The DNS Cache Poisoning Vulnerability, Microsoft KB953230 Patch, and UDP Service Ports Reservation Explained, and DNS Memory Leakage

The DNS Cache Poisoning Vulnerability, Microsoft KB953230 Patch, and Ports Reservation Explained


Ace Fekay, MCT, MVP, MCITP EA, Exchange 2010 Enterprise Administrator, MCTS Windows 2008, Exchange 2010 & Exchange 2007, MCSE 2003/2000, MCSA Messaging 2003
  Microsoft Certified Trainer
  Microsoft MVP: Directory Services
  Active Directory, Exchange and Windows Infrastructure Engineer


Published 7/2009
Edits:
8/9/2010  – Added update links (see the bottom of this blog).
10/5/2010 – Added info about the DNS Process Memory Leakage After Installing Hotfix 941672 for Windows 2003
10/7/2010 – Added link explaining how to debug the DNS process to determine if a leak is occuring



 


Protection against the Microsoft DNS Cache Poisoning Vulnerability (953230)


The DNS patch released in July, 2008, reserves 2500 ephemeral UDP service ports.


It is a security update to prevent spoofing. Attackers know that normally, without the update, a random ephemeral response port (service port), which a port is chosen randomly using UDP 1024 and above, is used in response to the querying client resolver. These response or service ports, are used by all Windows communications (not just DNS). An attacker may guess/randomize a port attack at DNS attempting to gain access to create records into the DNS Cache, by injecting records using specially crafted commands, therefore poisoning the DNS cache with records of their choosing, which will allow a remote attacker to redirect legitimate network traffic intended for systems on the Internet to the attacker’s own systems or elsewhere, of their choosing.


By pre-reserving the port, or creating a socket pool, as the DNS patch performs, reduces the chance of a randomization attack, which attackers are using against Windows and other major DNS services, to prevent Cache Poisoning.


 


DNS Increased Memory Consumption Due To The DNS Patch


When you run a netstat -ab, it will display the 2500 UDP ports that have been reserved, but not necessarily in use. This is part of the increased memory consumption that you may notice. I’ve noticed the following when I’ve looked at Task Manager before and after the DNS patch was installed (your mileage may vary):


dns.exe             Before            After
Mem usage     9,758K       36,232K
Peak Mem     10,208K       36,584K
Paged Pool           71K            798K
NP Pool                 17K         4,833K
Handles                238            5,217
Threads                  20                 20


 


If the RPC Endpoint Mapper Runs Out of Ports Due to the Patch


There can also be issues with various applications installed and running on a DNS server where the RPC Endpoint Mapper has run out of ports to use because all available ports are being consumed by the app. If this is the case, it could be that the system is running out of available ports for the RPC endpoint mapper to use.


Run “netstat -ano” in a command line. It should provide a listing of ports that are in use as well as the PID of the process that owns that port.  Possibly you’re running an application on this server that isn’t releasing ports when it’s done with them.  You can also extend the available ports used by RPC but I’d recommend looking into what’s consuming them first.


Take a look at the following article for more info on the Endpoint mapper:


839880 Troubleshooting RPC Endpoint Mapper errors using the Windows Server 2003 Support Tools from the product CD
http://support.microsoft.com/default.aspx?scid=kb;EN-US;839880


 


DNS Process Memory Leakage After Installing Hotfix 941672 for Windows 2003


If your DNS server is experiencing a large amount of memory being consumed by the DNS process to the point it hangs the DNS service and it stops responding, it may be associated to hotfix 941672. If 941672 was installed on the DNS server,
there is a known memory leak issue in the DNS process associated with this hotfix. The issue has been fixed by installing hotfix patch 975830.


Please read more about it in the following link, where you can also request the hotfix.


The memory usage of the Dns.exe process keeps increasing after you install hotfix 941672 on a computer that is running Windows Server 2003 SP2 and that has the DNS server role installed
Article ID: 975830 – Last Review: October 27, 2009 – Revision: 1.0
http://support.microsoft.com/kb/975830/en-us


DNS Memory Consumption Related Discussion:
http://social.technet.microsoft.com/Forums/en-US/windowsserver2008r2general/thread/bcf3ac92-3485-4a2d-9386-55f2dcbc78f8


If you feel that you need more information to determine if a DNS process leak is occuring, you can enable debug logging, and use the following link in conjunction with the symptoms explained in KB975830 to further analyze the issue. Read the following link for more info.


