Domain name system (DNS) servers are the address books of the Internet. They translate URLs into IP addresses, allowing clients and servers to communicate across the Internet.
In July, security expert Dan Kaminsky revealed that he had discovered a flaw in the DNS protocol. The DNS flaw allows hackers to impersonate any website and trap unsuspecting users. Hackers can also use the flaw to disrupt corporate operations by making the DNS system misdirect emails and website queries. Exploiting the flaw, hackers conduct a "cache poisoning" attack by flooding DNS servers with queries and tricking the servers into mistranslating a URL into another IP address. Kaminsky worked with DNS software vendors to create a patch for the flaw.
Infoblox, a vendor of DNS management technology, recently completed its fourth annual global survey of DNS servers. In all, the survey found 11.9 million name servers across the world, according to Cricket Liu, vice president of architecture for Infoblox.
Nearly 11% of those DNS servers, about 1.3 million, are "trivially exploitable" by the Kaminsky vulnerability, Liu said. In other words, no one has bothered to patch them. "The scripts and Metasploits that are available out there would compromise a name server like that in as little as 10 seconds," he said. "So it's a pretty lousy result. On the other hand, maybe we should be pleased that [the rest] of the servers were patched over the last three months."
The first line of defense against the Kaminsky vulnerability is to reconfigure DNS servers to accept only non-recursive queries rather than recursive ones, Liu said. Recursive DNS servers will accept queries about any domain name from just about any source. Most DNS attacks rely on recursive queries to attack name servers. When servers are reconfigured for only non-recursive queries, the servers will respond only to queries about the domain name for which it is the authority.
Liu said that 44% of DNS servers are still configured for recursive queries, a slight improvement from 52% in 2007.
"Those open recursive name servers are at greater risk for cache poisoning," he said. "They're also easy to use in distributed denial-of-service attacks against people on the Internet."
The second line of defense against the Kaminsky vulnerability is the patch that configures DNS servers for query port randomization. Liu said this configuration instructs a server to send each query to a different random port, making it difficult for a hacker to spoof the server.
"The [hacker] would have to guess which port [the query] came from, and you would have to randomly try sending query responses to a lot of different source ports," Liu said.
The ultimate protection against Kaminsky and other vulnerabilities is to upgrade DNS servers to DNSSEC (DNS Security Extensions), a set of modifications to the DNS protocol that, when uploaded to the DNS server, improves security on DNS servers, Liu said. Unfortunately, DNS management is an afterthought in most organizations. DNSSEC adoption is still minuscule.
DNSstuff.com, a provider of online DNS management tools, recently conducted its own survey of about 450 of its users, according to Paul Parisi, DNSstuff CTO. Parisi said that 9.6% of his customers said they hadn't patched their servers for Kaminsky, and another 21.9% didn't know whether the servers were patched or not.
"That is pretty staggering, given our community," Parisi said. "These are the people who use our tools to manage DNS."
The cache poisoning that can result from the Kaminsky exploit is nevertheless a top concern, he said. The DNSstuff survey found that 44.1% of customers identified accuracy and relevance of DNS data as their biggest management challenge.
"There is a heightened awareness of it, but the survey shows that some people need some help managing it," Parisi said. "They need some best practices, and because DNS is something you touch infrequently, a lot of issues can come up with DNS just because of simple mistakes. There is a hunger out there for proper DNS reporting and management."