December 05, 2007

Survey Shows DNS Servers’ Configuration Errors Still Widespread


Configuration errors are exposing millions of DNS servers to Denial of Service (DoS) attacks and other security threats, a survey by Infoblox and The Measurement Factory has found. Despite how easily administrators could correct these configuration errors, more than 50 percent of the Internet’s DNS servers remain vulnerable to a variety of attacks, according to the random survey of 5 percent—or approximately 88.4 million—of IPv4 address servers.

Infoblox, a supplier of core network service appliances, and The Measurement Factory, a provider of Internet testing and measurement products and services, have conducted the survey for three years. The survey randomly selects 5 percent of the advertised address space from the global routing table of the University of Oregon Route Views project. The survey sends standard queries to the servers to probe software and configuration metrics. To avoid the appearance of Black Hat network probing, Infoblox and The Measurement Factory publish the source IP addresses on their Web sites.

The two queries Infoblox and The Measurement Factory used to determine configuration errors were for recursive queries and zone transfers.

A recursive query requires a name server to relay requests to other name servers on the client's behalf. Each recursive query a server accepts ties up that server's computing resources. A name server also has a limit on the number of recursive queries it can handle, so once the number of queries reaches that limit, the server rejects any further traffic sent its way. Someone can therefore stop a name server from operating by flooding it with recursive queries until it reaches its limit and starts rejecting valid requests. Allowing recursive queries also exposes servers to pharming attacks, cache poisoning, and DoS attacks, and allows those servers to be used in DNS amplification attacks.

The survey found that over 52 percent of public DNS servers allowed recursive queries—findings similar to those of the 2006 study. “Ideally, in a perfect world, no name servers out there on the Internet would do that for us,” said Cricket Liu, Infoblox’s vice president of architecture, and author of DNS and BIND, DNS & BIND Cookbook, and DNS on Windows Server 2003 (O’Reilly & Associates). “Because we are just coming in from some random-source IP address, and those name servers have no relationship to us, they should refuse to offer recursive name service to us,” Liu said.

If servers allow zone transfers to arbitrary queries, those servers’ DNS data can be duplicated to another DNS server, which can subject the servers to DoS attacks. The number of DNS servers that allowed zone transfers grew from 29 percent in 2006 to 31 percent in 2007.
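The two checks described above (recursion and zone transfers), as an added example that is not the survey's own tooling: a Python classifier for auditing replies from name servers you operate, as they would look to an unrelated source address. The function names, labels and sample replies are constructed for illustration; the recursion check assumes the queried name is one the server is not authoritative for.

```python
import struct

QTYPE_A, QTYPE_AXFR, RCODE_REFUSED = 1, 252, 5

def build_query(qid, name, qtype, rd=True):
    """Encode a one-question DNS query in RFC 1035 wire format."""
    header = struct.pack("!HHHHHH", qid, 0x0100 if rd else 0, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN

def classify(query, response):
    """Label a reply to build_query() as seen from an unrelated source address.

    For AXFR (sent over TCP) pass the message without its 2-byte length prefix.
    """
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    qid, qtype = struct.unpack("!H", query[:2])[0], struct.unpack("!H", query[-4:-2])[0]
    rid, flags, _qd, ancount = struct.unpack("!HHHH", response[:8])
    if rid != qid or not flags & 0x8000:        # ID mismatch or QR bit clear
        return "not-a-reply"
    rcode, ra = flags & 0x000F, bool(flags & 0x0080)
    if qtype == QTYPE_AXFR:
        return "transfer-allowed" if rcode == 0 and ancount > 0 else "transfer-refused"
    # RA set and no REFUSED: the server will resolve names for strangers.
    return "open-recursion" if ra and rcode != RCODE_REFUSED else "recursion-refused"

def make_reply(query, flags, answer=b""):
    """Constructed sample reply: echo the question, optionally append one record."""
    qid = struct.unpack("!H", query[:2])[0]
    head = struct.pack("!HHHHHH", qid, flags, 1, 1 if answer else 0, 0, 0)
    return head + query[12:] + answer

def demo():
    """Classify four constructed replies (documentation names and addresses)."""
    a_q = build_query(0x1A2B, "www.example.net", QTYPE_A)
    x_q = build_query(0x3C4D, "example.com", QTYPE_AXFR, rd=False)
    a_rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    soa = (b"\xc0\x0c" + struct.pack("!HHIH", 6, 1, 300, 24) + b"\xc0\x0c\xc0\x0c"
           + struct.pack("!IIIII", 2007120501, 3600, 600, 86400, 300))
    return [
        classify(a_q, make_reply(a_q, 0x8180, a_rr)),  # QR RD RA, NOERROR + A record
        classify(a_q, make_reply(a_q, 0x8105)),        # QR RD, REFUSED, RA clear
        classify(x_q, make_reply(x_q, 0x8400, soa)),   # QR AA, NOERROR + SOA record
        classify(x_q, make_reply(x_q, 0x8005)),        # QR, REFUSED
    ]

if __name__ == "__main__":
    print(demo())
```

A server that returns `open-recursion` or `transfer-allowed` to an address it has no relationship with is in the misconfigured group the survey counted.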

Not all the news from the survey results was bad news. The survey found that the Internet infrastructure continues to grow at a healthy rate.

The number of name servers grew from 9 million in 2006 to approximately 11.7 million in 2007—a 30 percent increase, and a 56 percent increase from the 7.5 million name servers found in 2005. Liu said the increased number of DNS servers is an indication of how important DNS has become. “You probably wouldn’t find as many of almost any other kind of server out there,” Liu said, “even Web servers, for that matter.”

BIND 9 is the most prevalent DNS software by far, running on 65 percent of the public name servers, up from 61 percent in 2006 and 58 percent in 2005. The second most popular software is actually the previous version of BIND, BIND 8, running on 5.6 percent of DNS servers, down from 14 percent in 2006, and 20 percent in 2005. BIND 8 was declared End of Life (EOL) on August 27, 2007.

According to the survey, the use of Microsoft DNS Server decreased by almost half in 2007. Only 2.7 percent of public name servers ran Microsoft, compared with 5 percent in 2006 and 10 percent in 2005. Liu said this finding is completely counter to what he sees internally at 80 percent of large organizations and companies in the United States. “I think that most people are very leery of running [Microsoft DNS servers] externally where they are directly exposed to the Internet because of the difficulty of running Windows servers securely when they are directly accessible [through the Internet].”
