
Study: Most Organizations Still Vulnerable To DNS Cache-Poisoning Attacks

Less than 0.02 percent of the Internet has adopted DNSSEC thus far
DNSSEC might finally be making progress at the top-level domains, but a new study shows overall adoption still represents only a tiny fraction of the Internet, leaving most organizations still at risk of DNS cache-poisoning attacks.

Less than 0.02 percent of DNS zones are DNSSEC-signed, and nearly a quarter of those failed validation because their signatures had expired, according to data gathered by Infoblox and The Measurement Factory. That failure mode matters more than it sounds: a validating resolver treats a record whose RRSIG is past its expiration time as bogus and returns SERVFAIL, so to validating clients a zone with expired signatures is not merely unprotected, it is unreachable.

DNSSEC is considered the best defense against the DNS cache-poisoning attack that renowned researcher Dan Kaminsky brought to light more than a year ago. Source-port randomization only raises the cost of guessing a transaction; DNSSEC lets a resolver reject forged answers outright because they carry no valid signature. While the Infoblox survey found DNSSEC adoption jumped 340 percent this year, it still has a long way to go.

Cricket Liu, vice president of architecture at Infoblox and a DNS expert, says the survey also took a first look at whether the existing DNSSEC implementations out there were up and running. "The surprising thing about DNSSEC adoption is we saw numbers continue to go up ... but from minuscule to less-minuscule rates," Liu says. "This was the first time we took a look at the ability to validate data in those DNSSEC signed zones, and almost 25 percent failed validation because of expired signatures. That was disappointing."

He says the takeaway is that some of these organizations might have been testing DNSSEC as an experiment. "What this says is that with some tools DNSSEC can be hard to do," he says. "With one-fourth of the zones expired, that shows that re-signing with DNSSEC isn't automatic ... and people set it up once to experiment with it, and then walked away."
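The expired-signature failure Liu describes is easy to catch before resolvers do, because every RRSIG carries its own validity window. The following is an added example, not Infoblox's or The Measurement Factory's survey code: it parses RRSIG records in presentation format and reports which signatures are expired, not yet valid, or about to lapse. The zone name `example.test`, the key tags and the signature blobs are constructed for illustration, and the clock is frozen so the run is reproducible.

```python
"""Audit RRSIG validity windows so expired signatures are caught before
validating resolvers start returning SERVFAIL. Example code added to this
article; not Infoblox's or The Measurement Factory's tooling. The sample
records are constructed (hypothetical zone, key tags and signatures)."""
from datetime import datetime, timedelta, timezone

# RRSIG presentation format (RFC 4034 section 3.2):
# <owner> <TTL> IN RRSIG <type covered> <alg> <labels> <original TTL>
#   <expiration> <inception> <key tag> <signer> <signature>
# Expiration/inception are YYYYMMDDHHmmSS in UTC.


def parse_sig_time(s):
    """Turn an RRSIG timestamp field into an aware UTC datetime."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig(line):
    """Split one RRSIG line into the fields needed for the audit."""
    fields = line.split()
    if len(fields) < 13 or fields[3] != "RRSIG":
        raise ValueError("not an RRSIG record: %r" % line)
    return {
        "owner": fields[0],
        "type_covered": fields[4],
        "expiration": parse_sig_time(fields[8]),
        "inception": parse_sig_time(fields[9]),
        "key_tag": int(fields[10]),
        "signer": fields[11],
    }


def classify(sig, now, warn_days=7):
    """Return 'expired', 'not-yet-valid', 'expiring-soon' or 'ok'.
    A validating resolver treats the signature as bogus when 'now' lies
    outside [inception, expiration] (RFC 4035 section 5.3.1)."""
    if now > sig["expiration"]:
        return "expired"
    if now < sig["inception"]:
        return "not-yet-valid"
    if sig["expiration"] - now <= timedelta(days=warn_days):
        return "expiring-soon"
    return "ok"


def audit(lines, now, warn_days=7):
    """Map (owner, type covered) -> status for every RRSIG line given."""
    sigs = (parse_rrsig(line) for line in lines if line.strip())
    return {(s["owner"], s["type_covered"]): classify(s, now, warn_days)
            for s in sigs}


# Constructed sample data: hypothetical zone, key tags and signature blobs.
SAMPLE_RRSIGS = [
    "example.test. 3600 IN RRSIG A 8 2 3600 20101215000000 20101015000000 12345 example.test. AbCd==",
    "example.test. 3600 IN RRSIG SOA 8 2 3600 20101101000000 20101002000000 12345 example.test. EfGh==",
    "www.example.test. 3600 IN RRSIG A 8 3 3600 20101112120000 20101013120000 12345 example.test. IjKl==",
    "example.test. 3600 IN RRSIG DNSKEY 8 2 3600 20101201000000 20101115000000 54321 example.test. MnOp==",
]

# Frozen "current time" so the audit above is reproducible.
FROZEN_NOW = datetime(2010, 11, 10, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for (owner, rtype), status in sorted(audit(SAMPLE_RRSIGS, FROZEN_NOW).items()):
        print("%-20s %-7s %s" % (owner, rtype, status))
```

In practice the input would come from `dig +dnssec` output or the signed zone file, and the run would be a cron job that pages on anything other than `ok`; the `expiring-soon` state is the one that turns a forgotten re-signing job into a warning rather than an outage.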

Kaminsky, meanwhile, has been working to make DNSSEC deployment simpler. He recently released a free toolkit, Phreebird Suite 1.0, that lets organizations test-drive DNSSEC and backs his claim that the protocol is not difficult to deploy. Phreebird is a real-time DNSSEC proxy that sits in front of an existing DNS server and signs its responses on the fly, so the zone behind it need not be re-signed by hand.

The Infoblox survey also found that nearly 75 percent of zones have all of their authoritative name servers in a single network (autonomous system), which makes that network a single point of failure. "This is a very bad thing," Liu says. If there were a fault in the routing infrastructure serving that network, the organization could lose its entire Internet presence, since no name server would remain reachable to answer for the zone.

Some networks also lack the basic configuration DNSSEC depends on, Liu says: nearly 20 percent of name servers don't accept queries over TCP, and 26.4 percent don't support Extension Mechanisms for DNS (EDNS0). Both matter because signed responses are far larger than the 512-byte limit of classic DNS over UDP; EDNS0 lets a client advertise a larger UDP buffer and carry the DO (DNSSEC OK) flag, and TCP is the fallback when an answer is still truncated. A server that drops OPT records or refuses TCP will serve signed data poorly or not at all.
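Both gaps can be probed from the wire. The following added example (not Infoblox's survey code) builds a DNS query with an EDNS0 OPT record and the DO bit set, parses the reply for the three things that matter (the TC bit, whether an OPT record came back and with what buffer size, and the AD bit), and reports what would block DNSSEC at that server. The sample reply is hand-built so the parser can be exercised offline; `query_server()` is the optional live probe and is the only part that touches the network. The name `example.test` and the address 192.0.2.1 are placeholders.

```python
"""Probe a name server for the two DNSSEC transport prerequisites the
survey found missing: EDNS0 (OPT RR, RFC 6891) and TCP fallback.
Example code added to this article, not Infoblox's survey tooling.
constructed_response() fabricates a reply for offline testing."""
import socket
import struct

OPT_TYPE = 41          # RR type of the EDNS0 OPT pseudo-record
DO_FLAG = 0x8000       # DNSSEC OK bit in the OPT record's TTL field
FLAG_TC = 0x0200       # response truncated: client must retry over TCP
FLAG_AD = 0x0020       # authenticated data (set by validating resolvers)


def build_query(name, qtype=1, edns=True, udp_size=4096, do_bit=True):
    """Wire-format query; with edns=True an OPT RR goes in the additional section."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1 if edns else 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)
    if not edns:
        return header + question
    # OPT RR: root owner name, TYPE=41, CLASS=UDP payload size,
    # TTL=ext-rcode|version|flags (DO=0x8000), RDLENGTH=0 (no options)
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, DO_FLAG if do_bit else 0, 0)
    return header + question + opt


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:      # two-byte compression pointer ends the name
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length


def parse_response(msg):
    """Pull out TC/AD bits, rcode, and the OPT record (if any) from a reply."""
    _id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4           # QTYPE + QCLASS
    info = {"tc": bool(flags & FLAG_TC), "ad": bool(flags & FLAG_AD),
            "rcode": flags & 0xF, "edns": False, "udp_size": 512, "do": False}
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:                   # server echoed EDNS0 support
            info.update(edns=True, udp_size=rclass, do=bool(ttl & DO_FLAG))
    return info


def transport_problems(udp_info, tcp_info):
    """List what would block DNSSEC at this server, given parsed UDP and TCP replies (None = no answer)."""
    problems = []
    if udp_info is None:
        problems.append("no UDP answer")
    elif not udp_info["edns"]:
        problems.append("no EDNS0: OPT RR dropped, responses capped at 512 bytes")
    elif udp_info["tc"]:
        problems.append("UDP answer truncated even with EDNS0; TCP fallback required")
    if tcp_info is None:
        problems.append("no TCP answer: truncated responses cannot be retried")
    return problems


def query_server(server, name, use_tcp=False, timeout=3.0):
    """Live probe: send one EDNS0/DO query over UDP or TCP, return parsed reply or None."""
    q = build_query(name)
    try:
        if use_tcp:
            with socket.create_connection((server, 53), timeout=timeout) as s:
                s.sendall(struct.pack("!H", len(q)) + q)   # TCP frames are length-prefixed
                hdr = s.recv(2)
                if len(hdr) < 2:
                    return None
                n, data = struct.unpack("!H", hdr)[0], b""
                while len(data) < n:
                    chunk = s.recv(n - len(data))
                    if not chunk:
                        return None
                    data += chunk
                return parse_response(data)
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(q, (server, 53))
            return parse_response(s.recvfrom(4096)[0])
    except OSError:                    # timeout, refused, unreachable
        return None


def constructed_response(tc=False, edns=True):
    """Hand-built reply for example.test A (placeholder data, not from a real server)."""
    flags = 0x8180 | (FLAG_TC if tc else 0)     # QR, RD, RA set
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 1, 0, 1 if edns else 0)
    question = b"\x07example\x04test\x00" + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, DO_FLAG, 0)
    return header + question + answer + (opt if edns else b"")


if __name__ == "__main__":
    good = parse_response(constructed_response())
    bad = parse_response(constructed_response(tc=True, edns=False))
    print("EDNS0-capable server:", transport_problems(good, good) or "ready")
    print("legacy server:", transport_problems(bad, None))
```

Against a real server the pattern is `transport_problems(query_server(ip, zone), query_server(ip, zone, use_tcp=True))`; a server that is "ready" here can still serve a signed zone badly if a middlebox in front of it strips OPT records or blocks TCP/53, so the probe is worth running from outside the network as well as inside it.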

Infoblox recommends that organizations prepare for DNSSEC adoption by upgrading to the newest version of BIND, using source-port randomization, separating internal and external name servers, and separating authoritative from recursive name servers. The last point is the one most directly tied to cache poisoning: only a recursive server keeps a cache, so running the authoritative service on a separate host keeps a poisoned cache from affecting the zones the organization publishes. For more information on DNS best practices, see Infoblox's DNS best-practices site.
