Small Business at Risk
That means the DNS servers of small businesses are especially at risk. One of the few legitimate organizations running periodic BIND queries is Men & Mice, a Reykjavik, Iceland, DNS management software company that publishes the International Domain Health Survey. One day after the Jan. 29 CERT alert, it took a snapshot that showed one-third of the Fortune 1000 had at least one faulty version of BIND on a DNS server, said Petur Petursson, chief executive of Men & Mice. Three weeks later, that figure had dropped to one-eighth of the Fortune 1000, he said, indicating a rapid upgrade at large companies on the heels of the CERT announcement.
Petursson, however, said he doubts small businesses and nonprofits upgraded their sites as quickly.
At many smaller organizations, DNS servers were set up by outside consultants or by an information technology (IT) staffer who eventually departed for another job, Dunphy said. Once set up, DNS servers tend to run themselves without further assistance and eventually become "a dust-covered server in a closet that nobody knows about," he said.
It's possible for an administrator of a Web site to read news of a CERT BIND alert and say, "Thank goodness we don't have any of those on our network," when, in fact, he or she does, Dunphy said.
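The blind spot Dunphy describes, a BIND server nobody knows is on the network, is what a version inventory like the Men & Mice survey is meant to expose. The following Python is an added example, not code from the article or from Men & Mice: it builds the standard CHAOS-class `version.bind` TXT query, parses the reply, and includes a constructed sample response so the parser can be exercised offline; that such surveys rely on `version.bind` is my assumption.

```python
import socket
import struct

TXID, QTYPE_TXT, QCLASS_CH = 0x1234, 16, 3  # CHAOS-class TXT: the classic BIND version probe

def build_version_bind_query(txid=TXID):
    """Wire-format DNS query for 'version.bind' TXT in class CH (RD set, one question)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + b"\x07version\x04bind\x00" + struct.pack("!HH", QTYPE_TXT, QCLASS_CH)

def _skip_name(msg, off):
    """Advance past a domain name at off; a 2-byte compression pointer ends the name."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:
            return off + 2
        off += 1 + msg[off]
    return off + 1

def parse_version_bind_response(msg):
    """TXT strings from the answer section; [] when the server refuses or has no answer."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:  # non-zero RCODE, e.g. REFUSED where version reporting is locked down
        return []
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE + QCLASS
    texts = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        i = 0
        while rtype == QTYPE_TXT and rclass == QCLASS_CH and i < len(rdata):
            texts.append(rdata[i + 1:i + 1 + rdata[i]].decode("ascii", "replace"))
            i += 1 + rdata[i]
    return texts

def probe_server(ip, timeout=2.0):
    """Send the probe to one of your nameservers over UDP/53 and parse the reply (network required)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_version_bind_query(), (ip, 53))
        return parse_version_bind_response(s.recv(512))

def constructed_response(version_text, rcode=0, txid=TXID):
    """Constructed sample reply (not captured traffic) so the parser can be exercised offline."""
    header = struct.pack("!HHHHHH", txid, 0x8580 | rcode, 1, 0 if rcode else 1, 0, 0)
    txt = bytes([len(version_text)]) + version_text.encode("ascii")
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, QCLASS_CH, 0, len(txt)) + txt
    return header + build_version_bind_query(txid)[12:] + (b"" if rcode else answer)
```

A server configured to hide its version answers with a decoy string or REFUSED, so an empty or odd result from `probe_server()` means the installed binary has to be checked on the host itself.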
When asked why more system administrators don't upgrade BIND on their DNS servers, ISC's Vixie said it is purely their option to do so. The ISC does not monitor BIND users or notify them of changes. Registering BIND users is contrary to the concept of freely available software as open source code, he added. The only requirement asked of a downloader is "to use it in good health," he said. Vixie said BIND users may sign up for a newsletter that fills them in on patches and when upgrades are available, but fewer than 500 have done so. He estimated there are at least 30,000 administrators of DNS servers who would need to be notified.
Creating a central registry is more difficult than it sounds, since not all copies of BIND are distributed through the ISC site. BIND is included in each of the major versions of Unix, such as IBM's AIX, Hewlett-Packard's HP-UX and Sun Microsystems' Solaris, as well as in the products of some firewall makers, like Secure Computing's Sidewinder. Their BIND versions are updated conscientiously but may still lag discovery of new holes by two to three months, Dunphy said.
And once a hole is identified, it is extremely difficult for operating system or firewall users to apply patches or implement upgraded versions of BIND on their own. Users would not generally upgrade BIND as a separate component unless the vendor of their operating system or firewall software sent a patch. And even upgrading the DNS server with a patch requires extensive testing to make sure the patch doesn't disrupt something else, he added.