25% Of DNS Servers Still Vulnerable To Kaminsky Flaw

Security researchers say that DNS will remain a primary exploit target because many people don't understand the Internet's domain name system.

Thomas Claburn, Editor at Large, Enterprise Mobility

November 11, 2008

2 Min Read

The unprecedented effort led by security researcher Dan Kaminsky to fix flaws in the Internet's domain name system earlier this year was only partially successful.

One in four DNS servers still does not perform source port randomization, according to a study conducted by Infoblox, a networking appliance vendor, and the Measurement Factory, a performance-testing and protocol-compliance consultancy.

Randomizing the server port used to send and receive DNS requests is one of the ways to mitigate the risk of distributed denial-of-service attacks and DNS cache poisoning, which can lead to the misdelivery or hijacking of Internet traffic.

The study also found that more than 40% of Internet name servers still allow recursive queries, and 30% of DNS servers allow zone transfers to arbitrary requesters. Such servers also are vulnerable to DDoS and cache poisoning.

"DNS is going to continue to be a vector of exploit because people just don't understand it," said Paul Parisi, CTO of DNSstuff, a company that offers online network diagnostic services.

With regard to the Kaminsky DNS vulnerability, a DNSstuff online survey of server administrators found that 9.6% haven't patched yet and that 21.9% didn't know if they were patched.

Parisi considers this to be pretty remarkable given all the publicity the Kaminsky flaw received. "If anything was publicized, the Kaminsky vulnerability was," he said. "It points more to the black-box nature of DNS. People don't understand it."

Not all the survey's findings represent bad news, however. About 90% of name servers that run the Berkeley Internet name domain DNS server software are using the most recent version of BIND 9. And with instances of Microsoft DNS Server down to 0.17% this year from 2.7% in 2007, "usage of unsecure Microsoft DNS servers connected to the Internet is vanishing." Finally, support for the sender policy framework, a protocol to identify forged e-mail addresses, increased from 12.6% to 16.7%.

Read more about:


About the Author(s)

Thomas Claburn

Editor at Large, Enterprise Mobility

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful master's degree in film production. He wrote the original treatment for 3DO's Killing Time, a short story that appeared in On Spec, and the screenplay for an independent film called The Hanged Man, which he would later direct. He's the author of a science fiction novel, Reflecting Fires, and a sadly neglected blog, Lot 49. His iPhone game, Blocfall, is available through the iTunes App Store. His wife is a talented jazz singer; he does not sing, which is for the best.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights