Are your external DNS servers running the latest software, and are they configured correctly? Infoblox and The Measurement Factory asked these questions of DNS servers on the Internet and found good news and bad news. Some good news is that 65 percent of the name servers were running BIND 9, the most recent and most secure version of the Internet Systems Consortium's (ISC's) DNS implementation. This is an increase of 4 percent from last year. Some bad news is that about 50 percent of the name servers allowed recursive queries from any IP address, which leaves the servers open to pharming and to serving as amplifiers in a Distributed Denial of Service (DDoS) attack against another server.
Cricket Liu, VP of architecture at Infoblox and author of several books about DNS, BIND, and Microsoft's DNS server, described the survey method and results. Infoblox, which makes solutions that provide core network services such as DNS, DHCP, and IP address management, and The Measurement Factory, which provides products and services related to Internet testing and measurement, sent queries to 5 percent of the Internet address space (80 million addresses). The queries first determined how many of the addresses were held by DNS servers. In this third annual survey, the results showed 11.5 million name servers, up from 9 million in 2006 and 7.5 million in 2005. Liu called this a "healthy increase" that "shows how important name servers are."
The survey also has a fingerprinting component that can determine a DNS server's software by looking at how the server responds to queries. In addition to the good news that BIND 9 implementations have increased slightly (to 65 percent), the survey found that instances of the less-secure BIND 8 software had decreased from 14 percent last year to 5.6 percent this year. Liu termed this a "precipitous falloff." Microsoft DNS server implementations declined from 5 percent last year to 2.7 percent this year. Liu considers Microsoft DNS to be difficult to secure for Internet use, so he was pleased that use of this software and the BIND 8 software had decreased so significantly. It's not clear from the survey results what all the servers that quit using Microsoft DNS and BIND 8 are doing. Some probably account for the increase in BIND 9 implementations and some probably switched to using other software that the fingerprinting component can't identify.
On the DNS server configuration front, the survey results show similar or slightly worse server security postures this year than last year. The number of name servers that allowed recursion (50 percent) remained the same; the percentage of servers that allowed zone transfers (replication of data from one server to another) to arbitrary requesters grew from 29 percent in 2006 to 31 percent this year. You can see a summary of other misconfigurations the survey found in an Infoblox press release.
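The two misconfigurations the survey counts, open recursion and open zone transfers, are both a matter of BIND's `options` block. The following added example (not from the article, Infoblox, or the survey) audits two constructed `named.conf` fragments: one with the weak `allow-recursion { any; }` / `allow-transfer { any; }` settings a probe would flag, and the same server restricted to authoritative-only service with transfers limited to named secondaries. The addresses and the `audit_options` function are assumptions for illustration; it only inspects explicit directives and reports missing ones rather than guessing version-specific defaults.

```python
import re

# Constructed sample: the open configuration the survey counts as a risk.
WEAK_OPTIONS = """
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { any; };
    allow-transfer { any; };
};
"""

# Constructed sample: external authoritative server with recursion off and
# zone transfers limited to two hypothetical secondaries (RFC 5737 addresses).
HARDENED_OPTIONS = """
options {
    directory "/var/named";
    recursion no;
    allow-recursion { none; };
    allow-transfer { 192.0.2.10; 192.0.2.11; };
};
"""

# Matches "allow-recursion { ... };" and "allow-transfer { ... };" directives.
ACL = re.compile(r'\b(allow-recursion|allow-transfer)\s*\{([^}]*)\}\s*;')
# Matches the boolean "recursion yes;" / "recursion no;" directive.
RECURSION = re.compile(r'\brecursion\s+(yes|no)\s*;')


def parse_acls(conf):
    """Map each ACL directive found in conf to its list of address-match entries."""
    return {name: [entry.strip() for entry in body.split(';') if entry.strip()]
            for name, body in ACL.findall(conf)}


def audit_options(conf):
    """Return a list of findings for an options block; an empty list means no issue found."""
    findings = []
    acls = parse_acls(conf)
    match = RECURSION.search(conf)
    recursion_on = (match.group(1) == "yes") if match else None  # None: not stated

    rec = acls.get("allow-recursion")
    if recursion_on is False:
        pass  # authoritative-only server; allow-recursion is moot
    elif rec is not None and "any" in rec:
        findings.append("open recursion: allow-recursion { any; }")
    elif rec is None or recursion_on is None:
        findings.append("recursion not pinned down; set 'recursion no' on external "
                        "authoritative servers or restrict allow-recursion")

    xfer = acls.get("allow-transfer")
    if xfer is None:
        findings.append("allow-transfer not set; restrict it to your secondaries")
    elif "any" in xfer:
        findings.append("open zone transfer: allow-transfer { any; }")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_OPTIONS), ("hardened", HARDENED_OPTIONS)):
        print(label, audit_options(conf) or ["no findings"])
```

Run against your own `named.conf` by reading the file into `audit_options`; a server that must recurse for internal clients should keep `recursion yes` but list only its own networks in `allow-recursion`, and the external-facing authoritative servers should be separate machines with recursion disabled.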
On a more positive note, the Sender Policy Framework (SPF) got a boost, jumping from implementation on 5 percent of servers last year to 12.6 percent in 2007. "A whole lot of people are interested in letting people gauge the authenticity of their email addresses," said Liu.
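To show what a published SPF record actually lets a receiving mail server decide, here is an added example (not from the article or from Infoblox) that evaluates a constructed `v=spf1` TXT record against a sender's IP address. The record, the addresses, and the `check_spf` function are assumptions for illustration; it handles the `ip4`, `ip6` and `all` mechanisms with their qualifiers and skips mechanisms such as `include`, `a` and `mx` that would need live DNS lookups.

```python
import ipaddress

# Constructed sample record for a hypothetical domain: only the listed
# networks may send its mail; everything else hard-fails.
SPF_RECORD = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"

# Qualifier characters map to the SPF result a matching mechanism produces.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record, sender_ip):
    """Return 'pass', 'fail', 'softfail', 'neutral', or 'none' (no SPF record)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"  # a mechanism without a qualifier means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            matched = True
        elif ":" in term:
            mech, value = term.split(":", 1)
            if mech.lower() not in ("ip4", "ip6"):
                continue  # include:/exists: need DNS lookups; not evaluated offline
            net = ipaddress.ip_network(value, strict=False)
            matched = ip.version == net.version and ip in net
        else:
            continue  # a, mx, ptr need DNS lookups; not evaluated offline
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched: the default result


if __name__ == "__main__":
    for sender in ("192.0.2.25", "2001:db8::1", "198.51.100.7"):
        print(sender, check_spf(SPF_RECORD, sender))
```

A record ending in `~all` (softfail) lets a domain roll SPF out while watching for legitimate senders it forgot to list; switching to `-all` is what gives receivers grounds to reject forged mail outright.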
I've touched on just some of the key survey results that Liu shared with me. You can read a more complete analysis of the DNS server survey results by Liu at http://www.infoblox.com/library/pdf/2007-survey-executive-summary.pdf. The Measurement Factory's survey description is at http://dns.measurement-factory.com/surveys/200710.html.
If you want to test your own name server's security posture, Infoblox offers the Web-based DNS Advisor, a free tool for checking "the configuration, consistency, and security of your external DNS configuration."
Windows IT Pro articles about building a DNS infrastructure and troubleshooting DNS:
"DNS Annoyances," February 2007
"Windows Server 2003 DNS," October 2003
"Solving DNS Problems," September 2003
"Troubleshooting DNS-Related AD Logon Problems, Part 2," February 2002
"Troubleshooting DNS-Related AD Logon Problems, Part 1," November 2001