November 20, 2007
Most DNS servers remain vulnerable to exploit
A study into the current state of domain name server (DNS) security finds that while the sheer number of systems connecting to the Internet continues to grow quickly, most administrators are still failing to protect their assets.
According to the third annual survey -- based on wide sample testing carried out by network security appliance vendor Infoblox and the Measurement Factory -- the sheer volume of DNS servers connected to the Net increased to 11.5 million systems, up from 9 million in 2006.
And while a good number of them, some 65 percent of the 80 million or so DNS servers tested, have already been updated to BIND 9, the latest version of the popular domain name system software, over 50 percent of the servers were configured to allow recursive queries, a common method for carrying out spam-feeding pharming attacks.
In addition, even though a far greater number of the DNS servers that were tested are running BIND 9 -- which Infoblox experts cited as a significant benefit to overall security, based on the new platform's architectural and security improvements -- less than one percent of the systems that were studied supported DNSSEC (DNS Security Extensions), one of the biggest security features touted in the BIND 9 update.
In another worrisome finding, the study reports that the number of DNS servers it surveyed that still allow zone transfers to arbitrary requestors increased, rising to 31 percent in 2007, up from 29 percent one year ago.
As Infoblox explains in the report, "allowing zone transfers to arbitrary queries enables duplication of an entire segment of an organization's DNS data from one DNS server to another and can leave them as easy targets for denial-of-service attacks."
So, even if a lot more people are using BIND 9, they're failing to use some of the most powerful methods for putting an end to DNS cache poisoning and a number of other popular attack vectors.
"It's certainly a mixed bag, but we've made some important progress. I thought that it would have been harder to get so many people to move to BIND 9 than it might be to do some other work, because it's an involved process," said Cricket Liu, vice president of architecture at Infoblox.
Liu said that many of the recursive query and zone transfer issues could be addressed far more easily than it might have been for admins to make the move to BIND 9.
"The fact that so many domain servers are allowing recursive queries says to me that people still just don't understand the risks," he said. "But overall, it's mostly encouraging because some of the things that need to be done are not hard to do, they simply require some reconfiguration, not a wholesale upgrade."
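The two reconfiguration items Liu refers to can be checked mechanically. As an added example (not from the article or from Infoblox), the Python below audits a BIND 9 `named.conf` fragment for open recursion and unrestricted zone transfers; the configuration text, ACL names and addresses are constructed for the demonstration.

```python
import re
from typing import Dict, List, Optional

# Constructed named.conf fragments (not from the article). The first shows the
# two weaknesses the survey counts; the second is the restricted version.
OPEN_CONF = """
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { any; };
    allow-transfer { any; };
};
"""

HARDENED_CONF = """
acl internal { 192.0.2.0/24; 127.0.0.1; };
acl secondaries { 198.51.100.7; };
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { internal; };
    allow-transfer { secondaries; };
};
"""

def address_match_list(conf: str, option: str) -> Optional[List[str]]:
    """Return the entries of `option { ...; };`, or None if the option is absent."""
    m = re.search(rf"\b{option}\s*\{{([^}}]*)\}}\s*;", conf)
    if m is None:
        return None
    return [e.strip().strip('"') for e in m.group(1).split(";") if e.strip()]

def audit(conf: str) -> Dict[str, str]:
    """Flag open recursion and unrestricted zone transfers in a named.conf."""
    findings: Dict[str, str] = {}
    recursive = re.search(r"\brecursion\s+yes\s*;", conf) is not None
    recursion_acl = address_match_list(conf, "allow-recursion")
    if recursive and (recursion_acl is None or "any" in recursion_acl):
        findings["allow-recursion"] = "open resolver: recursion not limited to trusted clients"
    transfer_acl = address_match_list(conf, "allow-transfer")
    # BIND 9 permits transfers to anyone when allow-transfer is omitted.
    if transfer_acl is None or "any" in transfer_acl:
        findings["allow-transfer"] = "zone transfer allowed to arbitrary requestors"
    return findings

if __name__ == "__main__":
    for label, conf in (("open", OPEN_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf) or "no findings")
```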
Unfortunately, the expert believes that, much as with other vulnerabilities, the remaining DNS server security issues won't be addressed by many organizations until there is another major attack that takes advantage of the weakness.
In other findings, the report said that use of Microsoft's DNS Server software fell by nearly 50 percent, and now accounts for only 2.7 percent of the servers tested in the survey. Liu attributed that trend to major concerns over security holes known to exist in the software that have previously been assailed by attackers.
In one piece of news that does improve the outlook for slowing spammers, the primary beneficiaries of vulnerable DNS servers, the report said that use of the Sender Policy Framework (SPF) e-mail authentication standard increased to 12.6 percent in 2007 compared to only 5 percent last year.
The key issue in getting an effort like SPF to succeed is attracting a large base of end users, Liu observed.
"One year ago you only had a one-in-twenty chance of being able to check the information for a domain name using SPF, and now it is one-in-eight; that certainly bodes well for SPF's success," he said. "It's key to build a critical mass."
Posted by Matt Hines on November 20, 2007 12:59 PM