SOURCE: Infoblox

October 09, 2006 09:00 ET

Second Annual DNS Survey Reveals Growth and Improvements, But Many Systems Still Vulnerable to Attacks

Infoblox Introduces Cricket Liu's DNS Advisor: Free Online Tool Enables Organizations to Assess Their DNS Systems and Provides Recommendations for Addressing Weaknesses

SANTA CLARA, CA -- (MARKET WIRE) -- October 9, 2006 -- Infoblox Inc., a developer of essential infrastructure for identity-driven networks (IDNs), and The Measurement Factory, experts in performance testing and protocol compliance, today announced availability of the "2006 DNS Report Card," featuring results of their second-annual survey of domain name servers (DNS) on the public Internet. In related news, Infoblox also announced today availability of Cricket Liu's DNS Advisor, a free online tool that assesses an organization's external DNS systems and provides a report that includes helpful advice for improvement.

DNS servers are essential network infrastructure that map domain names (e.g., yahoo.com) to IP addresses (e.g., 66.94.234.13), directing Internet inquiries to the appropriate location. Domain name resolution conducted by these servers is required to perform any Internet-related request. Should an enterprise or organization's DNS systems fail, all Internet functions, including email, web access, e-commerce, and extranets become unavailable.

The DNS survey provides an estimate of the total number of DNS servers deployed and also examines the configuration of servers that are scanned. It was based on a sample that included 5 percent of the IPv4 address space -- nearly 80 million devices. The results were categorized in 3 areas, covering DNS infrastructure, security, and adoption of new applications. By comparing results from the 2006 survey with those compiled in the 2005 survey, a picture of key trends emerges. Highlights of the results include the following:

DNS Infrastructure Earns a "B" Grade

--  Total number of external DNS servers grew 20 percent, from 7.5 million
    in 2005 to 9 million in 2006.  Most of the growth appeared to come from
    developing economies, and many of the new servers are embedded in access
    devices, such as cable modems and DSL routers.
--  Use of BIND 9 -- the most recent and secure version of open-source
    domain name server software -- grew from 58 percent of the total in 2005 to
    61 percent in 2006, implying that organizations are paying attention to the
    version of BIND they are running and that they are increasingly aware of
    related security issues.
--  Use of BIND 8 -- an older version of DNS software -- decreased by 30
    percent from 20 percent (2005) to 14 percent (2006), indicating that many
    organizations are making the effort to deploy the most reliable and secure
    DNS implementations.
--  Use of the Microsoft DNS Server decreased by 50 percent from 10
    percent to 5 percent of the total in 2006, perhaps reflecting concerns over
    risks associated with deploying Microsoft Windows servers that are exposed
    to the public Internet.
    
DNS Security Barely Passes with a "D+" Grade
--  More than 50 percent of Internet name servers allow recursive name
    services -- a form of name resolution that often requires a name server to
    relay requests to other name servers -- leaving many networks vulnerable to
    pharming attacks and enabling their servers to be used in DNS amplification
    attacks that can take down important DNS infrastructure.
--  Over 29 percent of DNS servers surveyed allow zone transfers to
    arbitrary queriers, enabling duplication of an entire segment of an
    organization's DNS data from one DNS server to another and leaving them
    easy targets for denial of service attacks.
    
Security researcher Dan Kaminsky, who has spent several years investigating security and reliability issues in the Internet's Domain Name System, commented: "People tend to take DNS for granted, but if it goes down, so does your network. As Infoblox's data shows, there are indeed organizations that should take urgent action to bolster their DNS infrastructure."

Cricket Liu, vice president of architecture at Infoblox and author of O'Reilly & Associates' "DNS and BIND," "DNS & BIND Cookbook," and "DNS On Windows Server 2003," commented, "While there have been improvements, organizations still need to be cognizant that without proper configuration and management, their DNS infrastructures are likely to be vulnerable to attack and brittle in the face of common outages. All organizations should assess their DNS systems and immediately take the necessary steps to make them reliable and secure."

Cricket Liu's DNS Advisor Helps Organizations Identify Specific Vulnerabilities

Now available on the Infoblox website is the Cricket Liu DNS Advisor tool, designed to identify DNS infrastructure vulnerabilities and configuration deficiencies. The tool tests for a variety of DNS-related variables, including the following:

--  Single points of failure, which can compromise network availability;
--  Misconfigured or poorly operating name servers that can compromise
    network availability and pose a security risk;
--  Unsecured zone transfers that can expose name servers to denial of
    service attacks;
--  IP address/name inconsistency which can result in network management
    confusion;
--  Outdated BIND versions that leave networks vulnerable to a variety of
    known attacks; and
--  Unsecured recursive queries that leave name servers vulnerable to DNS
    cache poisoning and denial of service attacks.
    
According to Liu, there are several simple steps and deployment best practices that enterprises can take to address DNS vulnerabilities and configuration issues, such as those tested above:

1. On external authoritative name servers, disable recursion. On forwarders, allow only queries from your internal address space.

2. If you can't split your authoritative name servers and forwarders, restrict recursion as much as possible. Only allow recursive queries if they come from your internal address space.

3. Use hardened, secure appliances that enable easy upgrades instead of systems based on general-purpose servers and operating software applications.

4. Make sure you run the latest version of your domain name server software.

5. Filter traffic to and from your external name servers. Using either firewall- or router-based filters, ensure that only authorized traffic is allowed between your name servers and the Internet.

To view the complete "2006 DNS Report Card," access the Infoblox DNS Advisor Tool and find more DNS Best Practices to address vulnerabilities, visit: http://www.infoblox.com/library/dns_resources.cfm.

About Infoblox

Infoblox develops essential infrastructure used for establishing identity-driven networks (IDNs). Infoblox network identity appliances deliver nonstop DNS, DHCP, IPAM, RADIUS and related services with unparalleled reliability, manageability, scalability and security. Over 1,200 organizations worldwide, including many of the Fortune 500, use Infoblox solutions for the critical naming, authentication, authorization and IP management services that make their networks secure, robust, manageable and compliant. The company is headquartered in Santa Clara, CA and operates in more than 30 countries. For more information, call +1.408.625.4200, email info@infoblox.com, or visit www.infoblox.com.

About The Measurement Factory

The Measurement Factory provides a variety products and services related to Internet testing and measurement, with a current focus on DNS, HTTP, and ICAP. Most of the Factory's products are available under open-source licenses. For more information, call +1-303-938-6863, email info@measurement-factory.com, or visit www.measurement-factory.com.

Contact Information