What can be done to minimize exposure to the current Windows DNS server exploit while we wait for an effective patch?
Those running the Windows DNS Server service should check whether the service is configured to accept Remote Procedure Call requests and disable them if possible. The SANS Institute Internet Storm Center reports that new variants of the Rinbot worm are actively scanning RPC/DNS port 1025 to identify targets on which to attempt a Windows DnsservQuery call that exploits the DNS RPC vulnerability. Microsoft recommends disabling remote management over RPC for the DNS server by modifying the registry, blocking unsolicited inbound traffic on ports 1024-5000 with a firewall, and enabling the advanced TCP/IP filtering options on outward-facing interfaces.

I used this opportunity to replace the Microsoft DNS server with the latest version of the Berkeley Internet Name Domain, BIND 9.4 from the Internet Software Consortium. Windows is officially supported in the latest releases of BIND, and there are compiled binary distributions available for download. BIND supports all the record types required by Windows and provides better dynamic DNS handling, which results in fewer unnecessary DNS lookups and slightly better overall network performance.

If you can't disable or block the RPC/DNS ports, restarting the Windows DNS Server service regularly may provide some relief while waiting for the next Microsoft patch.
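One way to check from the firewall log whether the recommended block on inbound ports 1024-5000 is actually in effect, and to spot hosts probing port 1025 the way the worm does, as an added example that is not part of the original column. It assumes the Windows Firewall pfirewall.log field order (date time action protocol src-ip dst-ip src-port dst-port ...) and that OPEN/ALLOW mean permitted while DROP means blocked; the sample lines and the server address 192.0.2.53 are constructed.

```python
from collections import Counter

RPC_PORTS = range(1024, 5001)  # inbound range the column says to block at the firewall

# Constructed sample lines in pfirewall.log layout (assumed field order, not real traffic);
# 192.0.2.53 plays the DNS server.
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags
2007-04-16 10:01:02 DROP TCP 198.51.100.7 192.0.2.53 3321 1025 48 S
2007-04-16 10:01:03 DROP TCP 198.51.100.7 192.0.2.53 3322 1025 48 S
2007-04-16 10:01:04 DROP TCP 198.51.100.7 192.0.2.53 3323 1025 48 S
2007-04-16 10:02:10 OPEN TCP 203.0.113.9 192.0.2.53 40001 1025 48 S
2007-04-16 10:03:00 OPEN UDP 198.51.100.20 192.0.2.53 51515 53 70 -
2007-04-16 10:04:00 DROP TCP 198.51.100.8 192.0.2.53 3400 4444 48 S
"""


def audit_firewall_log(log_text, dns_server_ip, scan_threshold=3):
    """Return sources that look like RPC-range scanners and any inbound RPC-range
    connections the firewall permitted (meaning the recommended block is not in place)."""
    hits = Counter()   # source IP -> blocked TCP probes into 1024-5000 on the DNS host
    unblocked = []     # (source IP, destination port) permitted into 1024-5000
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue   # header and comment lines carry no events
        fields = line.split()
        if len(fields) < 8:
            continue   # truncated line; nothing to classify
        action, proto, src, dst, dst_port = fields[2], fields[3], fields[4], fields[5], fields[7]
        if dst != dns_server_ip or proto != "TCP" or int(dst_port) not in RPC_PORTS:
            continue   # only inbound TCP into the DNS host's RPC range matters here
        if action == "DROP":
            hits[src] += 1
        elif action in ("OPEN", "ALLOW"):
            unblocked.append((src, int(dst_port)))
    scanners = {src for src, n in hits.items() if n >= scan_threshold}
    return {"rpc_hits": hits, "scanners": scanners, "unblocked": unblocked}


if __name__ == "__main__":
    result = audit_firewall_log(SAMPLE_LOG, "192.0.2.53")
    print("probable scanners:", sorted(result["scanners"]))
    print("RPC-range connections the firewall allowed:", result["unblocked"])
```

Any entry in the unblocked list means the port 1024-5000 block is not effective for that path, regardless of whether the registry change has been made.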
Read more about security in Network World's Security section.