On July 14, 2020, Microsoft released a security update for the issue described in CVE-2020-1350 | Windows DNS Server Remote Code Execution Vulnerability. This advisory describes a Critical Remote Code Execution (RCE) vulnerability that affects Windows servers that are configured to run the DNS Server role. We strongly recommend that server administrators apply the security update at their earliest convenience.
Is OpenDNS vulnerable to CVE-2020-1350?
Only the Windows DNS Server application is vulnerable to CVE-2020-1350, because exploitation relies on specific flaws in that application. The OpenDNS resolvers use a custom-built DNS resolver that properly handles SIG responses. As such, the OpenDNS resolvers are not themselves vulnerable to CVE-2020-1350.
You can read more about OpenDNS' response to CVE-2020-1350 on our blog:
https://umbrella.cisco.com/blog/cisco-umbrella-protects-against-sigred-cve-2020-1350
Can OpenDNS be used to mitigate CVE-2020-1350?
OpenDNS resolvers will return a REFUSED response for any query with a query type of SIG. Additionally, the OpenDNS resolvers do not support records defined in RFC 2065 as security records and thus would not automatically include SIG records in a response for validation purposes. This is distinct from our support for DNSSEC as defined in RFCs 4033, 4034, 4035, and others, which OpenDNS continues to support.
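To confirm that the resolver your network actually uses shows the REFUSED behaviour described above, the following added example (not OpenDNS code) builds a SIG query and checks the reply header. The function names, the resolver_ip parameter, the example.com query name and the sample reply are assumptions constructed for illustration.

```python
import socket
import struct

QTYPE_SIG = 24      # SIG record type number (first defined in RFC 2065)
RCODE_REFUSED = 5   # RCODE 5 = REFUSED (RFC 1035)

def build_query(name, qtype, txid=0x1350):
    """Encode a one-question DNS query (class IN, recursion desired)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in name.split(".") if p)
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_reply(msg):
    """Return (txid, is_response, rcode, answer_count) from the DNS header."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return txid, bool(flags & 0x8000), flags & 0x000F, an

def refuses_sig(query, reply):
    """True if reply answers this query with REFUSED and no answer records."""
    txid, is_resp, rcode, an = parse_reply(reply)
    q_txid = struct.unpack("!H", query[:2])[0]
    return is_resp and txid == q_txid and rcode == RCODE_REFUSED and an == 0

def check_resolver(resolver_ip, name="example.com", timeout=3.0):
    """Send one SIG query over UDP to resolver_ip and test the reply."""
    query = build_query(name, QTYPE_SIG)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (resolver_ip, 53))
        reply, _ = s.recvfrom(4096)
    return refuses_sig(query, reply)

def constructed_refused_reply(query):
    """Constructed sample: the reply a refusing resolver would send."""
    flags = struct.pack("!H", 0x8000 | 0x0100 | 0x0080 | RCODE_REFUSED)
    return query[:2] + flags + struct.pack("!HHHH", 1, 0, 0, 0) + query[12:]

if __name__ == "__main__":
    q = build_query("example.com", QTYPE_SIG)
    # Offline check against the constructed reply; use check_resolver(ip)
    # with your own resolver's address for a live test.
    print("REFUSED for SIG:", refuses_sig(q, constructed_refused_reply(q)))
```

A resolver that answers with anything other than REFUSED makes check_resolver return False, which indicates SIG queries are not being filtered at that hop.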
Additionally, Cisco Talos has released rules for Snort to match attacks targeting this vulnerability, which can be found here:
https://blog.snort.org/2020/07/snort-rule-update-for-july-14-2020.html
The OpenDNS team is actively monitoring for exploitation of this new vulnerability and will block any domains discovered. If you discover a domain attempting to abuse this technique, please let us know by contacting our Support team at https://support.opendns.com or via email at <support@opendns.com>.