13 Nov
Survey: One DNS server in 10 is ‘trivially vulnerable’
by Bryan Betts, IDG-News-Service/London-bureau
More than 10 percent of the Internet’s DNS (Domain Name System) servers are ever vulnerable to cache-poisoning attacks, according to a worldwide<a href=”http://dns.measurement-factory.com/surveys/200810.html”>survey of public-facing Internet nameservers</a>.
Related Servers Articles
Connect: How to add reticulated attached storage Survey: One DNS server in 10 is ‘trivially vulnerable’ IBM sues to block executive’s recommend to Apple MozyPro for Mac brings backup to business Intel’s six-core Dunnington chip hits the market
That’s despite it being several months since the vulnerabilities were disclosed and fixes made available, said DNS expert Cricket Liu, whose company, Infoblox, commissioned the annual survey.
“We estimate there’s 11.9 million nameservers out there, and over 40 percent let open recursion, so they take . queries from anyone. Of those, a deal out are not patched. So there’s 1.3 million nameservers that are trivially vulnerable,” said Liu, who is Infoblox’s vice president of architecture.
Other DNS servers may well allow recursion, but are not open-hearted to everyone, so they were not picked up by the inspection, he said.
Liu said the cache-poisoning vulnerableness, which is repeatedly named after Dan Kaminsky, the security researcher who published details of it in July, is genuine: “Kaminsky was exploited within days of being made public,” he said.
Modules targeting the vulnerability own been added to the hacking and penetration testing instrument Metasploit, for the sake of instance. Ironically, one of the first DNS servers compromised by a cache poisoning set upon was human being used by Metasploit’s author, HD Moore.
For now, the antidote to the cache-poisoning flaw is mien randomization. By sending DNS queries from varying source ports, this makes it harder for an attacker to guess which port to send poisoned data to.
However, this is only a influenced fix, Liu warned. “Port randomization mitigates the question end it doesn’t make an attack impossible,” he said. “It is really just a stopgap on the way to cryptographic checking, which is what the <a href=”http://www.dnssec.net/”>DNSSEC</a> security extensions do.
“DNSSEC is going to take a whole lot longer to implement though, as there’s a lot of infrastructure involved — key management, zone signing, public key signing, and so on. We thought we might see a noticeable uptake in DNSSEC adoption this year, but we saw singly 45 DNSSEC records out of a the multitude sample. Last year we saw 44.”
Liu said that on the positive side, the survey turned up several items of good news. For urgent solicitation, support for SPF — the sender policy framework, which combats e-mail spoofing — has risen over the last 12 months from 12.6 percent of the zones sampled to 16.7 percent.
In addition, the number of insecure Microsoft DNS Server systems connected to the Internet has dropped from 2.7 percent of the total to 0.17 percent. Liu notable that these systems could well still have being in use inside organizations, but said the prominent thing is that “people are shying away from connecting them to the Internet.”
Looking eager, Liu said that only organizations with a specific require in favor of open recursive DNS servers — and the technical ability to keep them from being flooded — should run them.
“I would love to see the percentage of open recursive servers go down, because even if they’re patched they make eminent amplifiers instead of denial-of-service attacks,” he said. “We can’t get rid of recursive servers, but you don’t have to allow just anyone to use them.”
