(Updated) Guidance for DNS security hardening changes in CVE-2024-37968

Message Center ID: MC860722
Windows
preventOrFixIssue
Admin impact
August 2024

Summary

Before the installation of Windows updates released on August 13, 2024, Windows Domain Name System (DNS) servers implicitly trusted glue records: the name server (NS) IP addresses supplied by a parent zone were used for recursion and to answer queries without first being validated. This default behavior changes once you install the updates released on or after August 13, 2024.

Details

Before the installation of Windows updates released on August 13, 2024, Windows Domain Name System (DNS) servers implicitly trusted glue records: the A/AAAA records that a parent zone returns alongside a delegation to supply the IP addresses of the child zone's name servers (NS). Those addresses were used for recursion and to answer queries without first being validated against the data served by the child zone's authoritative name servers. This default behavior changes once you install the updates released on or after August 13, 2024.

When will this happen: 
Windows updates released on or after August 13, 2024 contain hardening protections for CVE-2024-37968 | Windows DNS Spoofing Vulnerability. With these protections in place, the DNS server validates glue records returned by a parent domain before it uses them for the first time.
 
What you need to do to prepare: 
We recommend taking the following actions:
  • Install the Windows update released on or after August 13, 2024.
  • Make sure glue records registered on a parent domain are valid and match the data that is provided by the authoritative name servers.
  • Remove or update stale glue records (outdated, inactive, or invalid IP addresses) to prevent DNS client queries from returning unexpected results.
  • Perform these validation actions for all domains in your environment. We recommend prioritizing validation of the external domains first and then the internal domains in your organization.
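The glue validation described in the steps above can be scripted so it is repeatable across every zone you are responsible for. The PowerShell below is an added example and is not code from the Microsoft advisory: it queries one of the parent zone's authoritative servers for the delegation with recursion disabled, takes the NS names and glue addresses from the referral, asks each child name server (through its own glue address) which addresses it really holds for its name, and flags glue that is missing, stale (no server answers at the glued address) or mismatched. The parameters $ChildZone and $ParentServer, the helper Get-AuthoritativeAddresses and the status wording are assumptions of this example; Resolve-DnsName is the built-in DnsClient cmdlet (Windows 8 / Windows Server 2012 and later).

```powershell
<#
 Added example, not part of the Microsoft advisory (MC860722).
 Compares the glue a parent zone publishes for a delegation with what the child
 zone's own name servers answer for their names.
 Assumptions: $ChildZone and $ParentServer are supplied by the operator (placeholders),
 Resolve-DnsName is available, and this host can reach the parent's and the child's
 authoritative servers on port 53.
#>
param(
    [Parameter(Mandatory)] [string] $ChildZone,     # e.g. 'corp.example.com' (placeholder)
    [Parameter(Mandatory)] [string] $ParentServer   # an authoritative server for the parent zone
)

# Ask the parent's authoritative server for the delegation with recursion disabled.
# A referral carries the child's NS records in the Authority section and glue
# (A/AAAA for in-zone name servers) in the Additional section.
$referral = Resolve-DnsName -Name $ChildZone -Type NS -Server $ParentServer `
                            -DnsOnly -NoRecursion -ErrorAction Stop

$nsNames = @($referral | Where-Object { $_.Type -eq 'NS' } |
             Select-Object -ExpandProperty NameHost -Unique)
$glue    = @($referral | Where-Object { $_.Section -eq 'Additional' -and $_.Type -in 'A','AAAA' })

if ($nsNames.Count -eq 0) { throw "No NS records for $ChildZone in the referral from $ParentServer" }

# Ask a single server, recursion disabled, which A and AAAA records it holds for a name.
# Only Answer-section records count; a SOA in the Authority section (NODATA) is ignored.
function Get-AuthoritativeAddresses([string] $Name, [string] $Server) {
    $found = foreach ($t in 'A', 'AAAA') {
        Resolve-DnsName -Name $Name -Type $t -Server $Server -DnsOnly -NoRecursion `
                        -ErrorAction SilentlyContinue |
            Where-Object { $_.Section -eq 'Answer' -and $_.Type -eq $t } |
            ForEach-Object { [string] $_.IPAddress }
    }
    return @($found)
}

$zoneSuffix = '.' + $ChildZone.TrimEnd('.').ToLower()

$results = foreach ($ns in $nsNames) {
    # Glue is only expected for name servers inside the delegated zone itself.
    $inBailiwick = $ns.TrimEnd('.').ToLower().EndsWith($zoneSuffix)
    $glueAddrs   = @($glue | Where-Object { $_.Name -eq $ns } |
                     ForEach-Object { [string] $_.IPAddress } | Sort-Object -Unique)

    # Reach each name server through its glue address, so a glue address that points
    # at a dead or unrelated host shows up as "no authoritative answer".
    $authAddrs = @()
    foreach ($addr in $glueAddrs) {
        $authAddrs += Get-AuthoritativeAddresses -Name $ns -Server $addr
    }
    $authAddrs = @($authAddrs | Sort-Object -Unique)

    $status = if (-not $inBailiwick -and $glueAddrs.Count -eq 0) {
        'OK (out-of-zone NS, no glue expected)'
    } elseif ($glueAddrs.Count -eq 0) {
        'MISSING: in-zone NS has no glue at the parent'
    } elseif ($authAddrs.Count -eq 0) {
        'STALE: no glue address answered authoritatively for its own name'
    } elseif (@(Compare-Object $glueAddrs $authAddrs).Count -eq 0) {
        'OK'
    } else {
        'MISMATCH: glue differs from the authoritative A/AAAA data'
    }

    [pscustomobject]@{
        NameServer    = $ns
        Glue          = ($glueAddrs -join ', ')
        Authoritative = ($authAddrs -join ', ')
        Status        = $status
    }
}

$results | Format-Table -AutoSize
```

Run it once per delegated zone, for example as `.\Check-Glue.ps1 -ChildZone corp.example.com -ParentServer ns1.example.com` (hypothetical names). For an external domain the parent is the TLD, so pick one of the servers returned by `Resolve-DnsName -Name com -Type NS` as the parent server; for internal delegations use a server authoritative for the parent zone in your Windows DNS hierarchy. Any line reported as MISSING, STALE or MISMATCH is a record to fix at the parent before the August 13, 2024 update is rolled out, since after the update the DNS server will no longer use a glue record it cannot validate.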

Additional information: 
The DNS Server Security hardening changes to address CVE-2024-37968 affect the following Windows versions:
  • Windows Server, version 23H2
  • Windows Server 2022
  • Windows Server 2019
  • Windows Server 2016
  • Windows Server 2012 R2
  • Windows Server 2012
  • Windows Server 2008 R2 Service Pack 1
  • Windows Server 2008 SP2

Change History

No change history available
