Survey: One DNS server in 10 is 'trivially vulnerable'

IDG News Service - More than 10% of the Internet's DNS servers are still vulnerable to cache-poisoning attacks, according to a worldwide survey of public-facing Internet nameservers.

That's despite it being several months since the vulnerabilities were disclosed and fixes made available, said DNS expert Cricket Liu, whose company, Infoblox, commissioned the annual survey.

"We estimate there's 11.9 million nameservers out there, and over 40% allow open recursion, so they accept queries from anyone. Of those, a quarter are not patched. So there's 1.3 million nameservers that are trivially vulnerable," said Liu, who is Infoblox's vice president of architecture.

Other DNS servers may well allow recursion, but are not open to everyone, so they were not picked up by the survey, he said.

Liu said the cache-poisoning vulnerability, which is often named after Dan Kaminsky, the security researcher who published details of it in July, is genuine: "Kaminsky was exploited within days of being made public," he said.

Modules targeting the vulnerability have been added to the hacking and penetration testing tool Metasploit, for instance. Ironically, one of the first DNS servers compromised by a cache-poisoning attack was one used by Metasploit's author, HD Moore.

For now, the antidote to the cache-poisoning flaw is port randomization. By sending DNS queries from varying source ports, this makes it harder for an attacker to guess which port to send poisoned data to.

However, this is only a partial fix, Liu warned. "Port randomization mitigates the problem, but it doesn't make an attack impossible," he said. "It is really just a stopgap on the way to cryptographic checking, which is what the DNSSEC security extensions do.

"DNSSEC is going to take a whole lot longer to implement, though, as there's a lot of infrastructure involved -- key management, zone signing, public key signing and so on. We thought we might see a noticeable uptake in DNSSEC adoption this year, but we saw only 45 DNSSEC records out of a million sample. Last year we saw 44."

Liu said that the survey also turned up several items of good news. For instance, support for SPF -- the sender policy framework, which combats e-mail spoofing -- has risen over the last 12 months from 12.6% of the zones sampled to 16.7%.

In addition, the number of insecure Microsoft DNS Server systems connected to the Internet has dropped from 2.7% of the total to 0.17%. Liu noted that these systems could well still be in use inside organizations, but said the important thing is that "people are shying away from connecting them to the Internet."

Looking forward, Liu said that only organizations with a specific need for open recursive DNS servers -- and the technical ability to keep them from being flooded -- should run them.

"I would love to see the percentage of open recursive servers go down, because even if they're patched they make great amplifiers for denial-of-service attacks," he said. "We can't get rid of recursive servers, but you don't have to allow just anyone to use them."