In this Issue:
  • Perspective: DNS Servers Need Attention Too
  • Coming this Month
  • November 2007 Articles in Print-Friendly Format
  • Share Your Security Tips and Get $100
  • The Security Pro VIP Forum

 

Perspective: DNS Servers Need Attention Too

Are your external DNS servers running the latest software, and are they configured correctly? Infoblox and The Measurement Factory asked these questions of DNS servers on the Internet and found good news and bad news. Some good news is that 65 percent of the name servers were running BIND 9, the most recent and most secure version of the Internet Systems Consortium's (ISC's) DNS implementation. This is an increase of 4 percent from last year. Some bad news is that about 50 percent of the name servers allowed recursive queries from any IP address, which leaves the servers open to pharming and to serving as amplifiers in a Distributed Denial of Service (DDoS) attack against another server.

Cricket Liu, VP of architecture at Infoblox and author of several books about DNS, BIND, and Microsoft's DNS server, described the survey method and results. Infoblox, which makes solutions that provide core network services such as DNS, DHCP, and IP address management, and The Measurement Factory, which provides products and services related to Internet testing and measurement, sent queries to 5 percent of the Internet address space (80 million addresses). The queries first determined how many of the addresses were held by DNS servers. In this third annual survey, the results showed 11.5 million name servers, up from 9 million in 2006 and 7.5 million in 2005. Liu called this a "healthy increase" that "shows how important name servers are."

The survey also has a fingerprinting component that can determine a DNS server's software by looking at how the server responds to queries. In addition to the good news that BIND 9 implementations have increased slightly (to 65 percent), the survey found that instances of the less-secure BIND 8 software had decreased from 14 percent last year to 5.6 percent this year. Liu termed this a "precipitous falloff." Microsoft DNS server implementations declined from 5 percent last year to 2.7 percent this year. Liu considers Microsoft DNS to be difficult to secure for Internet use, so he was pleased that use of this software and the BIND 8 software had decreased so significantly. It's not clear from the survey results what all the servers that quit using Microsoft DNS and BIND 8 are doing. Some probably account for the increase in BIND 9 implementations and some probably switched to using other software that the fingerprinting component can't identify.

On the DNS server configuration front, the survey results show similar or slightly worse server security postures this year than last year. The number of name servers that allowed recursion (50 percent) remained the same; the percentage of servers that allowed zone transfers (replication of data from one server to another) to arbitrary requesters grew from 29 percent in 2006 to 31 percent this year. You can see a summary of other misconfigurations the survey found in an Infoblox press release.

On a more positive note, the Sender Policy Framework (SPF) got a boost, jumping from implementation on 5 percent of servers last year to 12.6 percent in 2007. "A whole lot of people are interested in letting people gauge the authenticity of their email addresses," said Liu.

I've touched on just some of the key survey results that Liu shared with me. You can read a more complete analysis of the DNS server survey results by Liu at http://www.infoblox.com/library/pdf/2007-survey-executive-summary.pdf. The Measurement Factory's survey description is at http://dns.measurement-factory.com/surveys/200710.html.

If you want to test your own name server's security posture, Infoblox offers the Web-based DNS Advisor, a free tool for checking "the configuration, consistency, and security of your external DNS configuration."
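One way to check a name server you operate for the open-recursion condition described above, as an added example that is not from the newsletter, the survey, or Infoblox's DNS Advisor: it sends a query with the recursion-desired bit set and reads the recursion-available bit and response code from the reply header. The function names and the sample packets are constructed for illustration; run `probe` from a host outside your trusted networks, for a name the server is not authoritative for.

```python
import socket
import struct

QR, AA, RD, RA = 0x8000, 0x0400, 0x0100, 0x0080   # DNS header flag bits
NOERROR, NXDOMAIN, REFUSED = 0, 3, 5              # response codes

def build_query(name, qid):
    """Build an A-record query with the RD (recursion desired) bit set."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack("!HHHHHH", qid, RD, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def classify(response, qid):
    """Decide from the 12-byte header whether the server offered recursion."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    rid, flags = struct.unpack("!HH", response[:4])
    if rid != qid or not flags & QR:
        raise ValueError("not a response to this query")
    rcode = flags & 0x000F
    if rcode == REFUSED:
        return "refused"
    if flags & RA and not flags & AA and rcode in (NOERROR, NXDOMAIN):
        return "recursion-offered"
    return "no-recursion"

def probe(server, name, qid=0x1234, timeout=3.0):
    """Query a name server you operate and classify its reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qid), (server, 53))
        return classify(s.recv(512), qid)

# Constructed sample replies (header plus echoed question), not captured traffic.
QID = 0x1234
QUERY = build_query("www.example.com", QID)
def sample_reply(flags):
    return struct.pack("!HH", QID, flags) + QUERY[4:]

OPEN_RESOLVER = sample_reply(QR | RD | RA)        # NOERROR with RA set
REFUSING = sample_reply(QR | RD | REFUSED)        # recursion denied to this client
AUTH_ONLY = sample_reply(QR | RD)                 # RA clear: no recursion on offer

if __name__ == "__main__":
    for label, pkt in (("open", OPEN_RESOLVER), ("refusing", REFUSING), ("auth-only", AUTH_ONLY)):
        print(label, "->", classify(pkt, QID))
```

A "recursion-offered" result from an outside address is the condition the survey counted; on BIND 9 the `allow-recursion` option restricts which clients may recurse.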

Windows IT Pro articles about building a DNS infrastructure and troubleshooting DNS:

"DNS Annoyances," February 2007

"Windows Server 2003 DNS," October 2003

"Solving DNS Problems," September 2003

"Troubleshooting DNS-Related AD Logon Problems, Part 2," February 2002

"Troubleshooting DNS-Related AD Logon Problems, Part 1," November 2001

Renee Munshi, Security Pro VIP Editor

 

Coming this Month

"Protect User Privacy in Internet Explorer 7.0" by Jan De Clercq
Microsoft embedded P3P support and cookie filtering in IE 7.0 to help users protect their personal data from possible misuse. Use these features wisely to make your users' online experience safer.
This article is now live on the Web.

"Advanced Group Policy Management Extends Group Policy Management Console" by Russell Smith
GPMC can't manage, control, and track the changes made by multiple administrators. But AGPM, part of the Microsoft Desktop Optimization Pack for Software Assurance, lets you check GPOs in and out for editing and compare two versions of a GPO.
Coming December 13.

Toolbox: "Flying Buttress" by Jeff Fellinge
If you use a Mac or are responsible for the security of Macs within your organization, you need to check out Flying Buttress—a tool that allows granular configuration of Apple’s built-in firewall, ipfirewall.
Coming December 20.

Access Denied
Randy Franklin Smith answers your Windows security questions.
Coming December 27.

 

November 2007 Articles in Print-Friendly Format

If you're someone who prefers your newsletters in printed form, check out this .pdf file. It contains all the security articles posted on the Security Pro VIP Web site in November. Print and enjoy!

 

Share Your Security Tips and Get $100

Share your security-related tips, comments, or problems and solutions in Security Pro VIP's Reader to Reader column. Email your contributions to r2r@securityprovip.com. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.

 

The Security Pro VIP Forum

The Security Pro VIP forum is your place to ask questions about security topics and about articles posted on the Security Pro VIP Web site and to get answers from other forum members, including Orin Thomas, forum moderator, and article authors. Let's talk!