
DNS servers still pose major security risks

Author: Antony Savvas
Posted: 16:05 20 Nov 2007
Topics: Network Infrastructure | Domain Names

DNS servers remain vulnerable to attack despite a marked improvement in recent years.

Infoblox and The Measurement Factory have announced the results from their third annual survey of domain name servers on the public internet.

DNS servers are essential network infrastructure that map domain names to IP addresses, directing internet inquiries to the appropriate location.

The survey found that many DNS servers still allow recursion and zone transfers, indicating that the global DNS system is as vulnerable as ever.

"For the overall security of the internet, it is good to see movement away from Microsoft DNS Servers for external DNS, as well as a growing trend to use the most recent versions of BIND, which are more secure," said Cricket Liu, vice-president of architecture at Infoblox.


"However, even with growing adoption of more secure name servers, compromises of these systems are still occurring and organisations need to pay more attention to configurations and deployment architectures that are leaving their DNS infrastructures vulnerable to attacks and outages."

He said, "Instead of waiting until they are attacked, all organisations should assess their DNS infrastructure and immediately take the necessary steps to make them more reliable and secure."

The survey found that usage of the Microsoft DNS Server platform was cut in half (a decrease to 2.7% from 5% in 2006 and 10% in 2005).

The significant reduction in usage of the Microsoft DNS server system reflects concerns over risks associated with deploying Microsoft Windows servers that are exposed to the public internet, said the researchers.

But more than 50% of internet name servers allow recursive queries. This form of name resolution often requires a name server to relay requests to other name servers, which can leave name servers vulnerable to pharming attacks, and allow those servers to be used in DNS amplification attacks that can take down important internet infrastructure.

The proportion of surveyed DNS servers allowing zone transfers to arbitrary requestors grew to 31% in 2007 (up from 29% in 2006). Allowing zone transfers to arbitrary queriers enables duplication of an entire segment of an organisation's DNS data from one DNS server to another, and can leave those servers as easy targets for denial-of-service attacks.
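The two exposures the survey counts, open recursion and zone transfers to arbitrary requestors, can be checked in a BIND `named.conf` before the server faces the internet. The script below is an added example, not code from the article, Infoblox or The Measurement Factory; the sample configurations, zone names and the address 192.0.2.53 are constructed, and the parser is deliberately simplified (it assumes no `view` blocks and no nested address-match lists).

```python
import re

# Constructed named.conf samples: WEAK is open in both ways the survey counts.
WEAK = '''
options { recursion yes; allow-recursion { any; }; };
zone "example.com" { type master; file "example.com.db"; allow-transfer { any; }; };
zone "example.net" IN { type master; file "example.net.db"; };  // no ACL at all
'''
HARDENED = '''
options { recursion no; allow-transfer { none; }; };   /* authoritative-only */
zone "example.com" { type master; file "example.com.db";
    allow-transfer { 192.0.2.53; }; };   # constructed secondary address
zone "example.net" IN { type master; file "example.net.db"; };
'''

def _blocks(text, header):
    """Yield (name, body) for each brace-delimited block whose header matches."""
    for m in re.finditer(header + r'(?:\s+\w+)?\s*\{', text):
        depth, i = 1, m.end()
        while depth and i < len(text):
            depth += {'{': 1, '}': -1}.get(text[i], 0)
            i += 1
        yield m.group(1), text[m.end():i - 1]

def _acl(body, stmt):
    """Return the address-match list of stmt, or None if it is not set."""
    m = re.search(stmt + r'\s*\{([^}]*)\}', body)
    return None if m is None else [e.strip() for e in m.group(1).split(';') if e.strip()]

def audit(conf):
    conf = re.sub(r'/\*.*?\*/', '', conf, flags=re.S)      # strip /* */ comments
    conf = re.sub(r'(//|#).*', '', conf)                    # strip // and # comments
    opts = next((body for _, body in _blocks(conf, r'\b(options)')), '')
    findings = []
    recursion_off = re.search(r'\brecursion\s+no\s*;', opts)
    if not recursion_off and 'any' in (_acl(opts, 'allow-recursion') or []):
        findings.append('options: recursion allowed for any client')
    default_xfer = _acl(opts, 'allow-transfer')             # inherited by zones
    for name, body in _blocks(conf, r'\bzone\s+"([^"]+)"'):
        if not re.search(r'\btype\s+(master|primary|slave|secondary)\b', body):
            continue                                        # only zones that can be transferred
        xfer = _acl(body, 'allow-transfer')
        xfer = default_xfer if xfer is None else xfer
        if xfer is None:
            findings.append(f'{name}: no allow-transfer; server default applies')
        elif 'any' in xfer:
            findings.append(f'{name}: zone transfer allowed for any requester')
    return findings
```

A zone reported as relying on the server default needs a check against the documentation for the BIND release in use, since what an absent `allow-transfer` permits depends on the version.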



