Hotfix MS16-071 breaks DNS on Windows 2012R2 DNS Server

  • Question

  • We use DNS DNAME records to force safe searches in Google & Bing. See picture below

    After applying Security Update MS16-071 on the DC, all DNS requests for www.google.com fail

    If I remove the MS16-071 Hotfix, everything works again!!!

    Has anyone else seen this and if someone from Microsoft is looking, can you get this fixed.

    Steve (Not a happy punter)


    • Edited by SteveT13 Tuesday, June 21, 2016 2:01 PM
    Tuesday, June 21, 2016 1:59 PM

Answers

  • As per RFC 6672 this is the expected behavior when a QNAME matches the owner DNAME.

    QNAME            owner DNAME    target         result
    ---------------- -------------- -------------- -----------------
    com.             example.com.   example.net.   <no match>
    example.com.     example.com.   example.net.   [0]

    [0] The result depends on the QTYPE. If the QTYPE = DNAME, then the result is "example.com.", else "<no match>".

    In your case you have

    www.google.com DNAME forcesafesearch.google.com

    and when a query comes for www.google.com (QNAME), since it matches the owner DNAME (www.google.com), DNAME substitution is not done.
    This change was taken recently in Windows DNS Server.

    Wednesday, June 22, 2016 8:30 PM
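The rule in that answer, as an added example that is not from the thread: a small Python implementation of RFC 6672 DNAME substitution, run against the record from the question. The function name and its (result, reason) return shape are this example's own; the names and QTYPEs come from the thread.

```python
# Added example (not from the TechNet thread): RFC 6672 DNAME substitution,
# showing why a QNAME equal to the DNAME owner is never rewritten.
# Function name and (result, reason) return shape are this example's own.

def _labels(name):
    """Split an FQDN into lowercase labels, ignoring the trailing dot."""
    return [l for l in name.lower().rstrip(".").split(".") if l]


def dname_substitute(qname, qtype, owner, target):
    """Apply one DNAME record (owner -> target) to a query.

    Returns (result, reason). result is the rewritten name, the DNAME
    owner itself (only when QTYPE is DNAME), or None for <no match>.
    """
    q, o, t = _labels(qname), _labels(owner), _labels(target)

    if q == o:
        # QNAME is exactly the owner: RFC 6672 does NOT substitute here.
        # The only thing such a query can return is the DNAME RR itself.
        if qtype.upper() == "DNAME":
            return owner, "QNAME equals owner; DNAME RR itself is the answer"
        return None, "QNAME equals owner; no substitution for QTYPE " + qtype.upper()

    if len(q) > len(o) and q[len(q) - len(o):] == o:
        # QNAME is strictly below the owner: replace the owner suffix.
        rewritten = q[:len(q) - len(o)] + t
        return ".".join(rewritten) + ".", "substituted"

    return None, "QNAME is not under the DNAME owner"


# The record from the question, and the queries the thread is about.
OWNER = "www.google.com."
TARGET = "forcesafesearch.google.com."

def thread_cases():
    """Outcomes for the queries discussed in the thread (constructed input)."""
    return {
        # What the client actually asks for: fails after the hotfix, per spec.
        "www.google.com. A": dname_substitute("www.google.com.", "A", OWNER, TARGET),
        # A name below the owner is still redirected.
        "foo.www.google.com. A": dname_substitute("foo.www.google.com.", "A", OWNER, TARGET),
        # Sibling names under google.com are untouched by this DNAME.
        "drive.google.com. A": dname_substitute("drive.google.com.", "A", OWNER, TARGET),
    }


if __name__ == "__main__":
    for query, (result, reason) in thread_cases().items():
        print(f"{query:24} -> {result or '<no match>'}  ({reason})")
```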

All replies

  • Hi,

    >>After applying Security Update MS16-071 on the DC, all DNS requests for www.google.com fail

    Considering it is a fresh update, there is a workaround: you could create a new zone named 'google.com', add an A record for forcesafesearch.google.com, then add a CNAME record named www pointing to forcesafesearch.google.com.

    ________________________________________
    Best Regards,
    Cartman
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Wednesday, June 22, 2016 5:08 AM
  • Hi Cartman,

    I'm afraid the solution you proposed has major flaws. If I create a new zone as you suggest, all other DNS queries to google.com fail (i.e. NS1.google.com). Please see the following pictures

    What I have done is create a pinpoint DNS entry for www.google.com and added a host entry IP address matching the IP address of forcesafesearch.google.com. See below:

    I DO NOT consider this a permanent solution, as I have now HARD CODED the IP address. If google/bing change their IP address of their safe searching sites, this method will break. It just adds to the admin overhead.

    If you work for Microsoft, please can you feed this issue back to the code developers and ask them to fix the initial issue I described.

    Cheers, Steve

    Wednesday, June 22, 2016 7:43 AM
  • Hi,

    >>If you work for Microsoft, please can you feed this issue back to the code developers and ask them to fix the initial issue I described

    You could feedback on the bottom of the link:

    https://support.microsoft.com/en-us/kb/3164065

    ________________________________________
    Best Regards,
    Cartman

    Wednesday, June 22, 2016 8:20 AM
  • I'll +1 this.  I manage the network for a K-12 school district and use DNAME records to enforce Google safe search on all devices connected to our network, including BYOD.  Worked beautifully until this hotfix.

    - Mike

    Tuesday, July 12, 2016 6:30 PM
  • I too have the same issue and same need. I manage K-12, and the DNAME is critical for Google Safe Search and for redirecting Youtube traffic to Restricted mode for BYOD devices.

    I've had to resort to A records in the meantime, since removing the Hotfix both doesn't appear to work and isn't a great idea in general. 

    If anyone comes up with a way to get DNAMEs working again that would be great. 

    -Charles


    Monday, August 22, 2016 10:48 PM
  • When you make this A record change what about google sub domains? drive.google.com, sites.google.com and others? Did you create separate pointers for them as well?
    Monday, December 18, 2017 5:01 AM