AOH :: ISN-3117.HTM

Is your DNS server configured wrong?

Is your DNS server configured wrong?
Is your DNS server configured wrong? 

By Carolyn Duffy Marsan
Network World

More than half of the Internets name servers are configured incorrectly, 
leaving networks vulnerable to pharming attacks and enabling servers to 
be used in attacks that can wipe out DNS infrastructure.

This is the key finding of a survey of the Internets domain name servers 
released Monday. The Measurement Factory conducted the survey for 
Infoblox, which sells DNS appliances.

Overall, the 2006 DNS Report Card assigned a grade of D+ for DNS 
security. This is the second annual survey conducted by The Measurement 
Factory about the state of the global DNS.

We saw an increase in the pace and severity of attacks and outages 
resulting from bad configurations in the DNS infrastructure,? says Rick 
Kagan, vice president of marketing for Infoblox.

The surveys main finding was that more than half of the Internets name 
servers allow recursive name services. This is a form of name resolution 
that often requires a name server to relay requests to other name 

Infoblox says that allowing recursive name services leaves networks 
vulnerable to cache poisoning attacks, in which users are redirected to 
a different Web site often for the purpose of capturing personal 

"There is no need for servers to support recursive name services,? Kagan 
says. "The problem is that BIND 9 enables recursive name services by 
defaultThis is a bad vulnerability. It has been exploited; there are 
public examples where that has happened. But its easy to fix and people 
should address it.?

Another DNS configuration problem that the survey found is that 29% of 
DNS servers allow zone transfers to arbitrary requesters. Zone transfers 
copy DNS data from one server to another, and leave servers open to 
denial-of-service attacks.

The surveys other findings were:
* The number of DNS servers connected to the Internet rose 20% in the 
  last year to 9 million. Most of that growth was in Europe and Asia, 
  with many new DNS servers embedded in cable modems and phone gateways.
* The number of DNS servers running the latest open source software BIND 
  9 from Internet Software Consortium rather than the older BIND 8 rose 
  from 58% in 2005 to 61% in 2006.
* Only two out of every 1,000 DNS servers support IPv6, showing the slow 
  pace at which this upgrade to the Internets main communications 
  protocol is being deployed.
* Virtually no one is using DNSSEC, the proposed standard for 
  authenticating DNS data. DNSSEC is supported on one out of every 
  100,000 DNS servers.

All contents copyright 1995-2006 Network World, Inc.

Visit the InfoSec News store! 

Site design & layout copyright © 1986-2015 CodeGods