According to the 2008 DNS Survey, commissioned by network services appliances vendor Infoblox, while some improvements are noticeable, compared to 2007, millions of publicly available DNS servers still allow open recursion, which makes them vulnerable to DoS and cache poisoning attacks.
The tests were carried out by the Test Measurement Factory, using two datasets. The first dataset contained a number of over 90,000 randomly selected routed IP addresses, which amounted to about 5% of the total routed IPv4 space. The second dataset used one million domains names, randomly selected from a list of 182 million .com and .net domains submitted by Verisign. A single authoritative DNS server was selected for each of the domains.
Probing all the IPs in the two datasets revealed a total number of around 11.9 million name servers, which were reachable from the Internet. Further tests showed that most B of these servers used the BIND software, # use Nominum CNS/ANS, while the software used on @ of the name servers could not be identified. The remaining 8 percent of the servers that responded used a wide array of DNS software, many of them being integrated into home routers. These servers' running on home routers and their being accessible on the Internet should not be set as a default behavior. “It is surprising to see such a large number of home routers being reachable from the Internet on Port 53," is noted in the report.
An important aspect is the drastic decrease in the number of servers running the Microsoft DNS platform (only 0.17% remaining), which the researchers think is appropriate for internal network use only. “Microsoft DNS Servers lack many important security features, such as IP address-based access controls on queries and dynamic updates,” they point out.
The good news ends here, though, as the tests reveal 4,300,000 servers that are open to recursion. While this number is lower than in 2007, it is still significantly higher than the researchers had expected. Recursion exposes both the servers and the third-parties to denial of service attacks. One example is sending a large amount of requests with a spoofed IP to such a server, which causes the server to send the replies to the spoofed address, and the hardware at its end to crash, because of the amount of data required to process.
Open recursion is also a factor in DNS cache poisoning, a flaw discovered earlier this year by security researcher Dan Kaminsky, and partially patched by the industry. After scanning the open recursors for the implementation of source port randomization, an alarming 24% percentage of them have been rated as “poor”. If one adds this to the fact that the patch only partially mitigates the issue, they can outline the still high risk of such serious attacks occuring. “Given the heightened awareness of DNS server vulnerabilities due to the recent Kaminsky discovery, it is surprising to see how many organizations are still leaving their DNS systems as potential victims of attack,” noted Cricket Liu, vice president of Architecture at Infoblox.
Other important results are related to specific DNS configurations, aimed at prevention and protection against various attacks, such as the implementation of Sender Policy Framework (SPF) on subzones, the use of Zone transfer (AXFR), the IPv6 or DNSSEC adoption, and others. According to these, the use of SPF, a spam protection technique, has increased, and is currently implemented for about one in six .com and .net subdomains. In contrast, IPv6 and DNSSEC adoption has not seen much improvement lately, registering gains of 0.44% for IPv6 and 0.002% (only 45 records) for DNSSEC.
“Even if an enterprise has gone to the trouble of patching against the Kaminsky vulnerability, there are many other aspects of configuration, like recursion and open zone transfers, that should also be secured. If not, organizations are essentially locking their door to their house, but leaving the windows wide open. Organizations clearly need to pay more attention to configurations and deployment architectures that are leaving their DNS infrastructures vulnerable to attacks and outages,” warned Mr. Liu.