An annual survey from Infoblox and The Measurement Factory found that many external name servers are still open to recursion, a fact that leaves them vulnerable to being used to launch DDoS attacks. However, the survey also shows a growing interest in DNSSEC.
survey painted a picture of domain name server security that was both troubling
to research released by Infoblox and The Measurement Factory, there has been a
dramatic increase in the percentage of external name servers that are open to
recursion. The study put the latest figure at 79.6 percent, a 27 percent
increase from 2007.
year's survey is a Pandora's box of both frightening and hopeful results,"
commented Cricket Liu, vice president of architecture at Infoblox, in a
statement. "Of particular interest is the enormous growth in the number of
Internet-connected name servers, largely attributable to the introduction by
carriers of customer premises equipment (CPE) with embedded DNS
functionality. This equipment represents a significant risk to the rest of
the Internet, as without proper access controls, it facilitates enormous DDoS
The survey was based on a sample that included 5 percent of
the IPv4 address space. All told, Infoblox estimates there are 16.3
million name servers on the Internet, a 40 percent increase compared with 2007.
figures regarding recursion, the news from the survey was not all
bad. The percentage of zones with one or more name servers open to zone
transfers decreased to 16 percent from 31 percent in 2008. In an
interview with eWEEK, Liu said the improvement indicated
administrators are paying closer attention to security
and the configuration of their name servers.
increased by roughly 300 percent, indicating that DNSSEC is
Liu told eWEEK that in raw numbers, the count of DNSSEC-signed zones is
minuscule next to the total number of zones out there. In 2008, researchers
found that 45 subzones out of a roughly million-zone sample were signed. The
recent survey put the number at 167. Still, it showed there is an interest in
deploying DNSSEC, he contended.
"I am pleased to see the adoption of DNSSEC accelerating,
and I hope to see this number increase substantially in the next year as more
top-level zones are signed and as simplified ... help automate management of
signed zones," Liu said in the statement.