The Measurement Factory has conducted two surveys of Internet-connected domain name servers (DNS) on behalf of Infoblox. The surveys consisted of several queries directed at each of a large set of external DNS servers to estimate the number of systems deployed today and determine specific configuration details.
The survey results revealed that many organizations often disregard these critical systems, which perform the functions necessary to make their presence available and accessible on the Internet. The Internet Systems Consortium's BIND software, which performs the domain name resolution function, is often out of date, opening the door to malicious attacks. And, the systems are sometimes mis-configured, potentially compromising network availability.
Following is a summary of the significant survey results:
* There are an estimated 7.5 million external DNS servers on the public Internet * Over 75% domain name servers (of roughly 1.3 million sampled) allow recursive name service to arbitrary queriers. This opens a name server to both cache poisoning and denial of service attacks. * Over 40% allow zone transfers from arbitrary queriers. This exposes a name server to denial of service attacks and gives attackers information about internal networks. * In almost 33% of the cases, all authoritative name servers for a zone were on the /24 same subnetwork. This leaves network open to accidental and deliberate denial of service attacks. * Only 60% of the name server records delegating each zone matched the intrazone name server records . Mis-matched records may decrease the number of servers available for resolution, reduce redundancy, increase load, and leave a zone susceptible to denial of service attacks. * 57% run the most recent, secure versions of BIND (9.x): ---[Note]--- Chart excluded due to archive format, but results were: BIND 9.3, 9.2, 9.1 57% BIND 8.3, 8.2, 8.1 20% Windows 2000 6.5% Windows 2003 3.5% Other 13%