Microsoft — CVE-2020-1350
This update resolves a flaw in all versions of Windows DNS Server that would allow an attacker to gain Local System or Domain Admin privileges. The vulnerability is also wormable, so make sure you patch all your Windows DNS Servers. Keep in mind that in most environments 99% of the Domain Controllers also run the DNS role, so it is imperative that you patch your systems ASAP!
In addition, the PoC published by Check Point can successfully gain Domain Admin rights when a user visits a website with embedded malicious code using Internet Explorer. The same tests did not work in either Firefox or Google Chrome, as they prohibit DNS requests in this fashion.
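@echo off
rem Limit the largest inbound TCP-based DNS response packet the server accepts to 0xFF00 bytes
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters" /v "TcpReceivePacketSize" /t REG_DWORD /d 0xFF00 /f
rem Restart the DNS service so the new value takes effect
net stop DNS && net start DNS
exit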
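To confirm the registry value above actually landed on every DNS server, the following audit function can be run from an admin workstation. It is an added example, not part of the original post or of Microsoft's guidance; the function name Test-DnsTcpReceiveLimit and the server names in the usage comment are hypothetical, and it assumes PowerShell remoting is enabled on the targets.

```powershell
function Test-DnsTcpReceiveLimit {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string[]]$ComputerName,
        # The value the batch script on this page writes
        [int]$Expected = 0xFF00
    )

    # Runs on each remote server: reads the value and the DNS service state
    $check = {
        param($Expected)
        $path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
        $prop  = Get-ItemProperty -Path $path -Name 'TcpReceivePacketSize' -ErrorAction SilentlyContinue
        $svc   = Get-Service -Name 'DNS' -ErrorAction SilentlyContinue
        $proc  = Get-Process -Name 'dns' -ErrorAction SilentlyContinue | Select-Object -First 1
        $value = if ($prop) { $prop.TcpReceivePacketSize } else { $null }

        [pscustomobject]@{
            Server       = $env:COMPUTERNAME
            DnsService   = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
            # Compare against your deployment time: the value only takes
            # effect after the DNS service has been restarted.
            DnsStartTime = if ($proc) { $proc.StartTime } else { $null }
            ValueHex     = if ($null -ne $value) { '0x{0:X}' -f $value } else { 'NotSet' }
            LimitApplied = ($null -ne $value) -and ($value -eq $Expected)
        }
    }

    foreach ($name in $ComputerName) {
        try {
            Invoke-Command -ComputerName $name -ScriptBlock $check `
                -ArgumentList $Expected -ErrorAction Stop |
                Select-Object Server, DnsService, DnsStartTime, ValueHex, LimitApplied
        } catch {
            # Unreachable hosts are reported, not silently skipped
            [pscustomobject]@{
                Server = $name; DnsService = 'Unreachable'; DnsStartTime = $null
                ValueHex = 'Unknown'; LimitApplied = $false
            }
        }
    }
}

# Usage (constructed server names):
# Test-DnsTcpReceiveLimit -ComputerName 'dc01','dc02' | Where-Object { -not $_.LimitApplied }
```

A server that shows LimitApplied as True but a DnsStartTime earlier than the registry change is still running with the old setting until the service is restarted.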