DNS servers still vulnerable

DNS servers are increasing and modernising, but many are still vulnerable to attacks, according to a new study.

The third annual survey conducted by Infoblox and the Measurement Factory looked at the state of Domain Name System (DNS) servers across the public internet by surveying 80 million named servers.

DNS servers map domain names to numeric IP addresses. If such systems fail - from a malware attack or server failure, for example - then a company's email and public-facing website will become unavailable.

According to the study, the DNS system is growing overall - showing that the public internet is experience growth. The internet-facing DNS server count jumped to 11.5 million this year, up from nine million in 2006.

"An increase was expected, but the actual number is a surprise - it's a pretty substantial increase," said Cricket Liu, vice president of architecture at Infoblox.

The use of the BIND 9 - the recent version of Berkeley Internet Name Domain, the most common DNS server on the internet - is at 65 per cent this year, up from 61 per cent last year, showing that organisations are upgrading.

The use of Microsoft's DNS server fell to 2.7 per cent from five per cent last year, which the report said reflects concerns around exposing Microsoft Windows servers to the public internet. Liu said that trend runs counter to internal trends, with more internal servers still running the Microsoft DNS server. "It's not really well equipped to be run on the internet," he said. "This is an admission there's better choices."

The survey also found an increase to 12.6 per cent in the use of the Sender Policy Framework (SPF), a system for authenticating email. The more systems use SPF, the better it works, explained Liu. "Uptake has been pretty spotty," he said. "One out of 20 is not worth that much. I was amazed by the increase...it will create a snowball effect, as one-eighth is a lot of value."

But that's the good news. On the downside, the survey found that 31 per cent of DNS servers allowed zone transfers to arbitrary requestors, which could allow for denial of service attacks.

The survey also showed that half of internet name servers still allow recursive queries, which leaves such servers open to pharming attacks and amplification attacks. "In a perfect world, you should see zero," said Liu. But he added that BIND allows for recursion restriction, so people are simply failing to configure properly.

"Generally speaking, within a large organisation, one or two people know about DNS," said Liu. "Those people who are entrust with that responsibility need to keep up."