SOURCE: Infoblox

October 24, 2005 09:00 ET

New Survey Reveals More Than 75 Percent of Authoritative Name Servers Have an Increased Vulnerability to DNS Pharming Attacks

SUNNYVALE, CA -- (MARKET WIRE) -- October 24, 2005 -- The Measurement Factory, experts in performance testing and protocol compliance, and Infoblox Inc., a developer of essential infrastructure for identity-driven networks, today announced results of a survey of more than 1.3 million Internet-connected, authoritative domain name system (DNS) servers around the globe. The results of the survey, available at The Measurement Factory website (http://dns.measurement-factory.com/surveys/sum1.html), indicate that as many as 84 percent of Internet name servers could be vulnerable to pharming attacks, and that many exhibit other security and deployment-related vulnerabilities.

DNS servers are essential network infrastructure that map names (e.g., yahoo.com) to IP addresses (e.g., 66.94.234.13), directing Internet inquiries to the appropriate location. Simply put, domain name resolution conducted by these servers is required to perform any Internet-related request. Should an enterprise or organization's DNS systems fail, all Internet functions, like email and Web access, simply will not be available.

The survey -- conducted by The Measurement Factory and sponsored by Infoblox -- consisted of a number of queries carefully designed to determine the relative vulnerability of each name server to attacks or failures due to security or configuration, which can jeopardize network availability.

Survey Results Expose Widespread Vulnerabilities

The most surprising result of the survey showed that between 75 and 84 percent of the name servers investigated provide recursive name services to arbitrary queriers on the Internet. Industry best practices dictate that recursive name services -- a form of name resolution that may require a name server to relay requests to other name servers -- should only be enabled on a DNS server for a restricted list of known, trusted requestors. Providing recursion to arbitrary IP addresses on the Internet exposes a name server to both cache poisoning and denial of service attacks. For example, the recent spate of "pharming" attacks exploit name servers that allow recursive queries from any IP address.

The survey also revealed that over 40 percent of the name servers investigated provide zone transfers to arbitrary queriers. Like recursive name services, zone transfers, which copy an entire segment of an organization's DNS data from one DNS server to another, should only be allowed for a designated list of trusted, authorized hosts, such as secondary name servers. Offering zone transfers to any requestor exposes a name server to denial of service attacks.

The survey also showed that almost one-third of the name servers that have been set up to provide redundancy for authoritative data are configured on the same IP network segment. As a result, a successful denial-of-service attack on a single network segment or a failure of a limited portion of the customer's network can result in a loss of authoritative name resolution service, eliminating the intended benefit of installing multiple, redundant DNS servers.

Cricket Liu, vice president of architecture at Infoblox and author of O'Reilly & Associates' "DNS and BIND," "DNS & BIND Cookbook," and "DNS On Windows Server 2003," commented, "Given what enterprises are risking -- the availability of all of their network services -- these results are frightening, especially since there are easy ways to address these issues."

Remedies to Address DNS Vulnerabilities

According to Liu, there are several simple steps and deployment best practices that enterprises can take to protect against these vulnerabilities and others:

   1.  If possible, split external name servers into authoritative name
       servers and forwarders.

   2.  On external authoritative name servers, disable recursion. On
       forwarders, allow only queries from your internal address space.

   3.  If you can't split your authoritative name servers and forwarders,
       restrict recursion as much as possible. Only allow recursive queries
       if they come from your internal address space.

   4.  Use hardened, secure appliances instead of systems based on general-
       purpose servers and operating software applications.

   5.  Make sure you run the latest version of your domain name server
software.

   6.  Filter traffic to and from your external name servers. Using either
       firewall- or router-based filters, ensure that only authorized
       traffic is allowed between your name servers and the Internet.
To view more helpful tools for DNS Best Practices, visit: http://www.infoblox.com/library/dns_resources.cfm.

To view the complete survey results, visit: http://dns.measurement-factory.com/surveys/sum1.html

About Infoblox

Infoblox develops essential infrastructure used for establishing identity-driven networks (IDNs). Infoblox network identity appliances deliver nonstop DNS, DHCP, IPAM, RADIUS and related services with unparalleled reliability, manageability, scalability and security. Hundreds of organizations worldwide, including many of the Fortune 500, use Infoblox solutions for the critical naming, authentication, authorization and IP management services that make their networks secure, robust, manageable and compliant. The company is headquartered in Sunnyvale, CA and operates in more than 30 countries. For more information, call +1.408.716.4300, email info@infoblox.com, or visit www.infoblox.com.

About The Measurement Factory

The Measurement Factory provides a variety products and services related to Internet testing and measurement, with a current focus on DNS, HTTP, and ICAP. Most of the Factory's products are available under open-source licenses. For more information, call +1-303-938-6863, email info@measurement-factory.com, or visit www.measurement-factory.com.

Contact Information