11/19/2007
07:02 AM
DNS Servers in Harm's Way

Security of Internet-facing Domain Name Service (DNS) servers often overlooked

Sometimes it takes a DNS attack for an organization to get serious about the security of its Internet-facing DNS name servers. Many of these servers are still not properly secured or configured, security experts say, leaving them open to abuse in distributed denial-of-service (DDoS) and other attacks.

"There are many organizations who are still in the dark about managing their external DNS," says David Ulevitch, CEO of OpenDNS. "Just as people run firewalls and anti-spam systems, it's important for them to manage the DNS coming into, and leaving, their network.

"Many organizations today manage their internal DNS, but leave their Internet-facing DNS wide open to abuse their network and act as a vector for malicious activity," he says.

The widely anticipated DNSSEC standard from the Internet Engineering Task Force (IETF) has yet to take off, and the Internet community has been nervously awaiting another big DNS attack like the one on the Internet's root servers in February. (See DNS Attack: Only a Warning Shot?.) A new survey conducted by DNS vendor Infoblox and The Measurement Factory found that organizations aren't configuring their DNS servers for security. According to the survey, the findings of which were released today, DNSSEC adoption is practically nonexistent: 0.002 percent of the servers in the sample had it. More than half of the servers answer recursive queries from arbitrary clients, and 31 percent allow zone transfers; both features can be abused by an attacker.

Infoblox, which took a random sampling of five percent of the IPv4 address space, estimates that there are 11.5 million DNS servers on the Internet today, up from 9 million last year.

The good news, says Cricket Liu, vice president of architecture for Infoblox, is that most of the servers his company studied were running the newest version of the DNS server platform BIND, version 9. Sixty-five percent were running BIND 9, versus 61 percent last year, according to the survey, he says. "That BIND 9 is in two thirds of the name servers is substantial," Liu says. "But I'm saddened by other things like recursion and open-zone transfers -- these are things that any admin could easily fix."

Infoblox's Liu says the move to BIND 9 means better-secured DNS servers than under its BIND 8 predecessor, since the Unix- and Linux-based server was rewritten from the ground up with security in mind.

But Thomas Ptacek, a principal with Matasano Security, disagrees. "BIND 9 is not more secure than BIND 8 -- both BIND 9 and BIND 8 are security disasters," he says. "BIND 9 is to DNS what Sendmail is to email -- an ancient, ugly, big, overly featured, designed-by-committee monstrosity that is a perennial target for hackers."

Ptacek says there are ways to configure BIND 9 for security, but a more secure option is the rival djbdns DNS server platform, which was built in response to BIND's security problems.

Although Ptacek says a server allowing recursive queries is no big security threat, Infoblox's Liu argues that this feature leaves DNS servers exposed to cache-poisoning and DDoS attacks. Open recursion lets an attacker make any such name server resolve names on his behalf, he says. Because DNS queries travel over UDP, the attacker can also forge a victim's address as the source of those queries, so the server's much larger responses are delivered to the victim instead. That lets open servers be used in DNS-amplification attacks that can basically take down a network, Liu says.

Zone transfers, meanwhile, copy DNS zone data from one DNS server to another; a server that accepts transfer requests from anyone hands out its complete zone, and the transfers can also be abused in a DDoS attack. "When someone says 30 percent of servers allow zone transfers, what they're really saying is 30 percent of DNS server administrators don't pay any attention to security," Matasano's Ptacek says. "A server that allows zone transfers allows random people to dump every name in the server to find machines to attack."
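The two checks discussed above (open recursion and open zone transfers), as an added example that is not code from the article, Infoblox or Matasano: a POSIX shell script that parses dig output to decide whether a server resolves arbitrary names on a client's behalf and whether it hands over its zone on request, and that prints the BIND 9 named.conf settings (recursion, allow-transfer) which close both. The name server, zone and addresses are hypothetical (RFC 5737 ranges), the sample dig outputs are constructed, and the live probes require dig on PATH and authorization to test the server.

```shell
#!/bin/sh
# Added example, not code from the article, Infoblox, or Matasano: audit a
# name server for the two misconfigurations the survey counts (open recursion
# and open zone transfers) by parsing dig output, and print the BIND 9
# named.conf settings that close them.
# Assumptions: dig from the BIND utilities is on PATH for live probes; the
# host names, zone names and addresses below are hypothetical (RFC 5737 ranges).

# --- parsers: operate on captured dig output, so they run offline -----------

# True when the server resolved a name it is not authoritative for on the
# client's behalf: the 'ra' (recursion available) flag is set and the
# ANSWER count is non-zero. A server closed to this client answers REFUSED
# (or returns only a referral) with 'ra' clear, so the test fails.
recursion_open() {
    printf '%s\n' "$1" | grep -q 'flags:[^;]* ra' &&
    printf '%s\n' "$1" | grep -q 'ANSWER: [1-9]'
}

# True when an AXFR succeeded: dig prints a trailing ';; XFR size: N records'
# line only after transferring records; a refused transfer prints
# '; Transfer failed.' instead.
axfr_open() {
    printf '%s\n' "$1" | grep -q '^;; XFR size: [1-9]'
}

# --- live probes (network required) ---------------------------------------

# Ask NS ($1) to resolve PROBE ($2), a name outside every zone NS serves.
probe_recursion() { dig @"$1" "$2" A +tries=1 +time=3 2>/dev/null; }
# Request a full copy of ZONE ($2) from NS ($1).
probe_axfr()      { dig @"$1" "$2" AXFR +tries=1 +time=3 2>/dev/null; }

# audit_server NS ZONE PROBE_NAME: print one verdict line per check.
audit_server() {
    ns=$1; zone=$2; probe=$3
    if recursion_open "$(probe_recursion "$ns" "$probe")"; then
        echo "$ns: OPEN RECURSION ($probe resolved for us): amplification and cache-poisoning surface"
    else
        echo "$ns: recursion closed"
    fi
    if axfr_open "$(probe_axfr "$ns" "$zone")"; then
        echo "$ns: OPEN ZONE TRANSFER for $zone: every host in the zone is enumerable"
    else
        echo "$ns: zone transfer refused for $zone"
    fi
}

# --- remediation: BIND 9 named.conf fragment -------------------------------

# Authoritative-only server: no recursion for anyone, transfers only to the
# listed secondaries. (A separate resolver for your own users would instead
# set 'recursion yes; allow-recursion { localnets; };'.)
hardened_named_conf() {
    cat <<'EOF'
options {
    recursion no;                 // authoritative-only: never resolve on a client's behalf
    allow-transfer { none; };     // deny AXFR globally; re-enable per zone below
};

zone "example.org" {
    type master;
    file "db.example.org";
    allow-transfer { 192.0.2.2; 198.51.100.2; };   // hypothetical secondaries only
};
EOF
}

# --- constructed sample dig output (not real captures) ---------------------

SAMPLE_RECURSION_OPEN=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:
www.example.net.        300     IN      A       192.0.2.10'

SAMPLE_RECURSION_REFUSED=';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4243
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0'

SAMPLE_AXFR_OPEN='example.org.        3600  IN  SOA  ns1.example.org. hostmaster.example.org. 2007111901 7200 900 1209600 3600
www.example.org.    3600  IN  A    192.0.2.20
example.org.        3600  IN  SOA  ns1.example.org. hostmaster.example.org. 2007111901 7200 900 1209600 3600
;; XFR size: 3 records (messages 1, bytes 160)'

SAMPLE_AXFR_REFUSED='; Transfer failed.'

# Offline demonstration on the constructed samples; replace with
#   audit_server ns1.example.org example.org www.example.net
# to probe a live server you are authorized to test.
recursion_open "$SAMPLE_RECURSION_OPEN"    && echo "sample 1: open recursion detected"
recursion_open "$SAMPLE_RECURSION_REFUSED" || echo "sample 2: recursion refused"
axfr_open "$SAMPLE_AXFR_OPEN"              && echo "sample 3: open zone transfer detected"
axfr_open "$SAMPLE_AXFR_REFUSED"           || echo "sample 4: zone transfer refused"
```

Requiring both the ra flag and a non-empty answer matters: BIND clears ra for clients outside its allow-recursion ACL and answers REFUSED, so either signal alone misclassifies. Restricting allow-transfer to known secondaries (better still, authenticated with TSIG keys) is the fix for the zone-transfer finding; turning recursion off on authoritative servers removes the amplification surface, but your own users then need a separate, access-controlled resolver.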

Meanwhile, security experts say the overall lack of DNSSEC adoption today is due to the standard's inherent complexity, which has kept it off the radar screen for most organizations. Still, Mark Beckett, vice president of marketing for Secure64 Software, which includes DNSSEC support in its DNS software, says some country-level domains are adopting the standard to shore up their DNS security. "Whether that extends to the root servers, the .coms and .nets, is unclear."

And much of the knowledge gap in DNS security is for administrative reasons, security analysts say. "DNS is a black art, and few have the skills and resources to do it well," says Robert Whiteley of Forrester Research. "And no one group consistently 'owns' it -- applications, networking, and server teams often own pieces of it, and it doesn't receive appropriate funding because it's a shared asset."

The result: DNS security can easily get overlooked. "I think the majority of companies will have to unfortunately suffer DNS failure or exploits before funds are made available to invest in proper DNS hardening," Whiteley says.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...