DNS servers still vulnerable
Poor configuration is leaving DNS servers open to attack, but overall the system is growing and modernising, according to a new survey.
DNS servers are increasing and modernising, but many are still vulnerable to attacks, according to a new study.
DNS servers map domain names to numeric IP addresses. If such systems fail - from a malware attack or server failure, for example - then a company's email and public-facing website will become unavailable.
According to the study, the DNS system is growing overall - showing that the public internet is experience growth. The internet-facing DNS server count jumped to 11.5 million this year, up from nine million in 2006.
"An increase was expected, but the actual number is a surprise - it's a pretty substantial increase," said Cricket Liu, vice president of architecture at Infoblox.
The use of the BIND 9 - the recent version of Berkeley Internet Name Domain, the most common DNS server on the internet - is at 65 per cent this year, up from 61 per cent last year, showing that organisations are upgrading.
The use of Microsoft's DNS server fell to 2.7 per cent from five per cent last year, which the report said reflects concerns around exposing Microsoft Windows servers to the public internet. Liu said that trend runs counter to internal trends, with more internal servers still running the Microsoft DNS server. "It's not really well equipped to be run on the internet," he said. "This is an admission there's better choices."
The survey also found an increase to 12.6 per cent in the use of the Sender Policy Framework (SPF), a system for authenticating email. The more systems use SPF, the better it works, explained Liu. "Uptake has been pretty spotty," he said. "One out of 20 is not worth that much. I was amazed by the increase...it will create a snowball effect, as one-eighth is a lot of value."
But that's the good news. On the downside, the survey found that 31 per cent of DNS servers allowed zone transfers to arbitrary requestors, which could allow for denial of service attacks.
The survey also showed that half of internet name servers still allow recursive queries, which leaves such servers open to pharming attacks and amplification attacks. "In a perfect world, you should see zero," said Liu. But he added that BIND allows for recursion restriction, so people are simply failing to configure properly.
"Generally speaking, within a large organisation, one or two people know about DNS," said Liu. "Those people who are entrust with that responsibility need to keep up."
Consumer choice and the payment experience
A software provider's guide to getting, growing, and keeping customersDownload now
Prevent fraud and phishing attacks with DMARC
How to use domain-based message authentication, reporting, and conformance for email securityDownload now
Business in the new economy landscape
How we coped with 2020 and looking ahead to a brighter 2021Download now
How to increase cyber resilience within your organisation
Cyber resilience for dummiesDownload now