
Emergency Directive 20-03 – Remote code execution vulnerability in Windows DNS - PatrolX
https://cyber.dhs.gov/ed/20-03/
======
rsync
This isn't snark - I am serious.

Who would be running a DNS server on a Windows system?

Why would they be doing such a thing? What is the thinking here? I
understand running Windows-specific infrastructure like an AD server or a PDC
or whatever but ... a DNS server?

~~~
jlgaddis
You do understand that the corporate world runs on Microsoft Windows and
Active Directory, right?

DNS is an absolutely critical component of Active Directory (there's even an
old joke that, when dealing with Active Directory issues, "it's always DNS").

In an AD environment, clients are almost always configured to use Windows DNS
servers as their DNS servers, with the Windows DNS servers then performing
forwarding (of any unanswerable queries) on their behalf. This way is, by far,
a helluva lot easier.

You _could_ have non-Microsoft DNS servers that slave the zones from the
Windows DNS servers and point the clients at those.

You can even go a step further and avoid using Microsoft DNS entirely. Despite
what some people (even some here, apparently) say, you absolutely _CAN_ run Active
Directory _without_ using Microsoft DNS _at all_ (although there _are_ several
advantages to using Microsoft DNS)! BIND, for instance, can be used instead of
Microsoft DNS. It completely supports all the features that are needed for
Active Directory -- in fact, it provides a number of additional features that
are often "nice to have" as well.

Because it is a PITA to set up and support, though, these types of deployments
are fairly uncommon. In most cases, it's much "easier" to just use Microsoft
DNS (which can be installed and set up for you automatically when first
deploying Active Directory) -- especially when the folks managing Active
Directory don't really have a great understanding of DNS itself. For example,
I imagine the average Windows administrator would be completely dumbfounded if
you asked them to hand-edit a BIND zone file! Instead, with Microsoft DNS,
they can just point and click their way around.

This, of course, leaves out all discussion of DHCP which (in a corporate
Windows environment) is pretty much always required as well. Running all of
this on Windows means you don't have to deal with integrating all of the
various pieces yourself.

~~~
EvanAnderson
A "win" w/ Active Directory-based DNS servers (and storing the DNS records
within Active Directory) is that you get replication between the DNS servers
by way of AD replication "for free". There's a certain component of "snake
eating its own tail" to it, insofar as you have to bootstrap new Domain
Controller computers by having them use another DNS server while they pull
their initial replica. Active Directory-integrated DNS gets you per-record
ACLs to authenticate dynamic updates, too.

~~~
jlgaddis
Yeah, there are certainly numerous benefits of AD-integrated DNS, such as
built-in zone replication via AD replication, secure dynamic updates, updates
can be made on any DNS server (e.g., "multi-master"), DHCP integration, and
probably several others I'm forgetting at the moment.

At least some of these are available in other DNS servers as well but I'd
certainly agree that AD-integrated DNS is much easier to deploy, manage and
maintain.

~~~
aarmenaa
> updates can be made on any DNS server (e.g., "multi-master")

This cannot be overstated. I'm currently in the process of trying to
rehabilitate an existing DNS infrastructure based on BIND, and it is a
complete disaster. All the "high availability" stuff is focused around
replicating zone databases from a single master to many slaves, which will
indeed continue answering queries even if the master is down. It appears there
is basically zero concern for ensuring that updates will continue to be
accepted and distributed to slaves if the master fails. The documentation
doesn't address it, and none of the many conversations I found through Google
had good answers. I have no idea how large DNS installations are built on this
software.

~~~
swiley
BIND can have multiple master servers. I don’t understand why it wouldn’t
continue answering queries when the master is down either, you only need the
master to answer IXFR/AXFR. Maybe your SOA has some really short times in it?
I’m not great with BIND but I’ve been doing a lot with it lately (using it to
feed large DNS servers) so you’re welcome to email me if you want help.

------
PatrolX
Cybersecurity and Infrastructure Security Agency

Report (PDF) :

[https://cyber.dhs.gov/assets/report/ed-20-03.pdf](https://cyber.dhs.gov/assets/report/ed-20-03.pdf)

------
Neil44
Even if your Windows DNS is not exposed to the internet, it means that anyone
getting a device on your WAN can get Windows domain admin.

