Microsoft has recently released a security update for systems running the DNS (Domain Name System) service on Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016 and Windows Server 2019. Server Core installations are affected as well.
A remote code execution vulnerability exists in Windows Domain Name System servers when they fail to properly handle requests. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account. Windows servers that are configured as DNS servers are at risk from this vulnerability.
To exploit the vulnerability, an unauthenticated attacker could send malicious requests to a Windows DNS server.
Microsoft has released security updates as well as a monthly rollup for all supported operating systems. Users should install the updates on their servers as soon as possible. As per the report, this vulnerability is wormable, and code run through it executes in the SYSTEM context, giving an attacker full control of the affected DNS host.
Workarounds
If you are unable to apply the security update for some reason, you can use the following registry workaround on your server.
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
Value name: TcpReceivePacketSize
Type: DWORD
Data: 0xFF00 (65,280 decimal)
You must restart the DNS Service for the registry change to take effect. To do this, run the following command at an elevated command prompt:
net stop dns && net start dns
After the workaround is implemented, a Windows DNS server will be unable to resolve DNS names for its clients if the DNS response from the upstream server is larger than 65,280 bytes.
To remove the workaround
After applying the patch, the admin can remove the TcpReceivePacketSize value and its data; everything else under the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters remains as before.
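The following PowerShell script is an added example, not part of the original article or of Microsoft's own tooling. It applies the registry workaround described above (create the DWORD and restart the DNS service), verifies that the value took, and removes it again once the patch is installed. The function names and the $KeyPath/$ValueName variables are this example's own choices; the key, value name and 0xFF00 data are those given in the article. Run it in an elevated PowerShell session on the DNS server.

```powershell
# Added example: apply, verify or remove the TcpReceivePacketSize workaround.
# Requires an elevated session on a server with the DNS Server role installed.
$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$ValueName = 'TcpReceivePacketSize'
$Mitigated = 0xFF00   # 65,280 bytes, the value the article specifies

function Get-DnsTcpPacketSizeState {
    # Returns the current DWORD, or $null when the value is absent (server default).
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Enable-DnsTcpPacketSizeWorkaround {
    # Creates (or overwrites) the DWORD, restarts the DNS service so the change
    # takes effect, and verifies the value afterwards.
    if (-not (Test-Path $KeyPath)) {
        throw "DNS Parameters key not found; is the DNS Server role installed?"
    }
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord `
        -Value $Mitigated -Force | Out-Null
    Restart-Service -Name DNS -Force
    $current = Get-DnsTcpPacketSizeState
    if ($current -ne $Mitigated) {
        throw "Verification failed: $ValueName is '$current', expected $Mitigated"
    }
    Write-Output ("Workaround active: {0} = 0x{1:X} ({1} bytes)" -f $ValueName, $current)
}

function Disable-DnsTcpPacketSizeWorkaround {
    # Removes only this value; the rest of the Parameters key is left untouched.
    if ($null -eq (Get-DnsTcpPacketSizeState)) {
        Write-Output "Workaround not present; nothing to remove"
        return
    }
    Remove-ItemProperty -Path $KeyPath -Name $ValueName
    Restart-Service -Name DNS -Force
    Write-Output "Workaround removed; DNS service restarted"
}

# Usage (uncomment one line):
# Enable-DnsTcpPacketSizeWorkaround     # while the update cannot yet be installed
# Disable-DnsTcpPacketSizeWorkaround    # after the update has been installed
```

Restart-Service -Force is used rather than net stop/net start so that the script stops if the service fails to come back; Get-DnsTcpPacketSizeState can also be run on its own to audit which servers still carry the workaround after patching.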
Update:
Since Windows Server 2008 R2 reached end of life in January 2020, the security update appears to be available only to users who have purchased the premium add-on service for this operating system. Other users will not get an update directly, hence they will have to use the workaround shown above. This is also alarming because if a vulnerability without any workaround appears in future, you will have no option. It is recommended to upgrade your operating system to Windows Server 2012 R2 or higher as soon as possible. If you are planning to perform an in-place upgrade, you can refer to our KB Upgrade Windows Server 2008 R2 To Windows Server 2012 R2.
Important information about this workaround
TCP-based DNS response packets that exceed the configured value will be dropped without error. Therefore, it is possible that some queries might not be answered, which could cause an unanticipated failure. A DNS server will be negatively impacted by this workaround only if it receives valid TCP responses larger than the mitigation allows (more than 65,280 bytes).
The reduced value is unlikely to affect standard deployments or recursive queries. However, a non-standard use case may exist in a given environment. To determine whether your DNS server will be adversely affected by this workaround, enable diagnostic logging and capture a sample set that is representative of your typical business flow. Then review the log files to identify any anomalously large TCP response packets.
For more information, see DNS Logging and Diagnostics.