Half of DNS servers vulnerable to attack

While security is improving, over 50 percent of Domain Name System servers are vulnerable to attack, according to security company Infoblox
Written by Colin Barker, Contributor

The security of DNS continues to be an issue for network administrators, despite the availability of more secure DNS servers such as BIND 9, according to a survey released on Monday by network appliance company, Infoblox.

According to the survey, DNS (Domain Name System)  infrastructure is modernising and coalescing around the most recent versions of BIND — a type of DNS server software. However, a problem Infoblox noted was that over 50 percent of DNS servers still allow recursion and zone transfers, "indicating that the global DNS system is as vulnerable as ever". Recursion can leave DNS systems vulnerable to DNS cache poisoning and amplification attacks that can "bring down major networks", said Infoblox.

The survey, conducted over the past three years, found the DNS system is growing overall, which is an indicator of internet growth in general.

At the same time, the use of BIND 9 DNS server code is increasing more quickly than other varieties of DNS server code. Infoblox considers BIND 9 more secure than older versions of BIND, as it "has a substantially better security track record ", according to Cricket Liu, Infoblox vice president of architecture.

Meanwhile, Microsoft DNS Server, which Infoblox considers a less secure type of DNS server code, has charted a continual rapid decline for three years. "Microsoft DNS Server's [market] share continued its dramatic decline, from about 4.6 percent to 2.7 percent," wrote Liu. "Perhaps this is because administrators have become warier of exposing the Microsoft DNS Server and Windows operating systems directly to the internet."

Microsoft DNS Server market share fell from 10 percent in 2005, to 4.6 percent in 2006, then to 2.7 percent in 2007, according to the survey. Infoblox said that its decreased use was a positive step.

The survey was based on a sample that included five percent of the IPv4 address space — nearly 80 million addresses.

Editorial standards