[ISN] Most DNS servers 'wide open' to attack
InfoSec News
isn at c4i.org
Tue Oct 25 02:20:41 EDT 2005
http://www.theregister.co.uk/2005/10/24/dns_security_survey/
By John Leyden
24th October 2005
Four in five authoritative domain name system (DNS) servers across the
world are vulnerable to types of hacking attacks that might be used by
hackers to misdirect surfers to potentially fraudulent domains. A
survey [1] by net performance firm the Measurement Factory
commissioned by net infrastructure outfit Infoblox of 1.3m internet
name servers found that 84 per cent might be vulnerable to pharming
attacks. Others exhibit separate security and deployment-related
vulnerabilities.
Pharming attacks use DNS poisoning or domain hijacks to redirect users
to dodgy URLs. For example, widespread attacks launched in April
attempted to fool consumers into visiting potentially malicious web
sites by changing the records used to convert domain names to IP
addresses. These particular pharming attacks exploited name servers
that allow recursive queries from any IP address. Recursive queries
are a form of name resolution that may require a name server to relay
requests to other name servers.
Providing recursive queries to arbitrary IP addresses on the internet
exposes a name server to both cache poisoning and denial of service
attacks. Such requests should be restricted to trusted sources. But
the study found that up to 84 per cent of the name servers
investigated relayed requests from world + dog, violating best
practices and opening the door to possible hacking attack.
The survey also revealed that more than 40 per cent of the name
servers investigated provide zone transfers to arbitrary queries. Like
recursive name services, zone transfers, which copy an entire segment
of an organization's DNS data from one DNS server to another, should
only be allowed for a designated list of trusted, authorised hosts.
Network configuration errors in setting up redundant servers for extra
availability were also uncovered during the study, which involved
using a series of carefully designed queries in order to gauge the
relative vulnerability of each name server to attacks or failures.
Cricket Liu, vice president of architecture at Infoblox and author of
O'Reilly & Associates' DNS and BIND, DNS & BIND Cookbook, and DNS On
Windows Server 2003, said "Given what enterprises are risking - the
availability of all of their network services - these results are
frightening, especially since there are easy ways to address these
issues."
Infoblox has come up with a list of 'top tips' designed to help
enterprises to guard against DNS vulnerabilities:
1. If possible, split external name servers into authoritative name
servers and forwarders.
2. On external authoritative name servers, disable recursion. On
forwarders, allow only queries from your internal address space.
3. If you can't split your authoritative name servers and forwarders,
restrict recursion as much as possible. Only allow recursive
queries if they come from your internal address space.
4. Use hardened, secure appliances instead of systems based on
general-purpose servers and operating software applications (such
as InfoBlox's appliance for DNS, we guess the firm is saying here,
well it had to get a product pitch in there somewhere).
5. Make sure you run the latest version of your domain name server
software.
6. Filter traffic to and from your external name servers. Using either
firewall or router-based filters, ensure that only authorized
traffic is allowed between your name servers and the Internet.
®
[1] http://dns.measurement-factory.com/surveys/sum1.html
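A way to confirm that tips 2 and 3 have taken effect on a name server you operate, added here as an example (it is not from the article or the survey): send a query with the recursion-desired bit set for a name the server is not authoritative for, from outside your internal address space, and read the flags in the reply. The function names and the header-only sample replies are constructed for illustration.

```python
import socket
import struct

RD = 0x0100  # recursion desired, set by the client
RA = 0x0080  # recursion available, set by the server
QR = 0x8000  # message is a response

def build_query(name, qid=0x1234, qtype=1):
    """Encode a DNS query for `name` (type A, class IN) with RD set."""
    header = struct.pack("!HHHHHH", qid, RD, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in name.strip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def classify(response):
    """Classify a reply to a recursive query for a name outside the server's zones."""
    if len(response) < 12:
        return "malformed"
    _id, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if not flags & QR:
        return "malformed"
    rcode = flags & 0x000F
    if rcode == 5:                      # REFUSED: recursion denied to this client
        return "refused"
    if flags & RA and rcode == 0 and ancount > 0:
        return "open-recursion"         # server resolved the name for an outsider
    if flags & RA:
        return "recursion-advertised"   # RA set, but no answer came back
    return "no-recursion"               # RA clear, typically a referral

def probe(server, name, timeout=3.0):
    """Query your own server over UDP port 53 and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return "no-reply"
    return classify(data)

def _reply(flags, ancount):
    # Constructed 12-byte DNS header standing in for a full reply.
    return struct.pack("!HHHHHH", 0x1234, flags, 1, ancount, 0, 0)

SAMPLE_OPEN = _reply(0x8180, 1)      # QR+RD+RA, NOERROR, one answer
SAMPLE_REFUSED = _reply(0x8105, 0)   # QR+RD, REFUSED
SAMPLE_REFERRAL = _reply(0x8100, 0)  # QR+RD, RA clear
```

An external authoritative server configured as the tips recommend should come back as "refused" or "no-recursion" when probed from an outside address.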