
More than 1 million DNS servers still vulnerable to Kaminsky

By Shamus McGillicuddy, News Editor
12 Nov 2008 | SearchNetworking.com


New research has found that about 1.3 million domain name servers across the world are still exploitable by the Kaminsky vulnerability, a flaw hackers can easily use to bring down websites and email servers.

Domain name system (DNS) servers are the address books of the Internet. They translate URLs into IP addresses, allowing clients and servers to communicate across the Internet.

In July, security expert Dan Kaminsky revealed that he had discovered a flaw in the DNS protocol. The DNS flaw allows hackers to impersonate any website and trap unsuspecting users. Hackers can also use the flaw to disrupt corporate operations by making the DNS system misdirect emails and website queries. Exploiting the flaw, hackers conduct a "cache poisoning" attack by flooding DNS servers with queries and tricking the servers into mistranslating a URL into another IP address. Kaminsky worked with DNS software vendors to create a patch for the flaw.

Infoblox, a vendor of DNS management technology, recently completed its fourth annual global survey of DNS servers. In all, the survey found 11.9 million name servers across the world, according to Cricket Liu, vice president of architecture for Infoblox.

Nearly 11% of those DNS servers, about 1.3 million, are "trivially exploitable" by the Kaminsky vulnerability, Liu said. In other words, no one has bothered to patch them. "The scripts and Metasploits that are available out there would compromise a name server like that in as little as 10 seconds," he said. "So it's a pretty lousy result. On the other hand, maybe we should be pleased that [the rest] of the servers were patched over the last three months."

The first line of defense against the Kaminsky vulnerability is to reconfigure DNS servers to accept only non-recursive queries rather than recursive ones, Liu said. Recursive DNS servers will accept queries about any domain name from just about any source. Most DNS attacks rely on recursive queries to attack name servers. When servers are reconfigured for only non-recursive queries, they will respond only to queries about the domain names for which they are the authority.


Liu said that 44% of DNS servers are still configured for recursive queries, a slight improvement from 52% in 2007.

"Those open recursive name servers are at greater risk for cache poisoning," he said. "They're also easy to use in distributed denial-of-service attacks against people on the Internet."

The second line of defense against the Kaminsky vulnerability is the patch that configures DNS servers for query port randomization. Liu said this configuration instructs a server to send each query to a different random port, making it difficult for a hacker to spoof the server.

"The [hacker] would have to guess which port [the query] came from, and you would have to randomly try sending query responses to a lot of different source ports," Liu said.
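An administrator can check whether a resolver actually randomizes its query ports by looking at the UDP source ports of its outbound queries, taken from a packet capture on their own network. The following sketch is an added example, not from the article or from Infoblox; the function name, the two thresholds and the sample port lists are assumptions constructed for illustration.

```python
import math
import statistics

TXID_BITS = 16  # the DNS transaction ID is a 16-bit field

def assess_source_ports(ports, min_samples=10):
    """Rate the predictability of a resolver's outbound query source ports.

    ports: UDP source ports of consecutive outbound queries, in capture order.
    """
    if len(ports) < min_samples:
        raise ValueError(f"need at least {min_samples} samples")
    distinct = len(set(ports))
    deltas = [b - a for a, b in zip(ports, ports[1:])]
    # Share of queries whose port is just the previous one plus 1 or 2.
    stepping = sum(1 for d in deltas if 0 < d <= 2) / len(deltas)
    spread = statistics.pstdev(ports)
    if distinct == 1:
        verdict = "fixed"        # every query leaves from the same port
    elif stepping >= 0.8:        # assumed threshold
        verdict = "sequential"   # incrementing ports, next one is guessable
    elif spread < 1000:          # assumed threshold
        verdict = "narrow"       # varies, but drawn from a small pool
    else:
        verdict = "randomized"
    # Rough number of bits a forged response has to match: the transaction ID
    # plus the port, with the pool size estimated from the observed range.
    if verdict in ("fixed", "sequential"):
        port_bits = 0.0
    else:
        port_bits = math.log2(max(ports) - min(ports) + 1)
    return {"verdict": verdict, "distinct": distinct,
            "stdev": round(spread, 1),
            "guess_bits": round(TXID_BITS + port_bits, 1)}

# Constructed samples, not taken from any real server.
FIXED = [53] * 12
SEQUENTIAL = [32768 + i for i in range(12)]
NARROW = [1050, 1031, 1097, 1026, 1084, 1043, 1069, 1090, 1028, 1077, 1055, 1038]
RANDOMIZED = [49721, 1873, 60114, 23855, 41002, 9317,
              55630, 30248, 14489, 63991, 37206, 5062]

if __name__ == "__main__":
    for name, sample in [("fixed", FIXED), ("sequential", SEQUENTIAL),
                         ("narrow", NARROW), ("randomized", RANDOMIZED)]:
        print(name, assess_source_ports(sample))
```

A "fixed" or "sequential" verdict means only the 16-bit transaction ID stands between the resolver and a forged answer, which is the condition the patch removes.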

The ultimate protection against Kaminsky and other vulnerabilities is to upgrade DNS servers to DNSSEC (DNS Security Extensions), a set of modifications to the DNS protocol that, when uploaded to the DNS server, improves security on DNS servers, Liu said. Unfortunately, DNS management is an afterthought in most organizations. DNSSEC adoption is still minuscule.

DNSstuff.com, a provider of online DNS management tools, recently conducted its own survey of about 450 of its users, according to Paul Parisi, DNSstuff CTO. Parisi said that 9.6% of his customers said they hadn't patched their servers for Kaminsky, and another 21.9% didn't know whether the servers were patched or not.

"That is pretty staggering, given our community," Parisi said. "These are the people who use our tools to manage DNS."

The cache poisoning that can result from the Kaminsky exploit is nevertheless a top concern, he said. The DNSstuff survey found that 44.1% of customers identified accuracy and relevance of DNS data as their biggest management challenge.

"There is a heightened awareness of it, but the survey shows that some people need some help managing it," Parisi said. "They need some best practices, and because DNS is something you touch infrequently, a lot of issues can come up with DNS just because of simple mistakes. There is a hunger out there for proper DNS reporting and management."
