Categories

• Automation
• Compliance
• Consolidation
• Data Protection
• Networking News
• News
• RAID
• Security News
• Sencilo News
• Storage News
• Uncategorized
• Vendor News
• Virtualization

Archived by Date

• June 2011
• May 2011
• April 2011
• March 2011
• January 2011
• December 2010
• November 2010
• October 2010
• September 2010
• August 2010
• July 2010
• June 2010
• May 2010
• April 2010
• March 2010
• February 2010
• January 2010
• December 2009
• November 2009
• October 2009
• September 2009
• June 2009
• May 2009
• April 2009
• March 2009
• February 2009
• January 2009
• December 2008
• November 2008
• October 2008
• September 2008
• August 2008
• July 2008
• June 2008
• May 2008
• April 2008
• March 2008
• February 2008
• January 2008

DNS Survey Reveals Many Systems Still Vulnerable to Attacks Despite Some Marked Improvements - January 31, 2008

Infoblox Inc., a developer of appliances that deliver “utility-grade” core network services, and The Measurement Factory, experts in performance testing and protocol compliance, today announced results from the third-annual survey of domain name servers on the public Internet.

DNS servers are essential network infrastructure that map domain names (e.g., yahoo.com) to IP addresses (e.g., 66.94.234.13), directing Internet inquiries to the appropriate location. Domain name resolution conducted by these servers is required to perform any Internet-related request. Should an enterprise or organization’s DNS systems fail, all Internet functions, including email, web access, e-commerce, and extranets become unavailable.

Overall, results indicate that the number of DNS systems is increasing, which is a good indicator of Internet growth in terms of infrastructure, users, traffic and applications. Also on a positive note, results indicate that the DNS infrastructure is modernizing and coalescing around the most recent versions of BIND. Further, there is a real indication of interest in fighting spam. However, many DNS servers still allow recursion and zone transfers, indicating that the global DNS system is as vulnerable as ever.

“For the overall security of the Internet, it is good to see movement away from Microsoft DNS Servers for external DNS as well as a growing trend to use the most recent versions of BIND, which are more secure,” Cricket Liu, vice president of architecture at Infoblox and author of O’Reilly & Associates’ DNS and BIND, DNS & BIND Cookbook, and DNS On Windows Server 2003, commented. “However, even with growing adoption of more secure name servers, compromises of these systems are still occurring and organizations need to pay more attention to configurations and deployment architectures that are leaving their DNS infrastructures vulnerable to attacks and outages. Instead of waiting until they are attacked, all organizations should assess their DNS infrastructure and immediately take the necessary steps to make them more reliable and secure.”

Following are the key 2007 DNS survey results, which are based on a sample that included 5 percent of the IPv4 address space, nearly 80 million addresses.

The Good News
Overall growth and modernization of DNS systems improves security and availability. Further, there is a real indication of interest in fighting spam.

• The Internet-facing DNS server count increased to 11.5 million (up from ~9 million in 2006 and 7.5 million in 2005) – The domain name system is growing, a good indicator of the overall growth of the Internet, users, traffic and applications.

• BIND 9 usage grew to 65% in 2007 (up from 61% in 2006 and 58% in 2005) – The growing use of the most recent and secure version of open-source domain name server software indicates that organizations are paying attention to the version of BIND they are running and that they are increasingly aware of related security issues.

• BIND 8 usage decreased to 5.6% in 2007 (down from 14% in 2006 and 20% in 2005) – The decreased usage of BIND 8 – an older version recently “end-of-lifed” by ISC – by almost two-thirds year-over-year, indicates that many organizations are making the effort to deploy the most reliable and secure DNS implementations and are making the global DNS infrastructure more secure.

• Usage of the Microsoft DNS Server cut in half (a decrease to 2.7% from 5% in 2006 and 10% in 2005) – The significant reduction in usage of the Microsoft DNS Server by nearly one-half reflects concerns over risks associated with deploying Microsoft Windows servers that are exposed to the public Internet.

• Support for SPF increased to 12.6% in 2007 (up from 5% of the zones sampled in 2006) – This increase in usage of SPF (the Sender Policy Framework) increases the effectiveness of the technology, and indicates that organizations are taking email fraud seriously.

The Bad News
Continued deployment and configuration mistakes are leaving the global DNS system as vulnerable as ever.

• Still more than 50% of Internet name servers allow recursive queries (consistent with 2006) – This form of name resolution often requires a name server to relay requests to other name servers, which can leave name servers vulnerable to pharming attacks and allow those servers to be used in DNS amplification attacks that can take down important Internet infrastructure.

• DNS servers surveyed allowing zone transfers to arbitrary requestors grew to 31% in 2007 (up from 29% in 2006) – Allowing zone transfers to arbitrary queriers enables duplication of an entire segment of an organization’s DNS data from one DNS server to another and can leave them as easy targets for denial-of-service attacks.

• Still ~75% of zones surveyed have low expire values and almost 78% still use negative-caching TTL settings outside the suggested range of one to three hours – These figures, consistent with 2006, indicate that many DNS servers are not configured correctly, which can significantly increases the risk of service outages to an organization.

• Only .002% of zones tested support DNSSEC – Limited adoption of DNSSEC, the IETF standard that adds cryptographic authentication and integrity checking to DNS, indicates that administrators are not convinced of its importance, are perhaps intimidated by its complexity, and that the standard seems unlikely to succeed on its own merits as a means to improve DNS security.  

For more information please call (407) 265-6293 or visit us at: http://www.sencilo.com/security-threat-management.php

About Sencilo Solutions

Sencilo Solutions is a Florida-based integrator specializing in storage, security and networking solutions. Sencilo delivers a comprehensive portfolio of products from best-of-breed hardware and software from multiple manufacturers including VMware, EMC, Juniper Networks, Hitachi, Symantec, Barracuda Networks, and HP. Its technical expertise is known throughout the storage and security industry. Clients include leading corporations, major financial institutions, top universities, government facilities, as well as small to medium size businesses. Sencilo's professional services include consulting, integration, project management, installation, maintenance and knowledge transfer.

Sencilo has offices throughout Florida including: Jacksonville, Miami, Tampa, St. Petersburg, Orlando, Hialeah, Fort Lauderdale, Tallahassee, Cape Coral, and Pembroke Pines.