SOURCE: Infoblox

November 19, 2007 09:00 ET

DNS Survey Reveals Many Systems Still Vulnerable to Attacks Despite Some Marked Improvements

SANTA CLARA, CA--(Marketwire - November 19, 2007) - Infoblox Inc., a developer of appliances that deliver "utility-grade" core network services, and The Measurement Factory, experts in performance testing and protocol compliance, today announced results from the third-annual survey of domain name servers on the public Internet.

DNS servers are essential network infrastructure that map domain names (e.g., yahoo.com) to IP addresses (e.g., 66.94.234.13), directing Internet inquiries to the appropriate location. Domain name resolution conducted by these servers is required to perform any Internet-related request. Should an enterprise or organization's DNS systems fail, all Internet functions, including email, web access, e-commerce, and extranets become unavailable.

Overall, results indicate that the number of DNS systems is increasing, which is a good indicator of Internet growth in terms of infrastructure, users, traffic and applications. Also on a positive note, results indicate that the DNS infrastructure is modernizing and coalescing around the most recent versions of BIND. Further, there is a real indication of interest in fighting spam. However, many DNS servers still allow recursion and zone transfers, indicating that the global DNS system is as vulnerable as ever.

"For the overall security of the Internet, it is good to see movement away from Microsoft DNS Servers for external DNS as well as a growing trend to use the most recent versions of BIND, which are more secure," Cricket Liu, vice president of architecture at Infoblox and author of O'Reilly & Associates' "DNS and BIND," "DNS & BIND Cookbook," and "DNS On Windows Server 2003," commented. "However, even with growing adoption of more secure name servers, compromises of these systems are still occurring, and organizations need to pay more attention to configurations and deployment architectures that are leaving their DNS infrastructures vulnerable to attacks and outages. Instead of waiting until they are attacked, all organizations should assess their DNS infrastructure and immediately take the necessary steps to make them more reliable and secure."

Following are the key 2007 DNS survey results, which are based on a sample that included 5 percent of the IPv4 address space, nearly 80 million addresses.

The Good News

Overall growth and modernization of DNS systems improves security and availability. Further, there is a real indication of interest in fighting spam.

--  The Internet-facing DNS server count increased to 11.5 million (up from
    ~9 million in 2006 and 7.5 million in 2005) -- The domain name system is
    growing, a good indicator of the overall growth of the Internet, users,
    traffic and applications.
    
--  BIND 9 usage grew to 65% in 2007 (up from 61% in 2006 and 58% in
    2005) -- The growing use of the most recent and secure version of open-
    source domain name server software indicates that organizations are paying
    attention to the version of BIND they are running and that they are
    increasingly aware of related security issues.
    
--  BIND 8 usage decreased to 5.6% in 2007 (down from 14% in 2006 and 20% in
    2005) -- The decreased usage of BIND 8 -- an older version recently "end-of-
    lifed" by ISC -- by almost two-thirds year-over-year, indicates that many
    organizations are making the effort to deploy the most reliable and secure
    DNS implementations and are making the global DNS infrastructure more
    secure.
    
--  Usage of the Microsoft DNS Server cut in half (a decrease to 2.7% from 5%
    in 2006 and 10% in 2005) -- The significant reduction in usage of the
    Microsoft DNS Server by nearly one-half reflects concerns over risks
    associated with deploying Microsoft Windows servers that are exposed to the
    public Internet.
    
--  Support for SPF increased to 12.6% in 2007 (up from 5% of the zones
    sampled in 2006) -- This increase in usage of SPF (the Sender Policy
    Framework) increases the effectiveness of the technology, and indicates
    that organizations are taking email fraud seriously.
    

The Bad News

Continued deployment and configuration mistakes are leaving the global DNS system as vulnerable as ever.

--  Still more than 50% of Internet name servers allow recursive queries
    (consistent with 2006) -- This form of name resolution often requires a
    name server to relay requests to other name servers, which can leave name
    servers vulnerable to pharming attacks and allow those servers to be used
    in DNS amplification attacks that can take down important Internet
    infrastructure.
    
--  DNS servers surveyed allowing zone transfers to arbitrary requestors grew
    to 31% in 2007 (up from 29% in 2006) -- Allowing zone transfers to
    arbitrary queriers enables duplication of an entire segment of an
    organization's DNS data from one DNS server to another and can leave them
    as easy targets for denial-of-service attacks.
    
--  Still ~75% of zones surveyed have low expire values and almost 78% still
    use negative-caching TTL settings outside the suggested range of one to
    three hours -- These figures, consistent with 2006, indicate that many DNS
    servers are not configured correctly, which can significantly increases the
    risk of service outages to an organization.
    
--  Only .002% of zones tested support DNSSEC -- Limited adoption of DNSSEC,
    the IETF standard that adds cryptographic authentication and integrity
    checking to DNS, indicates that administrators are not convinced of its
    importance, are perhaps intimidated by its complexity, and that the
    standard seems unlikely to succeed on its own merits as a means to improve
    DNS security.
    

To view the complete 2007 DNS survey results and to access several best practices guides and tools, like the Infoblox DNS Advisor, which helps assess the vulnerability of an organization's DNS infrastructure, visit: http://www.infoblox.com/library/dns_resources.cfm.

About Infoblox

Infoblox appliances deliver utility-grade core network services, including domain name resolution (DNS), IP address assignment and management (IPAM/DHCP), authentication (RADIUS) and related services. Infoblox solutions, which provide the essential "glue" between networks and applications, are used by over 1,900 organizations worldwide, including over 100 of the Fortune 500. The company is headquartered in Santa Clara, Calif., and operates in more than 30 countries. For more information, call +1.408.625.4200, email info@infoblox.com, or visit www.infoblox.com.

About The Measurement Factory

The Measurement Factory provides a variety products and services related to Internet testing and measurement, with a current focus on DNS, HTTP, and ICAP. Most of the Factory's products are available under open-source licenses. For more information, call +1-303-938-6863, email info@measurement-factory.com, or visit www.measurement-factory.com.

Contact Information

  • Media Contacts:
    Jennifer Jasper
    Infoblox
    408.625.4309
    Email Contact