Severe/Critical vulnerability in Windows DNS. Severe enough that DHS CISA is classifying it a level 10 (out of 10). A quick workaround is mentioned in the Microsoft link below:
To work around this vulnerability, make the following registry change to restrict the size of the largest inbound TCP-based DNS response packet that’s allowed:
Value data: 0xFF00
- The default (also maximum) Value data = 0xFFFF.
- The recommended Value data = 0xFF00 (255 bytes less than the maximum).
- You must restart the DNS Service for the registry change to take effect. To do this, run the following command at an elevated command prompt:
net stop dns && net start dns
After the workaround is implemented, a Windows DNS server will be unable to resolve DNS names for its clients if the DNS response from the upstream server is larger than 65,280 bytes.