DNS: Monitoring Server
http://technet.microsoft.com/en-us/library/cc783975(WS.10).aspx


 


Windows 2008, 2008 R2, Vista and Windows 7 Emepheral Ports Have Changed


The default emepheral (Random service ports) are UDP 1024 – 65535 (See KB179442 below), but for Vista and Windows 2008 it’s different. Their default start port range is UDP 49152 to UDP 65535 (see KB929851 below).


Quoted from KB929851 (link posted below):


“To comply with Internet Assigned Numbers Authority (IANA) recommendations, Microsoft has increased the dynamic client port range for outgoing connections in Windows Vista and in Windows Server 2008. The new default start port is 49152, and the default end port is 65535. This is a change from the configuration of earlier versions of Microsoft Windows that used a default port range of 1025 through 5000.”


Windows Vista, Windows 7, Windows 2008 and Windows 2008 R2 Service Response Ports (emepheral ports)
The default dynamic port range for TCP/IP has changed in Windows Vista and in Windows Server 2008
http://support.microsoft.com/?kbid=929851


 


 


DNS Server Service Terminates Unexpectedly


Are you seeing the following error?


The DNS Server service terminated with the following error:
An operation on a socket could not be performed because the system lacked sufficient buffer space or because a queue was full.


Cause:
2500 is the default DNS Socket Pool Size value on Windows server 2008 R2. I suspect that for system steady reason BPA will always suggest to use system default settings, so this is the reason why it popped this prompt.


Meanwhile, could you verify the current value setting of registry key SocketPoolSize where under patch:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\DNS\Parameters
Manually modify it to the value you want ,restart computer and check if this issue persist.


For more information please refer to the link below:


DNS Socket Pool – Windows 2008 R2
http://technet.microsoft.com/en-us/library/ee683907(WS.10).aspx


 



More info on the Microsoft DNS Cache Poisoning Vulnerability KB953230 patch and the DNS exploit issue is explained in the following links.


US-CERT Vulnerability – Note VU#800113
Multiple DNS implementations vulnerable to cache poisoning.
DNS cache poisoning (sometimes referred to as cache pollution) is an attack technique that …
https://www.kb.cert.org/vuls/id/800113


SecureWorks: DNS Cache Poisoning
The old problem of DNS cache poisoning has again reared its ugly head.
There are new attacks, which make DNS cache poisoning trivial to execute against …
http://www.secureworks.com/research/articles/dns-cache-poisoning


DNS cache poisoning is a maliciously created or unintended situation that provides data to a caching name server that did not originate from authoritative …
Cache poisoning attacks – Variants – Prevention and mitigation
http://en.wikipedia.org/wiki/DNS_cache_poisoning


MS08-037: Description of the security update for DNS in Windows Server 2003, in Windows XP, and in Windows 2000 Server (client side): July 8, 2008:
http://support.microsoft.com/?id=951748


MS08-037: Vulnerabilities in DNS could allow spoofing
http://support.microsoft.com/default.aspx/kb/953230


How to reserve a range of ephemeral ports on a computer that is running Windows Server 2003 or Windows 2000 Server
http://support.microsoft.com/kb/812873


You experience issues with UDP-dependent network services after you install DNS Server service security update 953230 (MS08-037)
http://support.microsoft.com/default.aspx/kb/956188


Some Services May Fail to Start or May Not Work Properly After Installing MS08-037 (951746 and 951748)
http://blogs.technet.com/sbs/archive/2008/07/17/some-services-may-fail-to-start-or-may-not-work-properly-after-installing-ms08-037-951746-and-951748.aspx


SBS Services failing after MS08-037 – KB951746 and 951748
http://msmvps.com/blogs/thenakedmvp/archive/2008/07/18/sbs-services-failing-after-ms08-037-kb951746-and-951748.aspx


 


Additional Updated LInks (added 8/9/2010):


[PDF] Windows DNS Server Cache PoisoningFile Format: PDF/Adobe Acrobat – Quick View
Microsoft Windows DNS Cache Poisoning. 6. ID. If it is not 7, it sends back a CNAME record for the next host name (i.e. a …
www.babilonics.com/files/Windows_DNS_Cache_Poisoning.pdf


==================================================================


Ace Fekay

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>