Microsoft recently reported a nasty RPC related DNS exploit that can disable or allow complete control of computers that have Microsoft DNS services running on them. You can see a detailed description of the problem in George Ou‘s blog at http://blogs.zdnet.com/Ou/?p=472
My first thought about the problem was that its not really a problem for well designed networks that use perimeterization and least privilege. For example, your DNS advertisers should be located in an anonymous access DMZ where only RDP access would be allowed from a management station on the corpnet and only inbound DNS would be allowed from the Internet. In this scenario, the DNS advertisers are completely protected from this exploit and there’s really nothing you need to do.
I automatically applied this type of thinking to internal network perimeter segments, that is to say, internal network services segments, which are protected from the corpnet and therefore shouldn’t be exposed to the nastiness installed on users’ computers. However, after discussing this situation with George Ou last week, it came to mind that if Active Directory integrated DNS is enabled on the corpnet (as it should be), then even if you have your domain controllers on a network services segment, you still might not be protected.
The reason for this is that you need to enable RPC access from user computers to domain controllers, as it’s one of the requirements for log on to have access to the RPC endpoint mapper. Since we can’t block this communication through the perimeter ISA Firewall, the domain controller with AD integrated DNS is at great risk. Therefore, you’ll need to carry out the fixes mentioned in George’s article.
I do think that we could use the ISA Firewall to protect our AD integrated DNS servers from this exploit, but we would need to know the specific UUIDs required by the exploit, and this isn’t something that MS or anyone else is able to share with us at this time. Actually, if we knew the AD related UUIDs, we could limit log on traffic to that, but we don’t know those either, so once again, we don’t have enough information to put the ISA Firewall to full use in protecting us from this exploit.
Bottom line: if you have AD integrated DNS servers, apply the fixes noted by George Ou. If you have isolated DNS advertisers and resolvers, use least privilege and don’t worry about it.