25% Of DNS Servers Still Vulnerable To Kaminsky Flaw

Security researchers say that DNS will remain a primary exploit target because many people don't understand the Internet's domain name system.
The unprecedented effort led by security researcher Dan Kaminsky to fix flaws in the Internet's domain name system earlier this year was only partially successful.

One in four DNS servers still does not perform source port randomization, according to a study conducted by Infoblox, a networking appliance vendor, and the Measurement Factory, a performance-testing and protocol-compliance consultancy.

Randomizing the server port used to send and receive DNS requests is one of the ways to mitigate the risk of distributed denial-of-service attacks and DNS cache poisoning, which can lead to the misdelivery or hijacking of Internet traffic.

The study also found that more than 40% of Internet name servers still allow recursive queries, and 30% of DNS servers allow zone transfers to arbitrary requesters. Such servers also are vulnerable to DDoS and cache poisoning.

"DNS is going to continue to be a vector of exploit because people just don't understand it," said Paul Parisi, CTO of DNSstuff, a company that offers online network diagnostic services.

With regard to the Kaminsky DNS vulnerability, a DNSstuff online survey of server administrators found that 9.6% haven't patched yet and that 21.9% didn't know if they were patched.

Parisi considers this to be pretty remarkable given all the publicity the Kaminsky flaw received. "If anything was publicized, the Kaminsky vulnerability was," he said. "It points more to the black-box nature of DNS. People don't understand it."

Not all the survey's findings represent bad news, however. About 90% of name servers that run the Berkeley Internet name domain DNS server software are using the most recent version of BIND 9. And with instances of Microsoft DNS Server down to 0.17% this year from 2.7% in 2007, "usage of unsecure Microsoft DNS servers connected to the Internet is vanishing." Finally, support for the sender policy framework, a protocol to identify forged e-mail addresses, increased from 12.6% to 16.7%.