New research offers a peak into the state of security of domain name server security – and it’s not all pleasing to the eye.
In an annual study of domain name servers (DNS) connected to the Internet by The Measurement Factory, it was uncovered that roughly one in four DNS servers does not perform source port randomization, despite the publicity surrounding the DNS vulnerability reported by security researcher Dan Kaminsky earlier this year.
The study, which was sponsored by Infoblox, also found that more than 40 percent of Internet name servers allow recursive queries. With the study estimating 11.9 million name servers are reachable from the Internet, the percentages means millions of name servers may be open to cache poisoning and distributed denial of service attacks.
“The danger of offering recursive queries is that a malicious user can effectively trick a DNS server into looking up the wrong data and then that same server will cache that bad data and then serve that bad data to other users,” explained Paul Parisi, CTO of DNSstuff. “So, allowing public users to execute recursive queries against your name server is bad.”
However, the same issues still exist for private users of that same server, he added.
“A -bad’ user on the private -authorized’ list executing recursive queries, whether they are deliberately malicious or subject of a Trojan, can have the same negative outcome – having the server limited to whom it may serve recursive queries simply diminishes your exposure to a smaller set of users,” Parisi said.
These issues are exacerbated, he continued, for domain owners when their SOA (start of authority) name servers are also open to recursive queries. In that scenario, a domain’s SOA server could be corrupted by sending malicious recursive queries to that server – in effect taking away the only available source of authority.
New research by DNSstuff echoed the findings of The Measurement Factory study. According to DNSstuff, roughly 31 percent of the 466 participants either had not patched Kaminsky’s vulnerability or were unsure if it was fixed. More than 45 percent said they lacked the in-house resources to complete the task.
“That’s pretty amazing, especially given the level of coverage that there was,” Parisi said. “When asked why their DNS servers were not patched, the biggest reason cited…was no internal resources. So they understood it, they knew what it was, but they didn’t have the resources to do it.”
Another 30 percent were unaware of the vulnerability, while 24 percent felt they lacked the DNS expertise to address the issue, according to the DNSstuff study.
There is good news, however. According to The Measurement Factory study, adoption of the sender policy framework (SPF) is on the rise. Between 2006 and 2007, adoption grew from about 5 percent of the zones to about 12.6 percent. In 2008, it increased to 16.7 percent.
SPF is an extension of SMTP that aids in e-mail authentication.
“This [increase] is all almost a grassroots thing,” said Cricket Liu, vice president of architecture at Infoblox. “There’s no systematic setting up of SPF. Individual administrators of zones have to go to the trouble of inserting text records or specially formatted SPF records to get this stuff going. So it’s pretty encouraging to see that now one out of six subzones of common net use SPF.”