DNS servers 'vulnerable to attack'

Web users are at risk of fraud because 20 percent of DNS servers are running out-of-date software and 75 percent are vulnerable to cache poisoning

Many DNS servers are wrongly configured or running out-of-date software, leaving them vulnerable to malicious attacks, according to a survey published on Monday.

The Measurement Factory, an Internet performance firm, warned that Internet Systems Consortium's BIND software, which performs the domain name resolution function, is out-of-date on a fifth of DNS servers — which underpin the Internet by translating domain names into IP addresses.

DNS servers which run BIND versions lower than 9 are 'opening the door' to pharming attacks through DNS cache poisoning, The Measurement Factory claimed.

DNS cache poisoning involves hacking into DNS servers and replacing the numeric addresses of legitimate Web sites with the addresses of malicious sites. Internet users are then redirected to fake Web pages where they may be asked for information such as bank account details or unwittingly have spyware installed on their PCs.

Thomas Kristensen, chief technical officer of security company Secunia, told ZDNet UK it was likely that 20 percent of DNS servers were running out-of-date software, as the survey claimed, but he downplayed the risk of vulnerabilities being exploited.

"It should be noted that the 8.x and 4.x versions [of BIND] aren't vulnerable as such, but they were designed in a manner which makes them unsuitable for use as forwarders in specific DNS server setups. If these servers are used in a setup where they are used as forwarders then it is possible to conduct cache poisoning attacks against them," said Kristensen.

Kristensen added that Internet Systems Consortium strongly recommends against using 4.X and 8.X versions of BIND as forwarders.

A DNS server stores the numerical addresses of legitimate Web sites in a cache. DNS forwarders will forward queries onto other name servers if it does not have the necessary information to resolve these requests itself.

This process is known as "recursive name service", as the DNS server will push its request up the hierarchy of DNS servers until it reaches one that can resolve it.

The Measurement Factory surveyed 1.3 million DNS servers, and found that more than three quarters of them allow recursive name service to "arbitrary queriers", rather than from trusted users. This will open a name server up to malicious attacks, according to the report.

In theory, once a malicious hacker has compromised one DNS server, it could use the recursive name service to force other DNS servers to contact the compromised server to resolve a request. Over time, this would allow the hacker to poison the caches of a large number of DNS servers, via the cache of one compromised machine.

Recursive name services should only be enabled on a DNS server for a restricted list of trusted requestors, according to Inblox, the infrastructure developer that commissioned the survey.

Kristensen concurred. "It is not a good idea to allow arbitrary people to do recursive queries as it makes cache poisoning and denial-of-service attacks much more likely. Generally, recursive queries should only be allowed from specific IP addresses."

ISPs should only provide DNS services to their own customers, according to Kristensen. "Generally, all users who connect to the Internet using other connections than leased lines and business class xDSL lines, are dynamically assigned IP addresses, gateways and DNS servers each time they log on," he said.

Malicious hackers who wanted to compromise DNS servers through the recursive name services feature would need to know how various DNS servers are linked together. They could do this by requesting a zone transfer — a query that asks a name server which other servers are contained within its 'zone'.

The Measurement Factory's survey found that over 40 percent of DNS servers also allow zone transfers from arbitrary queriers. The survey claims this exposes a name server to DoS attacks and gives attackers information about internal networks.

Secunia agreed this was also a bad idea.

"Opening a name server for zone transfers does very often expose an excessive amount of information about "secret" hosts, internal hosts, gateway configuration, and much more. This kind of information may prove very useful for a malicious person wishing to conduct an attack," Kristensen said.

Zone transfers should only be allowed by internally controlled secondary name servers, according to Secunia.

"Zone transfer is something that should only be used between trusted name servers for zones in which they are authoritative. Zone transfer is not the mechanism which should be used between untrusted name servers," said Kristensen.

Inblox has advised IT professionals to take these six steps to mitigate against DNS vulnerabilities:

  1. If possible, split external name servers into authoritative name servers and forwarders.

  3. On external authoritative name servers, disable recursion. On forwarders, allow only queries from your internal address space.
  4. If you can't split your authoritative name servers and forwarders, restrict recursion as much as possible. Only allow recursive queries if they come from your internal address space.
  5. Use hardened, secure appliances instead of systems based on general-purpose servers and operating software applications.
  6. Make sure you run the latest version of your domain name server software.
  7. Filter traffic to and from your external name servers. Using either firewall- or router-based filters, ensure that only authorized traffic is allowed between your name servers and the Internet.