By John Leyden
24th October 2005
Four in five authoritative domain name system (DNS) servers across the
world are vulnerable to types of hacking attacks that might be used by
hackers to misdirect surfers to potentially fraudulent domains. A
survey  by net performance firm the Measurement Factory
commissioned by net infrastructure outfit Infoblox of 1.3m internet
name servers found that 84 per cent might be vulnerable to pharming
attacks. Others exhibit separate security and deployment-related
Pharming attacks use DNS poisoning or domain hijacks to redirect users
to dodgy urls. For example widespread attacks launched in April
attempt to fool consumers into visiting potentially malicious web
sites by changing the records used to convert domain names to IP
addresses. These particular pharming attacks exploited name servers
that allow recursive queries from any IP address. Recurssive queries
are a form of name resolution that may require a name server to relay
requests to other name servers.
Providing recursive queries to arbitrary IP addresses on the internet
exposes a name server to both cache poisoning and denial of service
attacks. Such requests should be restricted to trusted sources. But
the study found that up to 84 per cent of the name servers
investigated relayed requests from world + dog, violating best
practices and opening the door to possible hacking attack.
The survey also revealed that more than 40 per cent of the name
servers investigated provide zone transfers to arbitrary queries. Like
recursive name services, zone transfers, which copy an entire segment
of an organization's DNS data from one DNS server to another, should
only be allowed for a designated list of trusted, authorised hosts.
Network configuration errors in setting up redundant servers for extra
availability were also uncovering during the study, which involved
using a series of carefully designed queries in order to gauge the
relative vulnerability of each name server to attacks or failures.
Cricket Liu, vice president of architecture at Infoblox and author of
O'Reilly & Associates' DNS and BIND, DNS & BIND Cookbook, and DNS On
Windows Server 2003, said "Given what enterprises are risking - the
availability of all of their network services - these results are
frightening, especially since there are easy ways to address these
Infoblox has come up with a list of 'top tips' designed to help
enterprises to guard against DNS vulnerabilities:
1. If possible, split external name servers into authoritative name
servers and forwarders.
2. On external authoritative name servers, disable recursion. On
forwarders, allow only queries from your internal address space.
3. If you can't split your authoritative name servers and forwarders,
restrict recursion as much as possible. Only allow recursive
queries if they come from your internal address space.
4. Use hardened, secure appliances instead of systems based on
general-purpose servers and operating software applications (such
as InfoBlox's appliance for DNS, we guess the firm is saying here,
well it had to get a product pitch in there somewhere).
5. Make sure you run the latest version of your domain name server
6. Filter traffic to and from your external name servers. Using either
firewall or router-based filters, ensure that only authorized
traffic is allowed between your name servers and the Internet.
InfoSec News v2.0 - Coming Soon!