Research performed by The Measurement Factory uncovered 25 percent of DNS servers still have not been fixed to address the DNS flaw publicized by security researcher Dan Kaminsky and others earlier this year. A separate study found that many companies feel they don't have the resources or the expertise to address the issue.
New research offers a peak into the state of security of domain
name server security - and it's not all pleasing to the eye.
In an annual study
domain name servers (DNS) connected to the Internet by The Measurement
Factory, it was uncovered that roughly one in four DNS servers does not
perform source port randomization, despite the publicity surrounding
the DNS vulnerability reported
by security researcher Dan Kaminsky earlier this year.
The study, which was sponsored by Infoblox, also found that
more than 40 percent of Internet name servers allow recursive queries.
With the study estimating 11.9 million name servers are reachable from
the Internet, the percentages means millions of name servers may be
open to cache poisoning and distributed denial of service attacks.
"The danger of offering recursive queries is that a malicious user
can effectively trick a DNS server into looking up the wrong data and
then that same server will cache that bad data and then serve that bad
data to other users," explained Paul Parisi, CTO of DNSstuff. "So,
allowing public users to execute recursive queries against your name
server is bad."
However, the same issues still exist for private users of that same server, he added.
"A -bad' user on the private -authorized' list executing recursive
queries, whether they are deliberately malicious or subject of a
Trojan, can have the same negative outcome - having the server limited
to whom it may serve recursive queries simply diminishes your exposure
to a smaller set of users," Parisi said.
These issues are exacerbated, he continued, for domain owners when
their SOA (start of authority) name servers are also open to recursive
queries. In that scenario, a domain's SOA server could be corrupted by
sending malicious recursive queries to that server - in effect taking
away the only available source of authority.
New research by DNSstuff echoed the findings of The Measurement
Factory study. According to DNSstuff, roughly 31 percent of the
466 participants either had not patched Kaminsky's vulnerability or
were unsure if it was fixed. More than 45 percent said they lacked the
in-house resources to complete the task.
"That's pretty amazing, especially given the level of coverage that
there was," Parisi said. "When asked why their DNS servers were not
patched, the biggest reason cited...was no internal resources. So they
understood it, they knew what it was, but they didn't have the
resources to do it."
Another 30 percent were unaware of the vulnerability, while 24
percent felt they lacked the DNS expertise to address the
issue, according to the DNSstuff study.
There is good news, however. According to The Measurement Factory
study, adoption of the sender policy framework (SPF) is on the rise.
Between 2006 and 2007, adoption grew from about 5 percent of the zones
to about 12.6 percent. In 2008, it increased to 16.7 percent.
SPF is an extension of SMTP that aids in e-mail authentication.
"This [increase] is all almost a grassroots thing," said Cricket
Liu, vice president of architecture at Infoblox. "There's no systematic
setting up of SPF. Individual administrators of zones have to go to the
trouble of inserting text records or specially formatted SPF records to
get this stuff going. So it's pretty encouraging to see that now one
out of six subzones of common net use SPF."