DNS Servers in Harm's Way
Security of Internet-facing Domain Name Service (DNS) servers often overlooked
November 19, 2007
Sometimes it takes a DNS attack for an organization to get serious about the security of its Internet-facing DNS name servers. Many of these servers today are still not properly secured or configured, security experts say, leaving them wide open for distributed denial-of-service (DDOS) and other types of attacks.
"There are many organizations who are still in the dark about managing their external DNS," says David Ulevitch, CEO of OpenDNS. "Just as people run firewalls and anti-spam systems, it's important for them to manage the DNS coming into, and leaving, their network.
"Many organizations today manage their internal DNS, but leave their Internet-facing DNS wide open to abuse their network and act as a vector for malicious activity," he says.
The widely anticipated DNSSec standard from the Internet Engineering Task Force (IETF) has yet to take off, and the Internet community has been nervously awaiting another big DNS attack like the one on the Internet's root servers in February. (See DNS Attack: Only a Warning Shot?.) And a new survey conducted by DNS vendor Infoblox and The Measurement Factory found that organizations aren't properly configuring their DNS servers for security. According to the survey -- the findings of which were released today -- DNSSec adoption is practically nonexistent, with .002 percent adoption among the sampling of servers in the study. And more than half of the servers allow risky recursive queries, and 31 percent allow zone transfers -- two features that can be exploited by an attacker.
Infoblox, which took a random sampling of five percent of the IPv4 address space, estimates that there are 11.5 million DNS servers on the Internet today, up from 9 million last year.
The good news, says Cricket Liu, vice president of architecture for Infoblox, is that most of the servers his company studied were running the newest version of the DNS server platform BIND, version 9. Sixty-five percent were running BIND 9, versus 61 percent last year, according to the survey, he says. "That BIND 9 is in two thirds of the name servers is substantial," Liu says. "But I'm saddened by other things like recursion and open-zone transfers -- these are things that any admin could easily fix."
Infoblox's Liu says the move to BIND 9 means better-secured DNS servers than with its BIND 8 predecessor, since the Unix- and Linux-based DNS server platform was rebuilt from the ground up with security in mind.
But Thomas Ptacek, a principal with Matasano Security, disagrees. "BIND 9 is not more secure than BIND 8 -- both BIND 9 and BIND 8 are security disasters," he says. "BIND 9 is to DNS what Sendmail is to email -- an ancient, ugly, big, overly featured, designed-by-committee monstrosity that is a perennial target for hackers."
Ptacek says there are ways to configure BIND 9 for security, but a more secure option is the rival djbdns DNS server platform, which was built in response to BIND's security problems.
Although Ptacek says a server allowing recursive queries is no big security threat, Infoblox's Liu argues that this feature leaves DNS servers exposed to cache-poisoning and DDOS attacks. Recursive DNS lookup could let an attacker make a random name server query something on his behalf, he says. That lets DNS servers be used in DNS-amplification attacks that can basically take down a network, he says.
Zone transfers, meanwhile, copy DNS zone data from one DNS server to another, which also can be abused for a DDOS attack. "When someone says 30 percent of servers allow zone transfers, what they're really saying is 30 percent of DNS server administrators don't pay any attention to security," Matasano's Ptacek says. "A server that allows zone transfers allows random people to dump every name in the server to find machines to attack."
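The two settings the survey counted, open recursion and open zone transfers, map to a few lines of BIND 9's named.conf. The fragment below is an added illustration, not configuration from the survey or from anyone quoted here; the zone name, file name, ACL names, and addresses are assumed placeholders.

```conf
// Added example, constructed for illustration. Addresses are RFC 5737
// documentation ranges; zone and file names are placeholders.

// ---- Variant A (weak): what the survey counted ----
// options {
//     recursion yes;
//     allow-recursion { any; };  // resolves any name for any source address
//     allow-transfer  { any; };  // any host can pull a full copy of each zone
// };

// ---- Variant B (hardened): Internet-facing, authoritative only ----
acl "secondaries" { 192.0.2.53; };   // assumed address of the secondary server

options {
    recursion no;                    // answer only for zones this server hosts
    allow-query    { any; };         // the public must still reach those zones
    allow-transfer { none; };        // refuse zone transfers unless a zone opts in
};

zone "example.com" {
    type master;
    file "example.com.zone";
    allow-transfer { secondaries; }; // only the listed secondary may transfer
    notify yes;
};

// ---- Variant C: internal resolver, kept off the Internet-facing server ----
// acl "internal" { 10.0.0.0/8; };
// options {
//     recursion yes;
//     allow-recursion { internal; };  // recursion for the organization's own clients only
//     allow-transfer  { none; };
// };
```

Running `named-checkconf` against the file catches syntax errors before a reload. Afterward, a `dig` AXFR request for the zone sent to the administrator's own server from a host outside the "secondaries" ACL should report a failed transfer.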
Meanwhile, security experts say the overall lack of DNSSec adoption today is due to the standard's inherent complexity, which has kept it off the radar screen for most organizations. Still, Mark Beckett, vice president of marketing for Secure64 Software, which includes DNSSec support in its DNS software, says some country-level domains are adopting the standard to shore up their DNS security. "Whether that extends to the root servers, the .coms and .nets, is unclear."
And much of the knowledge gap in DNS security is for administrative reasons, security analysts say. "DNS is a black art, and few have the skills and resources to do it well," says Robert Whiteley of Forrester Research. "And no one group consistently 'owns' it -- applications, networking, and server teams often own pieces of it, and it doesn’t receive appropriate funding because it’s a shared asset."
The result: DNS security can easily get overlooked. "I think the majority of companies will have to unfortunately suffer DNS failure or exploits before funds are made available to invest in proper DNS hardening," Whiteley says.