The discovery of a major DNS flaw in mid-2008 landed the technology in many headlines, but with economic concerns weighing on many in IT, industry watchers worry that revamping systems and security around domain name servers could be put on hold in 2009.
The vulnerability discovered by director of penetration testing at IOActive, Dan Kaminsky motivated numerous vendors to upgrade their products to protect enterprise networks against cache poisoning and other DNS attacks, such as distributed denial-of-service (DDoS). IT directors were encouraged to upgrade their DNS systems to guard against potential threats, but a survey by The Measurement Group revealed that about 25% of servers had yet to be upgraded by mid-November. Now, with the year coming to a close, DNS experts worry the projects will take a back seat to cost-cutting measures.
"These name servers are trivially vulnerable to the Kaminsky attack. With an effective exploit script, a hacker can insert arbitrary data into the cache of one of these names servers in about 10 seconds," says Cricket Liu, vice president of architecture at Infoblox.
A separate survey of 466 enterprise online customers conducted by DNSstuff in September revealed that 9.6% hadn't patched their DNS servers and 21.9% didn't know if they were patched. The findings show that despite the DNS community's and several vendors' efforts, a significant number of server administrators have yet to take action. As for the reasons behind the lack of patches, more than 45% cited a lack of internal resources, 30% said they were unaware of the vulnerability and 24% reported they didn't have enough knowledge of DNS to take the appropriate steps. DNSstuff's customer research also found that the most common DNS issues among respondents include e-mail downtime for 69%, DDoS attacks and cache-poisoning attacks for nearly half and spoofing for 18.5%.
That's why the IP address management vendor is looking to dispel what it calls a handful of myths around DNS and get people paying attention to the technology in 2009, despite economic worries.
For one, Infoblox says there is a misconception that DNS is a trivial part of the network. It performs a critical function by mapping domain names to IP addresses and directing Internet inquiries to the appropriate location. "Should an enterprise's DNS systems fail ... all Internet functions, including e-mail, Web access, e-commerce and extranets become unavailable," according to Infoblox.
Secondly, the belief that any version of BIND will protect name serving machines on the Internet is false, according to Infoblox. BIND version 9 is a major rewrite of the Berkeley Internet Name Domain and includes DNS security and protocol enhancements, as well as support for IPv6.
Another misconception regarding BIND is that organizations using version 9 are safe from attacks due to the Kaminsky vulnerability. Infoblox's Liu says that is untrue. "Even running the most recent version of BIND, many organizations have not taken the necessary precautions to limit access to recursion or secure zone transfers," he says.
Lastly, the belief that upgrading DNS needs to be put off until IT can gain budget approval is false. It is possible to test the system to learn of any vulnerability and upgrade the DNS server with tools available for free download.
Recursive name servers can be tested for the Kaminsky vulnerability at doxpara.com, www.dnsadvisor.com or using DNS-OARC's port testing tool. If the servers are found to be vulnerable, Infoblox suggests moving the name server to one that uses query port randomization or move to another name server that does support it.
"Even if an enterprise has gone to the trouble of patching against the Kaminsky vulnerability, there are many other aspects of configuration, like recursion and open zone transfers, that should also be secured," Liu says. "Organizations clearly need to pay more attention to configurations and deployment architectures that are leaving their DNS infrastructures vulnerable to attacks and outages."