Configuration errors are exposing millions of DNS servers to Denial of Service (DoS) attacks and other security threats, a survey by Infoblox and The Measurement Factory has found. Despite how easily administrators could correct these configuration errors, more than 50 percent of the Internet’s DNS servers remain vulnerable to a variety of attacks, according to the random survey of 5 percent—or approximately 88.4 million—of IPv4 address servers.
Infoblox, a supplier of core network service appliances, and The Measurement Factory, a provider of Internet testing and measurement products and services, has conducted the survey for three years. The survey randomly selects 5 percent of the advertised address space from the global routing table of the University of Oregon Route Views project. The survey sends standard queries to the servers to probe software and configuration metrics. To avoid the appearance of Black Hat network probing, Infoblox and The Measurement Factory publish the source IP addresses on their Web sites.
The two queries Infoblox and The Measurement Factory used to determine configuration errors were for recursive queries and zone transfers.
A recursive query requires a name server to relay requests to other name servers. If a server allows recursive queries, it ties up the server’s computing resources. A name server also has a limit to the number of recursive queries it can handle, so once the number of queries reaches that limit, the server will reject any traffic flowing its way. Someone can literally stop a name server from operating by flooding the server with recursive queries until it reaches its limit and starts rejecting valid requests. Allowing recursive queries exposes servers to pharming attacks, cache poisoning, and DoS attacks, and allows those servers to be used in DNS amplification attacks.
The survey found that over 52 percent of public DNS servers allowed recursive queries—findings similar to those of the 2006 study. “Ideally, in a perfect world, no name servers out there on the Internet would do that for us, said Cricket Liu, Infoblox’s vice president of architecture, and author of DNS and BIND, DNS & BIND Cookbook, and DNS on Windows Server 2003 (O’Reilly & Associates). “Because we are just coming in from some random-source IP address, and those name servers have no relationship to us, they should refuse to offer recursive name service to us,” Liu said.
If servers allow zone transfers to arbitrary queries, those servers’ DNS data can be duplicated to another DNS server, which can subject the servers to DoS attacks. The number of DNS servers that allowed zone transfers grew from 29 percent in 2006 to 31 percent in 2007.
Not all the news from the survey results was bad news. The survey found that the Internet infrastructure continues to grow at a healthy rate.
The number of name servers grew from 9 million in 2006 to approximately 11.7 million in 2007—a 30 percent increase, and a 56 percent increase from the 7.5 million name servers found in 2005. Liu said the increased number of DNS servers is an indication of how important DNS has become. “You probably wouldn’t find as many of almost any other kind of server out there,” Liu said, “even Web servers, for that matter.”
BIND 9 is the most prevalent DNS software by far, running on 65 percent of the public name servers, up from 61 percent in 2006 and 58 percent in 2005. The second most popular software is actually the previous version of BIND, BIND 8, running on 5.6 percent of DNS servers, down from 14 percent in 2006, and 20 percent in 2005. BIND 8 was declared End of Life (EOL) on August 27, 2007.
According to the survey, the use of Microsoft DNS Server decreased by almost half in 2007. Only 2.7 percent of public name servers ran Microsoft, compared with 5 percent in 2006 and 10 percent in 2005. Liu said this finding is completely counter to what he sees internally at 80 percent of large organizations and companies in the United States. “I think that most people are very leery of running \[Microsoft DNS servers\] externally where they are directly exposed to the Internet because of the difficulty of running Windows servers securely when they are directly accessible \[through the Internet\].”
To view the entire results of the DNS server survey, click here.