More than half the name servers on the Internet are configured wrongly, leaving networks open to attacks, a security company has warned.
Domain name servers, which everyone running an enterprise network must have, are often configured in ways which can cause harm to the company, or to other Internet users, according to the DNS Report Card, a survey of DNS servers carried out by The Measurement Factory, on behalf of Infoblox, a company making DNS appliances. The survey gave an overall D+ for DNS security.
The most common error is for DNS servers to accept and forward recursive requests from systems outside their own network, according to the report. Apart from a small number of authoritative name servers on the Internet, most DNS servers are "recursive", meaning they reside on a LAN or in an ISP's network and refer requests from their own users upwards to the authoritative servers. When these servers are open to users outside their own network, it allows "pharming" attacks, where attackers send multiple spoofed DNS requests, apparently from one user, to many of these open recursive servers. The resulting replies swamp the user whose IP address has been spoofed into the requests.
"It's a big issue, when you have a recursive server that is open to anyone to use," said Jay Daley, IT manager at the .co.uk domain authority Nominet. "A few hundred PCs can send a request of 64 bytes, and the servers will respond with 4kbyte for each request and a huge amount of traffic comes your way."
Infoblox claims that these servers can also be vulnerable to cache poisoning attacks where users are redirected to a different website that may capture their personal information. Users running an authoritative DNS server and a recursive server on the same machine are open to a more serious attack, which can allow attackers to stop email and web traffic, said Daley.
"We saw an increase in the pace and severity of attacks and outages resulting from bad configurations in the DNS infrastructure," says Infoblox' market head Rick Kagan. While Infoblox suggests that running a dedicated secure DNS appliance is a good way to prevent these problems, Daley is not so sure: "It's best to run DNS on an ordinary, well-patched server. You can patch it quickly if you need to while it can take some time for patches to be delivered for dedicated appliances - and they charge an extraordinary price premium." While patching your own DNS server might seem like a bind (sorry), Daley says that anyone running a DNS server ought to be able to patch it. Updates to BIND are not anything like as frequent as updates to the databases on anti-spam or anti-virus servers, two areas where he believes appliances may be justified.
The survey found that the number of DNS servers connected to the Internet rose 20 percent in the year to nine million, and that the number running BIND 9, the latest version of the most common DNS software, has risen from 58 percent to 61 percent - this is good news in Daley's view, as BIND 9 is more secure than earlier versions. "There are three versions out there," he said. "BIND 4 should not be used at all, BIND 8 is only for authoritative servers, and BIND 9 is fine for either recursive or authoritative servers."
The survey also found that 20 percent of servers allow zone transfers to arbitrary queriers, which Infoblox says opens them to denial of service attacks. One attempt to solve DNS security issues has obviously fallen flat - only one in 100,000 DNS servers runs the proposed secure version of DNS called DNSSEC.
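The three configuration problems the report calls out (open recursion, an authoritative zone served by a recursive server, and zone transfers to arbitrary queriers) all show up as settings in a BIND `named.conf`. The following checker is an added example, not part of the report or of any Infoblox or Nominet tool; the two configuration fragments it audits are constructed for illustration, and the ACL names and addresses in them are placeholders.

```python
import re

# Constructed sample named.conf fragments (not taken from the report): one with the
# weak settings the survey describes, one with the same options restricted.
WEAK_CONF = """
options {
    recursion yes;
    allow-recursion { any; };      // open recursive resolver
    allow-transfer { any; };       // zone transfers to arbitrary queriers
};
zone "example.test" { type master; file "db.example"; };
"""

HARDENED_CONF = """
acl internal { 127.0.0.1; 192.0.2.0/24; };
options {
    recursion yes;
    allow-recursion { internal; };   // only our own networks may recurse
    allow-transfer { 192.0.2.53; };  // only the secondary may pull the zone
};
"""

def _acl(conf, name):
    """Return the address-match list of `name { ... };` as a list of strings, or None if absent."""
    m = re.search(r'\b' + re.escape(name) + r'\s*\{([^}]*)\}', conf)
    if not m:
        return None
    return [item.strip() for item in m.group(1).split(';') if item.strip()]

def audit_named_conf(conf):
    """Return the findings (strings) for the three problems the survey calls out."""
    conf = re.sub(r'(//|#).*', '', conf)          # drop line comments before matching
    findings = []
    rec = re.search(r'\brecursion\s+(yes|no)\s*;', conf)
    recursive = rec is None or rec.group(1) == 'yes'   # BIND defaults to recursion yes
    allow_rec = _acl(conf, 'allow-recursion')
    if recursive and allow_rec is None:
        findings.append('recursion enabled without allow-recursion; restrict it to your own networks')
    elif recursive and 'any' in allow_rec:
        findings.append('open recursive resolver: allow-recursion { any; }')
    xfer = _acl(conf, 'allow-transfer')
    if xfer is None or 'any' in xfer:             # BIND's default for allow-transfer is any
        findings.append('zone transfers allowed to arbitrary queriers; set allow-transfer to your secondaries')
    if recursive and re.search(r'\btype\s+(master|primary)\s*;', conf):
        findings.append('authoritative zone served by a recursive server; split the roles onto separate servers')
    return findings
```

Run against the weak fragment it reports all three problems; against the restricted one it reports none.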
Infoblox provides a free DNS advisor created by its director of architecture, Cricket Liu, which will warn users of potential DNS problems.