Measuring (not so) recent BIND nameserver patching

Guest editorial by Derek Callaway

In an interview with Dark Reading at BlackHat Las Vegas 2008, Kaminsky estimated that between 60 and 70 percent of Fortune 500 companies have patched -- but what about the rest of the Internet? Originally, I considered executing nameserver version query sweeps against only U.S. government networks, but I decided not to as I figured I would already be turning enough heads as it is.

[ SEE: Vulnerability disclosure gone awry: Understanding the DNS debacle ]

A number of assumptions have been made throughout this research:

1. That the version number and patch level advertised by the nameserver is correct.
2. That properly patched nameservers are not still vulnerable as a result of gateway device Port Address Translation.
3. That the domain names retrieved from the Open Directory Project are served by a representative sample of BIND nameservers as a whole.

Therefore, the measurements provided should only be treated as what they are -- rough estimates. To that end, I wrote a bash shell script that: downloads the content file from the Open Directory Project, parses out random domain names that have three character top-level domains, sends a version query to the nameserver(s) authoritative for each domain, compares the result of the query to BIND version numbers with and without the fix, continues this process until 1,000 unique domain names have been tested, and calculates statistics based on the results. Note that invalid version query responses such as timeouts and strings that do not adhere to BIND version numbering cause a domain to be discarded.

[ SEE: Attack code published for DNS flaw ]

Here's what I found:

First, let me define a few terms to describe my findings. Un-Patched means that the domain had at least one nameserver that was not patched to address the DNS cache poisoning vulnerability; therefore, in all likelyhood it is vulnerable to CVE-2008-1447. In this research, Out-Dated means that the domain had at least one nameserver that hasn't been updated for over a year so, in addition to CVE-2008-1447, it's vulnerable to issues from previous CERT advisories. Dinosaur describes a domain with a nameserver that was last updated during or before the year 2002. Up-To-Date means that the domain is not vulnerable to any publicly known vulnerabilities, including Kaminsky's bug from CVE-2008-1447 because all of the nameservers responsible for it have been recently updated.

As matters stand, according to the aforementioned definitions:

• 950 domains were vulnerable
  • Un-Patched: 319
  • Out-Dated: 593
  • Dinosaurs: 38

• 336 domains had a nameserver that performed recursive queries
  • Of these, 327 were vulnerable to cache poisoning

• 69 domains had a nameserver performed zone transfers

• 50 domains were Up-To-Date

A previous test run yielded similar results so I feel that these numbers are a decent estimation. Again, the domains that were a part of this experiment only have nameservers that respond with the default VERSION.BIND string. Still, this is quite a patching deficiency when taking into account that this is a major security hole in the Internet infrastructure that received significant media attention and well over a month has passed since patches were released.

Here's how I did it.  Here's the output from the shell script. Here is the output from all the executions of the tool by the shell script.

* Derek Callaway is a computer programmer and security analyst.  When he's not analyzing applications, system architecture, or penetration testing, his preferred areas of study are vulnerability research and security tool development.  He is currently part of the development team for a dynamic binary analysis tool at Security Objectives.