DNS servers still vulnerable

Poor configuration is leaving DNS servers open to attack, but overall the system is growing and modernising, according to a new survey.

DNS servers are increasing and modernising, but many are still vulnerable to attacks, according to a new study.

The third annual survey conducted by Infoblox and the Measurement Factory looked at the state of Domain Name System (DNS) servers across the public internet by surveying 80 million named servers.

DNS servers map domain names to numeric IP addresses. If such systems fail - from a malware attack or server failure, for example - then a company's email and public-facing website will become unavailable.

According to the study, the DNS system is growing overall - showing that the public internet is experience growth. The internet-facing DNS server count jumped to 11.5 million this year, up from nine million in 2006.

"An increase was expected, but the actual number is a surprise - it's a pretty substantial increase," said Cricket Liu, vice president of architecture at Infoblox.

The use of the BIND 9 - the recent version of Berkeley Internet Name Domain, the most common DNS server on the internet - is at 65 per cent this year, up from 61 per cent last year, showing that organisations are upgrading.

The use of Microsoft's DNS server fell to 2.7 per cent from five per cent last year, which the report said reflects concerns around exposing Microsoft Windows servers to the public internet. Liu said that trend runs counter to internal trends, with more internal servers still running the Microsoft DNS server. "It's not really well equipped to be run on the internet," he said. "This is an admission there's better choices."

The survey also found an increase to 12.6 per cent in the use of the Sender Policy Framework (SPF), a system for authenticating email. The more systems use SPF, the better it works, explained Liu. "Uptake has been pretty spotty," he said. "One out of 20 is not worth that much. I was amazed by the increase...it will create a snowball effect, as one-eighth is a lot of value."

But that's the good news. On the downside, the survey found that 31 per cent of DNS servers allowed zone transfers to arbitrary requestors, which could allow for denial of service attacks.

The survey also showed that half of internet name servers still allow recursive queries, which leaves such servers open to pharming attacks and amplification attacks. "In a perfect world, you should see zero," said Liu. But he added that BIND allows for recursion restriction, so people are simply failing to configure properly.

"Generally speaking, within a large organisation, one or two people know about DNS," said Liu. "Those people who are entrust with that responsibility need to keep up."

Featured Resources

Consumer choice and the payment experience

A software provider's guide to getting, growing, and keeping customers

Download now

Prevent fraud and phishing attacks with DMARC

How to use domain-based message authentication, reporting, and conformance for email security

Download now

Business in the new economy landscape

How we coped with 2020 and looking ahead to a brighter 2021

Download now

How to increase cyber resilience within your organisation

Cyber resilience for dummies

Download now

Most Popular

How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

16 Jun 2021
EU plans to launch bloc-wide cyber task force
cyber attacks

EU plans to launch bloc-wide cyber task force

22 Jun 2021
What is HTTP error 400 and how do you fix it?
Network & Internet

What is HTTP error 400 and how do you fix it?

16 Jun 2021