Survey: One DNS server in 10 is 'trivially vulnerable'
More than a million at potential risk
November 10, 2008 12:00 PM ETIDG News Service - More than 10% of the Internet's DNS servers are still vulnerable to cache-poisoning attacks, according to a worldwide survey of public-facing Internet nameservers.
That's despite it being several months since the vulnerabilities were disclosed and fixes made available, said DNS expert Cricket Liu, whose company, Infoblox, commissioned the annual survey.
"We estimate there's 11.9 million nameservers out there, and over 40% allow open recursion, so they accept queries from anyone. Of those, a quarter are not patched. So there's 1.3 million nameservers that are trivially vulnerable," said Liu, who is Infoblox's vice president of architecture.
Other DNS servers may well allow recursion, but are not open to everyone, so they were not picked up by the survey, he said.
Liu said the cache-poisoning vulnerability, which is often named after Dan Kaminsky, the security researcher who published details of it in July, is genuine: "Kaminsky was exploited within days of being made public," he said.
Modules targeting the vulnerability have been added to the hacking and penetration testing tool Metasploit, for instance. Ironically, one of the first DNS servers compromised by a cache-poisoning attack was one used by Metasploit's author, HD Moore.
For now, the antidote to the cache-poisoning flaw is port randomization. By sending DNS queries from varying source ports, this makes it harder for an attacker to guess which port to send poisoned data to.
However, this is only a partial fix, Liu warned. "Port randomization mitigates the problem, but it doesn't make an attack impossible," he said. "It is really just a stopgap on the way to cryptographic checking, which is what the DNSSEC security extensions do.
"DNSSEC is going to take a whole lot longer to implement, though, as there's a lot of infrastructure involved -- key management, zone signing, public key signing and so on. We thought we might see a noticeable uptake in DNSSEC adoption this year, but we saw only 45 DNSSEC records out of a million sample. Last year we saw 44."
Liu said that the survey also turned up several items of good news. For instance, support for SPF -- the sender policy framework, which combats e-mail spoofing -- has risen over the last 12 months from 12.6% of the zones sampled to 16.7%.
In addition, the number of insecure Microsoft DNS Server systems connected to the Internet has dropped from 2.7% of the total to 0.17%. Liu noted that these systems could well still be in use inside organizations, but said the important thing is that "people are shying away from connecting them to the Internet."
Looking forward, Liu said that only organizations with a specific need for open recursive DNS servers -- and the technical ability to keep them from being flooded -- should run them.
"I would love to see the percentage of open recursive servers go down, because even if they're patched they make great amplifiers for denial-of-service attacks," he said. "We can't get rid of recursive servers, but you don't have to allow just anyone to use them."
Reprinted with permission from
Story copyright 2009 International Data Group. All rights reserved.
Cache-poisoning attacks
Additional Resources



White Papers & Webcasts
Death to PST Files
Download Now
Business Process Framework Demo
Learn about Configurable Business Processes and Calculated Fields. Watch Now!
A Green Architectural Strategy That Puts IT in the Black
Levergage green computing across your data center. Read more now.
Manager Experience Demo
Go beyond self-service solutions to perform more effectively. Watch Now.
Quantifying the Business Value of VMware View
Learn why you should invest in a centralized virtual desktop.
WAN Optimization as a Managed Service: More than Network Cost Savings
View this Webcast Now!
Forrester Consulting Mobility Study: Taking Control of Enterprise Mobile Device Diversity
Download Now
Asia-Pacific Enterprise Network Solutions
Learn through this Webcast how your business can achieve reliability, performance and value in hard-to-reach locations within the Asia-Pacific region.
What IT Must Do to Support Employee-Owned BlackBerry, iPhone and Android Mobile Devices
Download Now
Mainsoft Webcast w/ Forrester Research: Drive SharePoint Adoption in Lotus Notes Shops
How can you drive mainstream user adoption of Microsoft SharePoint when your users rely on Lotus Notes?
Computerworld Reports
Disaster Recovery & Cost Savings Zone
Thousands of customers world-wide have turned to virtualization solutions from Riverbed as a way to reduce costs.

