Are your servers vulnerable to DNS attacks?

More than half of Internet name servers today allow requests that leave networks vulnerable to cache poisoning and distributed denial of service attacks -- a fact that has not improved over the past year.

The finding is part of the third annual survey of the Internet’s domain name servers released this week by The Measurement Factory, which conducted the survey for DNS management appliance maker Infoblox. The survey is based on a sample that included 5% of the IPv4 address space -- nearly 80 million devices -- and works to reveal configuration errors that compromise network security and availability.

DNS servers are an oft-neglected but essential part of the infrastructure that map domain names, such as www.networkworld.com into an IP address like 65.214.57.165. If DNS doesn’t work, then it appears the network is down. DNS servers perform domain name resolution to fulfill Internet requests, and in turn, when DNS fails so does e-mail, Web access and more.

Filed under bad news, more than 50% of Internet name servers "allow recursive queries," which is unchanged from 2006, and such queries require a name server to relay requests to other name servers. That action leaves many name servers vulnerable to pharming attacks, according to Infoblox, which can also enable those servers to be used in DNS amplification attacks.

"Even with the growing adoption of more secure DNS systems, compromises to these systems are still occurring and organizations need to pay more attention to configurations and deployment architectures that are leaving their DNS infrastructures vulnerable to attacks and outages," said Cricket Liu, vice president of architecture at Infoblox, in a statement.

More bad news comes in the form of DNS servers allowing "zone transfers to arbitrary requestors" grew 2% in 2007 to 31%. Allowing such transfers can enable duplication of an entire segment of DNS data from one server to another and make the system susceptible to a DDoS attack. The study also found that 75% of those surveyed machines remain misconfigured, which can cause service outages. 

Yet the survey revealed some positive findings as well. According to the results, BIND 9 usage grew from 4% in 2007 to 65%, which indicates more enterprise companies are putting the most recent and secure version of the open-source domain name server software in place. At the same time, BIND 8 usage decreased by 5.6%. And the findings indicate that usage of Microsoft DNS Server has decreased consistently over time. In 2005, 10% of DNS servers surveyed used Microsoft; in 2006 5% used it; and in 2007, about 2.7% had Microsoft DNS Server in place.

"For the overall security of the Internet, it is good to see movement aware from Microsoft DNS Servers for external DNS as well as a growing trend to use the most recent versions of BIND, which are more secure," Liu said.