DNS Security Makes Strides, but Challenges Remain

An annual survey from Infoblox and The Measurement Factory found that many external name servers are still open to recursion, a fact that leaves them vulnerable to being used to launch DDoS attacks. However, the survey also shows a growing interest in DNSSEC.

A new survey painted a picture of domain name server security that was both troubling and hopeful.

According to research released by Infoblox and The Measurement Factory, there has been a dramatic increase in the percentage of external name servers that are open to recursion. The study put the latest figure at 79.6 percent, a 27 percent increase from 2007.

"This year's survey is a Pandora's box of both frightening and hopeful results," commented Cricket Liu, vice president of architecture at Infoblox, in a statement. "Of particular interest is the enormous growth in the number of Internet-connected name servers, largely attributable to the introduction by carriers of customer premises equipment (CPE) with embedded DNS functionality. This equipment represents a significant risk to the rest of the Internet, as without proper access controls, it facilitates enormous DDoS attacks."

The survey was based on a sample that included 5 percent of the IPv4 address space. All totaled, Infoblox estimates there are 16.3 million name servers on the Internet, a 40 percent increase compared with 2007.

Despite the figures regarding recursion, the news from the survey was not all bad. The percentage of zones with one or more name servers open to zone transfers decreased to 16 percent from 31 percent in 2008. In an interview with eWEEK, Liu said the improvement indicated administrators are paying closer attention to security risks and the configuration of their name servers.
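The two exposures the survey counts, open recursion and open zone transfers, are both closed by access controls on the name server. The fragments below are an added example, not configuration from the survey, Infoblox, or the article; they use BIND 9 syntax, and the ACL names and addresses are hypothetical placeholders.

```conf
// Added example, not from the survey or article: BIND 9 named.conf fragments.
// Addresses and ACL names are hypothetical; substitute your own networks.

// --- Fragment 1: the weak configuration the survey warns about ---
// Recursion and zone transfers are open to the whole Internet.
options {
    recursion yes;
    allow-recursion { any; };   // anyone can use this server as a resolver (DDoS amplification)
    allow-transfer  { any; };   // anyone can pull full zone contents with AXFR
};

// --- Fragment 2: hardened configuration for a server that is authoritative
// for its zones and resolves only for internal clients ---
acl "internal"    { 127.0.0.1; ::1; 192.0.2.0/24; };   // hypothetical client ranges
acl "secondaries" { 198.51.100.5; 198.51.100.6; };      // hypothetical secondary name servers

options {
    recursion yes;
    allow-recursion   { "internal"; };   // recursive service only for own clients
    allow-query-cache { "internal"; };   // cached answers not exposed to outsiders
    allow-transfer    { none; };         // no zone transfers unless a zone overrides this
};

zone "example.com" {
    type master;
    file "db.example.com";
    allow-transfer { "secondaries"; };   // AXFR only to the listed secondaries
};

// Cleaner still: run authoritative-only hosts with "recursion no;" and keep
// resolvers on separate addresses reachable only from internal networks.
```

A quick check after reloading is to query the server from an outside address with recursion desired and confirm the answer is refused or carries no RA flag.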

The number of DNSSEC-signed zones increased by roughly 300 percent, indicating that DNSSEC is gaining momentum.

However, Liu told eWEEK that in raw numbers the count of DNSSEC-signed zones is minuscule next to the total number of zones out there. In 2008, researchers found that 45 subzones out of a roughly million-zone sample were signed. The recent survey put the number at 167. Still, it showed there is an interest in deploying DNSSEC, he contended.

"I am pleased to see the adoption of DNSSEC accelerating, and I hope to see this number increase substantially in the next year as more top-level zones are signed and as simplified ... help automate management of signed zones," Liu said in the statement.