[ISN] Are your servers vulnerable to DNS attacks?

From: InfoSec News (alerts@private)
Date: Wed Nov 21 2007 - 00:06:07 PST


By Denise Dubie

More than half of Internet name servers today allow requests that leave 
networks vulnerable to cache poisoning and distributed denial of service 
attacks -- a fact that has not improved over the past year.

The finding is part of the third annual survey of the Internet’s domain 
name servers released this week by The Measurement Factory, which 
conducted the survey for DNS management appliance maker Infoblox. The 
survey is based on a sample that included 5% of the IPv4 address space 
-- nearly 80 million devices -- and works to reveal configuration errors 
that compromise network security and availability.

DNS servers are an oft-neglected but essential part of the 
infrastructure that maps a domain name, such as www.networkworld.com, 
into an IP address like If DNS doesn’t work, then it appears 
the network is down. DNS servers perform domain name resolution to 
fulfill Internet requests, so when DNS fails, so do e-mail, Web access 
and more.

Filed under bad news, more than 50% of Internet name servers "allow 
recursive queries," unchanged from 2006. A recursive query asks the name 
server to resolve the name on the client's behalf by relaying requests 
to other name servers. Offering that service to arbitrary clients leaves 
many name servers vulnerable to pharming attacks, according to Infoblox, 
and also lets those servers be abused in DNS amplification attacks.
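A small check an administrator can run against their own name servers to see whether they answer recursive queries for arbitrary clients, the condition the survey measures. This is an added example, not code from the article or from Infoblox or The Measurement Factory; it assumes the server's IP address is passed on the command line, uses a name the server is not authoritative for, and includes two constructed reply headers so the parsing can be exercised offline.

```python
import socket
import struct
import sys


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a DNS A query with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN


def classify_response(data: bytes) -> dict:
    """Parse a DNS reply header: did the server offer recursion (RA bit),
    and what RCODE did it return?"""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    return {
        "txid": txid,
        "qr": bool(flags & 0x8000),   # reply, not a query
        "ra": bool(flags & 0x0080),   # recursion available
        "rcode": flags & 0x000F,      # 0 = NOERROR, 5 = REFUSED
        "answers": an,
    }


def is_open_resolver(data: bytes) -> bool:
    """True when the server recursed for us: RA set, NOERROR, answers present."""
    r = classify_response(data)
    return r["qr"] and r["ra"] and r["rcode"] == 0 and r["answers"] > 0


def check(server: str, name: str = "www.networkworld.com", timeout: float = 3.0) -> bool:
    """Send one recursive query over UDP to the server and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        data, _ = s.recvfrom(512)
    return is_open_resolver(data)


# Constructed sample replies (headers only) for offline use:
# 0x8180 = QR, RD, RA set, RCODE 0, one answer -> open resolver.
OPEN_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
# 0x8105 = QR, RD set, RA clear, RCODE 5 (REFUSED), no answers -> recursion denied.
REFUSED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0)

if __name__ == "__main__":
    print("open resolver" if check(sys.argv[1]) else "recursion refused")
```

A server that answers REFUSED with the RA bit clear for a name outside its own zones is the behaviour you want from an authoritative-only server; an affirmative answer means it will recurse for anyone.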

"Even with the growing adoption of more secure DNS systems, compromises 
to these systems are still occurring and organizations need to pay more 
attention to configurations and deployment architectures that are 
leaving their DNS infrastructures vulnerable to attacks and outages," 
said Cricket Liu, vice president of architecture at Infoblox, in a 

More bad news: the share of DNS servers allowing "zone transfers to 
arbitrary requestors" grew 2% in 2007, to 31%. Allowing such transfers 
lets anyone copy an entire segment of DNS data from one server to 
another and makes the system susceptible to a DDoS attack. The study 
also found that 75% of the surveyed machines remain misconfigured, 
which can cause service outages.

Yet the survey revealed some positive findings as well. According to the 
results, BIND 9 usage grew from 4% in 2007 to 65%, which indicates more 
enterprise companies are putting the most recent and secure version of 
the open-source domain name server software in place. At the same time, 
BIND 8 usage decreased by 5.6%. And the findings indicate that usage of 
Microsoft DNS Server has decreased consistently over time. In 2005, 10% 
of DNS servers surveyed used Microsoft; in 2006 5% used it; and in 2007, 
about 2.7% had Microsoft DNS Server in place.

"For the overall security of the Internet, it is good to see movement 
away from Microsoft DNS Servers for external DNS as well as a growing 
trend to use the most recent versions of BIND, which are more secure," 
Liu said.

All contents copyright 1995-2007 Network World, Inc

This archive was generated by hypermail 2.1.3 : Wed Nov 21 2007 - 00:15:32 PST