DNS Survey Finds Widespread Vulnerability

Many of the servers that were tested are vulnerable because they were enabled to provide unrestricted recursive name services, Infoblox Inc. says.

In a security survey of some 1.3 million DNS servers, an Internet measurement firm found that as many as 84 percent of those servers could be susceptible to pharming attacks.

The vulnerabilities come about mainly because the DNS (Domain Name System) servers tested were enabled to provide unrestricted recursive name services, which relay information about the name sever to "arbitrary queriers on the Internet."

According to appliance vendor Infoblox Inc., which sponsored the survey by The Measurement Factory, this oversight alone can open up the servers to cache poisoning and DoS (denial of service) attacks, as well as pharming attacks, which redirect users to fake Web sites.

"Simply offering recursion does not alone make it possible to poison your cache, but youre at significantly higher risk," said Cricket Liu, vice president of architecture at Infoblox. "Frankly, I wasnt expecting these numbers to be so high. I guess my view was skewed."

The Boulder, Colo.-based Measurement Factory, in querying some 17 percent of the roughly 7.5 million globally known authoritative DNS servers on the Internet, also found that in more than 40 percent of DNS servers, the software used to complete domain name resolution is out of date and likely insecure.

Forty percent of servers also allow zone transfers, which copy sections of DNS data from server to server, to unknown requestors. Once that information is given, the server can be vulnerable to DoS attacks.

"The number of servers allowing zone transfers was bad, but not as dramatically awful as the recursion numbers," said Liu.

/zimages/4/28571.gifFor advice on how to secure your network and applications, as well as the latest security news, visit Ziff Davis Internets Security IT Hub.

DNS servers translate domain names like "eWEEK.com" into IP addresses, in order to direct users to appropriate Web locations.

Infoblox calls DNS servers "essential network infrastructure," and warns that failure of an enterprise DNS server would halt all Internet activities of that organization.

"Without those name servers available, people cant send e-mail, cant visit your Web site, perform business-to-business or consumer transactions, or offer customer support," said Liu.

In order to ensure security, Infoblox recommends DNS servers be configured to respond only to a handful of known queriers.

Liu, however, said most DNS server vendors enable both recursion and zone out-of-the-box, which may make them easier to set up, but can compromise security.

Infoblox ships its appliances with both functions disabled.

Full survey results and recommendations for DNS best practices are available through the Measurement Factory and Sunnyvale, Calif.-based Infoblox, respectively.

/zimages/4/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.