 1803 systems to prevent a backdoor.

      Red Ruffnsore

      1 user thanked author for this post.
      • #240242

        I informed my boss that all looks good and I will be in late tomorrow just in case.

        Red Ruffnsore

    • #240253

      What about the DNS vulnerability on Windows Server 2008/2008R2?

      • #240361

        2008r2 is not affected and the patch is not needed, as mentioned previously.

        Red Ruffnsore

        1 user thanked author for this post.
    • #240257

      For this CVE, does there need to be an exception to the Defcon rule for us Home users?

      • #240812

        This one can be installed separately and manually without the usual monthly bundle. See https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8626 . Just make sure that you have the current Servicing Stack Update installed first, which can also be installed separately and manually. The latest SSU is available at https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV990001 . I’ve tested it in our lab, and there appear to be no negative side effects. YMMV, but this is for DNS, and should be considered very important.

        Group K(ill me now)
        1 user thanked author for this post.
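
Added example (not part of any post in this thread): a PowerShell check for the install order described in #240230 and #240812, Servicing Stack Update first and then the fix, plus whether the machine runs the DNS Server service at all. The two KB numbers are the ones quoted in the thread for 1607 / Server 2016 builds, and `Test-KbInstalled` is a helper name chosen here.

```powershell
# KB numbers as quoted in this thread for Windows 10 1607 / Server 2016.
# Other builds use different KBs; take them from the CVE-2018-8626 advisory.
$SsuKb = 'KB4465659'   # Servicing Stack Update named in the thread
$FixKb = 'KB4471321'   # update the thread associates with CVE-2018-8626

function Test-KbInstalled {
    param([Parameter(Mandatory)][string]$Id)
    # Get-HotFix raises an error when the KB is absent, so silence it
    # and convert "object returned / nothing returned" to a boolean.
    [bool](Get-HotFix -Id $Id -ErrorAction SilentlyContinue)
}

# The DNS Server role runs as the service named 'DNS'.
# The client-side resolver cache is a different service ('Dnscache').
$dnsServer = Get-Service -Name 'DNS' -ErrorAction SilentlyContinue

$status = [pscustomobject]@{
    Computer        = $env:COMPUTERNAME
    DnsServerRole   = [bool]$dnsServer
    DnsServerStatus = $(if ($dnsServer) { $dnsServer.Status } else { 'NotInstalled' })
    SsuInstalled    = Test-KbInstalled -Id $SsuKb
    FixInstalled    = Test-KbInstalled -Id $FixKb
}
$status | Format-List

# Report the next step in the order the thread describes: SSU, then the fix.
if ($status.FixInstalled) {
    "$FixKb is installed."
} elseif (-not $status.SsuInstalled) {
    "Install $SsuKb (SSU) first, then $FixKb."
} else {
    "SSU is present; $FixKb can be installed."
}
```

A later cumulative update that supersedes the fix will not show up under the KB number checked here, so a "not installed" result on a fully updated machine should be confirmed against the OS build number.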
        • #240845

          Thank you, the servicing stack updates were applied and reported successful install. I do not understand why the security update failed to completely install at 99%, a waste of some hours as the Windows system had booted to finish the process. Do I have to remove the December Flash update and Malware removal tool and retry installation of the security update?

    • #240526

      I genuinely don’t see why Windows 10 is on the list of affected OSes. No edition of Windows 10 supports installing the DNS server role. I think this is either a mistake, or simply patch overlap with the server editions. Note that Windows 2012 R2 is listed, but Windows 8.1 isn’t.
