Last week, Microsoft announced a new vulnerability in RPC on Windows DNS server which may allow remote code execution. For further details, please see related Microsoft Security Advisory 935964. This security flaw affects DNS server service in Microsoft Windows 2000 Server Service Pack 4, Windows 2003 Server Service Pack 1, and Windows 2003 Server Service Pack 2. More discussion on the topic can be found from Diary Archive at SANS Internet Storm Centre:

• “More info on the Windows DNS RPC interface vulnerability” by Kyle Haugsness
• “Microsoft Vulnerability in RPC on Windows DNS Server” by Scott Fendley
• “Update on Microsoft DNS vulnerability” by Maarten Van Horenbeeck

Generally speaking, one of the underlying problems behind vulnerabilities such as this is the fact that many organizations operate their DNS service on a server that offers a number of other network services in addition to DNS. This is rather problematic because the approach doesn’t allow the servers to be hardened for a specific task (e.g. DNS) which makes them vulnerable to a larger number of security flaws.

This is one of the primary reasons why Nixu Software as well as the SANS Institute recommends that public DNS service should be run on dedicated, hardened servers that are purpose-built for DNS. While this deployment strategy may have been cost-prohibitive previously due to the larger number of physical servers that were required for the deployment, virtualization technologies now allow pretty much all organizations to set up dedicated virtual machines that can be used to run e.g. the DNS service.

If you would like to try out virtualized DNS in your organization, please download Nixu Secure Name Server (SNS) for free evaluation today. The ISO image that you download contains the entire software stack from O/S (hardened CentOS) to application. As you boot up a clean virtual machine with our ISO image, the package auto-installs a secure, dedicated DNS server in just 10 minutes. At $495 (US) per server per year, installing secure DNS servers has never been this easy or cost-efficient.