Some 14% of the Fortune 1000, the top US companies, run a version of BIND (Berkeley Internet Name Domain) DNS (Domain Name System) software with known vulnerabilities, according to a test conducted last week by consultancy firm Men & Mice.
About half of the vulnerable companies run BIND 9 prior to version 9.2.1. Last week these were found to be vulnerable to a denial-of-service attack. The US Computer Emergency Response Team (CERT) warned of the flaw and urged users to either apply a patch or upgrade to BIND 9.2.1, which was released on 1 May. BIND is distributed for free by the Internet Software Consortium.
The consequences of BIND vulnerabilities are serious. If all of a company's DNS servers go down, the company would effectively disappear from the Internet: its Web site would become unreachable and inbound e-mail sent to the affected domain would bounce.
Experts advise users to diversify and to ensure that DNS servers are located in different network segments.
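An added example, not from the article or from Men & Mice: a small Python check that takes a domain's name-server set (hostnames, addresses and the version banner each returns are constructed sample values, not real servers) and reports which servers run a BIND 9 release older than 9.2.1, whether every server is affected, and whether the servers all sit in one /24 segment.

```python
import ipaddress
import re

# Constructed sample data for a hypothetical domain. The third field is the
# string a server returns for a version.bind CHAOS TXT query (an operator can
# collect it with `dig +short @<ns> version.bind chaos txt`); many operators
# hide the real banner, so unparseable values are reported as "unknown".
SAMPLE_NS = [
    ("ns1.example.test", "192.0.2.10", "9.2.0"),
    ("ns2.example.test", "192.0.2.11", "9.1.3"),
    ("ns3.example.test", "198.51.100.5", "9.2.1"),
    ("ns4.example.test", "203.0.113.9", "not disclosed"),
]

FIXED_VERSION = (9, 2, 1)  # BIND 9.2.1 fixes the denial-of-service flaw discussed above


def parse_version(banner):
    """Return (major, minor, patch) from a version banner, or None if hidden/unparseable."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", banner or "")
    return tuple(int(x) for x in m.groups()) if m else None


def is_vulnerable(banner):
    """True when the banner identifies a BIND 9 release older than 9.2.1."""
    v = parse_version(banner)
    return v is not None and v[0] == 9 and v < FIXED_VERSION


def segment_diversity(addresses, prefix=24):
    """Number of distinct IPv4 /prefix networks the name servers occupy."""
    nets = {ipaddress.ip_network(f"{a}/{prefix}", strict=False) for a in addresses}
    return len(nets)


def assess(ns_records, prefix=24):
    """Summarise patch state and network-segment diversity of a name-server set."""
    vulnerable = [n for n, _, b in ns_records if is_vulnerable(b)]
    unknown = [n for n, _, b in ns_records if parse_version(b) is None]
    segments = segment_diversity([ip for _, ip, _ in ns_records], prefix)
    return {
        "vulnerable": vulnerable,
        "unknown_version": unknown,
        "all_vulnerable": len(vulnerable) == len(ns_records),
        "distinct_segments": segments,
        "single_segment": segments == 1,
    }


if __name__ == "__main__":
    print(assess(SAMPLE_NS))
```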
"Having some of the name servers running a vulnerable version of BIND constitutes a security threat; having all the name servers run vulnerable BIND is a severe security threat that could turn into a million-dollar disaster," said Men & Mice chief executive officer Petur Petursson, adding that 35 of the Fortune 1000 use multiple vulnerable BIND versions.
Most DNS servers run BIND, and this lack of diversity makes DNS a weak link in the Internet's infrastructure, according to Men & Mice. The Internet Corporation for Assigned Names and Numbers (ICANN), the organisation that oversees the Internet's addressing system, has formed a security committee aimed, in part, at examining DNS security holes.