Domain Name System still at risk

Global DNS is 'as vulnerable as ever', reports Infoblox

The Domain Name System (DNS) is still growing strongly, indicating the internet's expansion in terms of infrastructure, users, traffic and applications.

But the annual survey of domain name servers on the public internet by Infoblox suggests that the global DNS is as vulnerable as ever.

DNS servers map domain names to their IP addresses, directing internet inquiries to the appropriate location.

Domain name resolution conducted by these servers is required to perform any internet-related request.

Should an organisation's DNS systems fail, all internet functions, including email, web access, e-commerce and extranets, become unavailable.

The report showed that the DNS infrastructure is modernising and coalescing around the most recent versions of the Berkeley Internet Name Domain (Bind), the most commonly used DNS server software on the internet.

However, the DNS is still vulnerable as many DNS servers are left open to attack from several directions.

More than 50 per cent of internet name servers allow recursive queries, for example, which often require a name server to relay requests to other name servers.

This can leave name servers vulnerable to pharming attacks and allow those servers to be used in DNS amplification attacks that can take down important internet infrastructure.
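As an added illustration (not part of the Infoblox survey or the original article), the Python sketch below shows how an administrator auditing their own name server can read a reply header to tell whether the server recursed for an outside client. The RD and RA flags and the REFUSED code are standard DNS header fields (RFC 1035); the function names, the queried name and the sample replies are constructed for this example.

```python
import struct

QR, RD, RA = 0x8000, 0x0100, 0x0080      # header flag bits (RFC 1035)
NOERROR, NXDOMAIN, REFUSED = 0, 3, 5     # response codes

def build_query(name, qid=0x1A2B):
    """Encode a recursive (RD=1) A-record query in DNS wire format."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack("!6H", qid, RD, 1, 0, 0, 0) + qname + struct.pack("!2H", 1, 1)

def classify(query, response):
    """Judge from the reply header whether the server recursed for the client."""
    if len(response) < 12:
        return "malformed"
    qid, flags = struct.unpack("!2H", response[:4])
    if response[:2] != query[:2] or not flags & QR:
        return "malformed"               # wrong transaction ID or not a reply
    rcode = flags & 0x000F
    if rcode == REFUSED:
        return "refused"                 # recursion denied to this client
    if not flags & RA:
        return "no-recursion"            # authoritative-only behaviour
    if rcode in (NOERROR, NXDOMAIN):
        return "open-recursive"          # resolved an outside name for us
    return "inconclusive"

def constructed_reply(query, flags, with_answer=False):
    """Build a constructed reply to `query` (test data, not captured traffic)."""
    header = query[:2] + struct.pack("!5H", flags, 1, int(with_answer), 0, 0)
    answer = b""
    if with_answer:                      # A record 192.0.2.1, name compressed to offset 12
        answer = struct.pack("!HHHIH4B", 0xC00C, 1, 1, 300, 4, 192, 0, 2, 1)
    return header + query[12:] + answer

def audit_samples():
    # example.net is assumed to lie outside the audited server's own zones
    q = build_query("example.net")
    samples = {
        "open": constructed_reply(q, QR | RD | RA, with_answer=True),
        "locked": constructed_reply(q, QR | RD | REFUSED),
        "auth-only": constructed_reply(q, QR | RD),
    }
    return {label: classify(q, reply) for label, reply in samples.items()}

if __name__ == "__main__":
    for label, verdict in audit_samples().items():
        print(f"{label:10s} {verdict}")
```

A verdict of "open-recursive" from a client outside the organisation's own networks is the condition the survey counts; on Bind the usual remedy is to restrict recursion to internal clients.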

"For the overall security of the internet, it is good to see movement away from Microsoft DNS Servers for external DNS as well as a growing trend to use the most recent versions of Bind," said Cricket Liu, vice president of architecture at Infoblox.

"However, even with growing adoption of more secure name servers, compromises of these systems are still occurring.

"Organisations need to pay more attention to configurations and deployment architectures that are leaving their DNS infrastructures vulnerable to attacks and outages."

Infoblox reported that internet-facing DNS servers increased to 11.5 million, up from around nine million in 2006 and 7.5 million in 2005, and that use of Bind 9, the latest version, grew to 65 per cent in 2007, up from 61 per cent in 2006.

Furthermore, support for the Sender Policy Framework (SPF) increased to 12.6 per cent in 2007, up from five per cent in 2006.

SPF allows software to identify and reject forged email addresses, and its growing adoption indicates that organisations are taking email fraud seriously.