he Measurement Factory's 4th annual study of 80 million addresses in the IPv4 space proves several in the Internet community didn't heed the industry's warning to upgrade their DNS servers with patches for the Kaminsky flaw and other known vulnerabilities.
Despite industry efforts to lock down DNS servers, one in four remain vulnerable to cache poisoning due to the well-documented Kaminsky flaw identified earlier this year and another 40% could be considered a danger to themselves and others, recent research shows. (See how DNS works here.)
According to the fourth annual DNS report issued by The Measurement Factory, 25% of DNS servers in the sample group have not been upgraded to perform source port randomization, which is considered the patch for the vulnerability identified earlier this year by Dan Kaminsky, director of penetration testing at IOActive. The industry group bases its study on a sample that includes 5% of the IPv4 address space, or 80 million addresses.
"A surprising number of have not been upgraded and are very vulnerable to cache poisoning," according to a press release from IP address management vendor Infoblox and DNS service and tools provider DNSstuff.
A separate survey of 466 enterprise online customers conducted by DNSstuff in September revealed that 9.6% hadn't patched their DNS servers yet and 21.9% didn't know if they were patched. The findings show that despite the DNS community's and several vendors' efforts, a significant number of server administrators have yet to take action. As for the reasons behind the lack of patches, more than 45% cited a lack of internal resources, 30% said they were unaware of the vulnerability and 24% reported they didn't have enough knowledge of DNS to take the appropriate steps. DNSstuff’s customer research also found that the most common DNS issues include e-mail downtime for 69%, distributed denial-of-service (DDoS) attacks and cache poisoning attacks for nearly half of respondents and spoofing for 18.5%.
Another potentially worrisome finding is that more than 40% of Internet name servers allow recursive queries, leaving "millions of open recursors on the Internet, a danger both to themselves and others -- they are vulnerable to cache poisoning and DDoS attacks," The Measurement Group reports. Another 30% of those addresses sampled allow zone transfers to arbitrary requesters, which make servers targets for DoS attacks.
"Even if an enterprise has gone to the trouble of patching against the Kaminsky vulnerability, there are many other aspects of configuration, like recursion and open zone transfers, that should also be secured," said Cricket Liu, vice president of architecture at Infoblox, in a press release. "If not, organizations are essentially locking their door to the house, but leaving the windows wide open."