-- 90% of name servers that run BIND run one of the most recent versions
of BIND 9; a small but significant number of administrators continue to run
older versions of BIND on Internet-facing name servers, putting their
organizations at risk.
-- Only .17% still rely on Microsoft DNS Server, down from 2.7% (2007);
usage of insecure Microsoft DNS Servers connected to the Internet is
vanishing.
-- Support for Sender Protection Framework (SPF) within DNS for spam
reduction increased from 12.6% of zones sampled to 16.7%; despite the
complexity of SPF configuration, validating email senders is increasing in
importance and organizations are taking email fraud seriously.
BAD NEWS
-- One in four DNS servers does not perform source port randomization --
the "patch" for "the Kaminsky vulnerability"; the effort by vendors and the
Internet's DNS community to encourage administrators to upgrade their name
servers after the announcement of the Kaminsky vulnerability paid off;
however, a surprising number have not been upgraded and are very vulnerable
to cache poisoning.
-- More than 40% of Internet name servers allow recursive queries; there
are still millions of open recursors on the Internet, a danger both to
themselves and others -- they are vulnerable to cache poisoning and
Distributed Denial of Service attacks.
-- 30% of DNS servers surveyed allow zone transfers to arbitrary
requestors; this leaves servers as easy targets for denial-of-service
attacks.
-- Only .002% of DNS zones tested support DNSSEC; administrators have not
been convinced of its importance -- perhaps intimidated by its complexity
-- but new mandates could mean a significant change in the near future.
MISC.
-- Usage of IPv6 name servers continues to increase from .27% to .44%;
while enterprises are investigating IPv6 and concerned about increasingly
scarce IPv4 address space, adoption of IPv6 is still low -- address
scarcity isn't yet considered a serious concern and they feel no urgency to
adopt IPv6.
Call to Action
Based on these statistics, there are some clear calls to action for
organizations with external DNS servers. Instead of waiting until they are
attacked, all organizations should assess their DNS infrastructure and
immediately take the necessary steps to make it more reliable and secure.
Infoblox provides a number of free, automated tools that enable
organizations to test their DNS infrastructure and identify weaknesses and
vulnerabilities. These tools and many other resources, as well as the
complete DNS Survey results, are available on the Infoblox.com Web site at:
http://www.infoblox.com/library/dns_resources.cfm.
About Infoblox
Infoblox appliances deliver utility-grade core network services, including
domain name resolution (DNS), IP address assignment and management
(IPAM/DHCP), authentication (RADIUS) and related services. Infoblox
solutions, which provide the essential "glue" between networks and
applications, are used by over 2,300 organizations worldwide, including
over 100 of the Fortune 500. The company is headquartered in Santa Clara,
Calif., and operates in more than 30 countries. For more information, call
+1.408.625.4200, email info@infoblox.com, or visit www.infoblox.com.
About The Measurement Factory
The Measurement Factory provides a variety of products and services related
to Internet testing and measurement, with a current focus on DNS, HTTP, and
ICAP. Most of the Factory's products are available under open-source
licenses. For more information, call +1-303-938-6863, email
info@measurement-factory.com, or visit www.measurement-factory.com.
Contact Information:
Media Contacts:
Jennifer Jasper
Infoblox
408.625.4309