Microsoft Corporation Information for VU#109475

Microsoft Windows NT and 2000 Domain Name Servers allow non-authoritative RRs to be cached by default

Status

Affected

Vendor Statement

Like [CERT] noted, this issue is addressed by a configuration change in
the registry, as noted at:

http://support.microsoft.com/support/kb/articles/Q241/3/52.ASP

That configuration change addresses the issue that this [note] is
reporting.


Currently, this is configuration setting is set to disabled by
default, based on the performance penalties this introduces.
However, we are making performance improvements and we are planning
to change this default so that this is enabled by default starting
with Service Pack 3 and with Windows .Net Server.

We believe that this is a configuration issue rather than a
vulnerability.  The means to change this behavior is publicly
documented and has been available via the KB article. Because there
is a performance penalty with this change currently, customers have
to make an informed risk assessment of the benefits of enabling this
feature and the drawbacks.  We're working to improve the performance
to a point where we feel comfortable making this enabled by default.
However, this change is a change in configuration settings and not a
change in the product itself.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Vendor References

None

Addendum

Please see additional information at:
http://www.microsoft.com/WINDOWS2000/en/server/help/sag_DNS_pro_SecureCachePollutedNames.htm
http://msdn.microsoft.com/library/en-us/regentry/46753.asp

If you have feedback, comments, or additional information about this vulnerability, please send us email.