From the Security Experts
November 18, 2009
DNS Survey Reveals Internet Security Vulnerabilities
SIP Trunking Report Contributor
Infoblox and The Measurement Factory recently made public the results of their fifth annual survey of domain name servers on the Internet.
The results reveal that use of Microsoft DNS Servers for external DNS is almost negligible. Several businesses have recognized the security vulnerabilities involved and moved to a more secure option. One potential vulnerability has been addressed but another has loomed large.
The survey results indicate a sharp increase in the percentage of external name servers that allow open access to intruders. These external servers pose a major risk to the Internet because they can be used to launch distributed denial of service (DDoS) attacks.
Cricket Liu, vice president of architecture at Infoblox and author of O'Reilly & Associates' DNS and BIND and DNS & BIND Cookbook, elaborated.
"Of particular interest is the enormous growth in the number of Internet-connected name servers, largely attributable to the introduction by carriers of customer premises equipment (CPE) with embedded DNS functionality," Liu said. "This equipment represents a significant risk to the rest of the Internet, as without proper access controls, it facilitates enormous DDoS attacks."
DNS servers are network infrastructure that map domain names to IP addresses and route Internet queries to the correct location. Domain name resolution is essential to complete any Internet request. If an enterprise's DNS system is attacked, the results could be catastrophic: loss of its web presence, inability of employees to access external web services, and redirection of web and mail traffic to malicious sites. The last will result in data loss, identity theft, ecommerce fraud and much more.
The fifth annual DNS survey covered five percent of the IPv4 addresses -- or nearly 80 million web addresses. It assigned positive, negative and neutral ratings to its findings.
The survey deemed neutral the fact that there were an estimated 16.3 million name servers on the Internet – a 40 percent jump in a two-year period. This was mainly on account of a proliferation of new-age proxy DNS servers built into broadband access devices or customer premises equipment. What was termed 'Very Disturbing' was that 79.6 percent of all name servers were susceptible to malicious attacks. This was a 27 percent increase over the last two years, mainly on account of an increase in proxy DNS servers in CPE. These name servers can be used to launch DDoS attacks.
There were some positive outcomes as well. The decline in the number of Microsoft DNS servers and the decrease in the percentage of zones that had one or more name servers available for zone transfers made networks less susceptible to DDoS attacks. DNSSEC zones increased by 300 percent, which also signaled a positive trend in DNSSEC uptake.
Organizations need to better evaluate their DNS framework and undertake appropriate initiatives to safeguard it from attacks, researchers said.
Carolyn John is a Contributor to TMCnet.