IT managers should make protecting their systems from a DNS attack a priority, despite the budget constraints that they're operating under.
Despite the threat posed by the vulnerability discovered by Dan Kaminsky last year, and by other DNS attacks such as cache poisoning and distributed denial-of-service (DDoS), a quarter of all networks had not been patched by mid-November, according to The Measurement Group.
"These name servers are trivially vulnerable to the Kaminsky attack. With an effective exploit script, a hacker can insert arbitrary data into the cache of one of these name servers in about 10 seconds," said Cricket Liu, vice president of architecture at Infoblox.
A separate survey of 466 enterprise online customers conducted by DNSstuff in September revealed that 9.6 percent hadn't patched their DNS servers and 21.9 percent didn't know if they were patched. The findings show that despite the DNS community's and several vendors' efforts, a significant number of server administrators have yet to take action. As for the reasons behind the lack of patches, more than 45 percent cited a lack of internal resources, 30 percent said they were unaware of the vulnerability and 24 percent reported they didn't have enough knowledge of DNS to take the appropriate steps.
Infoblox said there was a misconception that DNS was a trivial part of the network. It performs a critical function by mapping domain names to IP addresses and directing Internet inquiries to the appropriate location. "Should an enterprise's DNS systems fail ... all Internet functions, including email, web access, e-commerce and extranets become unavailable," according to Infoblox.
A second misconception, according to Infoblox, is that any version of BIND will protect name servers on the Internet. BIND version 9 is a major rewrite of the Berkeley Internet Name Domain software and includes DNS security and protocol enhancements, as well as support for IPv6.
Another misconception regarding BIND is that organisations running version 9 are safe from attacks based on the Kaminsky vulnerability. Infoblox's Liu says this is untrue. "Even running the most recent version of BIND, many organisations have not taken the necessary precautions to limit access to recursion or secure zone transfers," he says.
Lastly, the belief that upgrading DNS must be put off until IT can gain budget approval is false. Tools available for free download make it possible to test a system for the vulnerability and to upgrade the DNS server. For instance, the Infoblox QuickSecure Solution can be downloaded from the vendor's website.
Recursive name servers can be tested for the Kaminsky vulnerability at doxpara.com, www.dnsadvisor.com or with DNS-OARC's port testing tool. If a server is found to be vulnerable, Infoblox suggests upgrading it to a version that uses query port randomization, or moving to another name server that does support it.
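The port-testing tools mentioned above work by observing a sample of a resolver's outbound queries and measuring how much its source port and transaction ID vary. A simplified version of that check, as an added example that is not from the article or from any of the vendors or tools it names (the sample queries are constructed and the verdict thresholds are assumptions):

```python
"""
Added example (not from the article, Infoblox or DNS-OARC): estimate how well
a recursive name server randomizes the source port and transaction ID of its
outbound queries, given a captured sample of those queries. A resolver that
reuses one source port leaves only the 16-bit transaction ID as entropy,
which is what the Kaminsky attack exploits. Thresholds are assumptions.
"""
import math
from collections import Counter
from statistics import pstdev


def shannon_bits(values):
    """Empirical Shannon entropy of the sample, in bits."""
    n = len(values)
    return -sum((c / n) * math.log2(c / n) for c in Counter(values).values())


def assess_port_randomization(queries):
    """queries: list of (source_port, txid) pairs captured from one resolver.
    Returns distinct counts, entropy estimates and a verdict string."""
    if len(queries) < 5:
        raise ValueError("need at least 5 observed queries")
    ports = [p for p, _ in queries]
    txids = [t for _, t in queries]
    port_spread = pstdev(ports)  # spread over the 16-bit range; 0 for a fixed port
    if len(set(ports)) == 1:
        verdict = "POOR: fixed source port, only the transaction ID varies"
    elif port_spread < 1000:  # assumed threshold: ports drawn from a narrow band
        verdict = "FAIR: source ports vary but only within a narrow range"
    else:
        verdict = "GOOD: source ports spread across the port range"
    return {
        "distinct_ports": len(set(ports)),
        "distinct_txids": len(set(txids)),
        "port_entropy_bits": round(shannon_bits(ports), 2),
        "txid_entropy_bits": round(shannon_bits(txids), 2),
        "port_stddev": round(port_spread, 1),
        "verdict": verdict,
    }


# Constructed samples: an unpatched resolver sending every query from port 53,
# and a patched one that picks a fresh ephemeral port for each query.
UNPATCHED = [(53, 0x1A2B), (53, 0x3C4D), (53, 0x5E6F), (53, 0x7081), (53, 0x92A3)]
PATCHED = [(40213, 0x1A2B), (61987, 0x3C4D), (33402, 0x5E6F),
           (55290, 0x7081), (47765, 0x92A3)]

if __name__ == "__main__":
    for name, sample in (("unpatched", UNPATCHED), ("patched", PATCHED)):
        print(name, assess_port_randomization(sample))
```

On real traffic the sample would come from a packet capture of the resolver's outbound UDP queries rather than a hand-built list.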
"Even if an enterprise has gone to the trouble of patching against the Kaminsky vulnerability, there are many other aspects of configuration, like recursion and open zone transfers, that should also be secured," Liu says. "Organizations clearly need to pay more attention to configurations and deployment architectures that are leaving their DNS infrastructures vulnerable to attacks and outages."