Second Annual DNS Survey Reveals Growth and Improvements, But Many Systems Still Vulnerable to Attacks

Infoblox Introduces Cricket Liu’s DNS Advisor: Free Online Tool Enables Organizations to Assess Their DNS Systems and Provides Recommendations for Addressing Weaknesses.

October 10, 2006; 12:55 AM

SANTA CLARA, Calif. — Infoblox Inc., a developer of essential infrastructure for identity-driven networks (IDNs), and The Measurement Factory, experts in performance testing and protocol compliance, today announced availability of the “2006 DNS Report Card”, featuring results of their second annual survey of Domain Name System (DNS) servers on the public Internet.

In related news, Infoblox also announced today availability of Cricket Liu’s DNS Advisor, a free online tool that assesses an organization’s external DNS systems and provides a report that includes helpful advice for improvement.

DNS servers are essential network infrastructure that map domain names to IP addresses, directing Internet requests to the appropriate location. Domain name resolution by these servers is required for any Internet-related request. Should an enterprise or organization’s DNS systems fail, all Internet functions, including email, web access, e-commerce, and extranets, become unavailable.

The DNS survey provides an estimate of the total number of DNS servers deployed and also examines the configuration of the servers that are scanned. It was based on a sample covering 5 percent of the IPv4 address space – nearly 80 million devices. The results were categorized in three areas: DNS infrastructure, security, and adoption of new applications. By comparing results from the 2006 survey with those compiled in the 2005 survey, a picture of key trends emerges. Highlights of the results include the following:

DNS Infrastructure Earns a “B” Grade

  • Total number of external DNS servers grew 20 percent, from 7.5 million in 2005 to 9 million in 2006. Most of the growth appeared to come from developing economies, and many of the new servers are embedded in access devices, such as cable modems and DSL routers.
  • Use of BIND 9 – the most recent and secure version of open-source domain name server software – grew from 58 percent of the total in 2005 to 61 percent in 2006, implying that organizations are paying attention to the version of BIND they are running and that they are increasingly aware of related security issues.
  • Use of BIND 8 – an older version of DNS software – decreased by 30 percent from 20 percent (2005) to 14 percent (2006), indicating that many organizations are making the effort to deploy the most reliable and secure DNS implementations.
  • Use of the Microsoft DNS Server decreased by 50 percent from 10 percent to 5 percent of the total in 2006, perhaps reflecting concerns over risks associated with deploying Microsoft Windows servers that are exposed to the public Internet.

DNS Security Barely Passes with a “D+” Grade

  • More than 50 percent of Internet name servers allow recursive name services – a form of name resolution that often requires a name server to relay requests to other name servers – leaving many networks vulnerable to pharming attacks and enabling their servers to be used in DNS amplification attacks that can take down important DNS infrastructure.
  • Over 29 percent of DNS servers surveyed allow zone transfers to arbitrary queriers, enabling duplication of an entire segment of an organization’s DNS data from one DNS server to another and leaving them easy targets for denial of service attacks.

Security researcher Dan Kaminsky, who has spent several years investigating security and reliability issues in the Internet's Domain Name System, commented: “People tend to take DNS for granted, but if it goes down, so does your network. As Infoblox’s data shows, there are indeed organizations that should take urgent action to bolster their DNS infrastructure.”

Cricket Liu, vice president of architecture at Infoblox and author of O’Reilly & Associates’ DNS and BIND, DNS & BIND Cookbook, and DNS On Windows Server 2003, commented, “While there have been improvements, organizations still need to be cognizant that without proper configuration and management, their DNS infrastructures are likely to be vulnerable to attack and brittle in the face of common outages. All organizations should assess their DNS systems and immediately take the necessary steps to make them reliable and secure.”

Cricket Liu’s DNS Advisor Helps Organizations Identify Specific Vulnerabilities

Now available on the Infoblox website is the Cricket Liu DNS Advisor tool, designed to identify DNS infrastructure vulnerabilities and configuration deficiencies. The tool tests for a variety of DNS-related conditions, including the following:

  • Single points of failure, which can compromise network availability;
  • Misconfigured or poorly operating name servers that can compromise network availability and pose a security risk;
  • Unsecured zone transfers that can expose name servers to denial of service attacks;
  • IP address/name inconsistencies, which can result in network management confusion;
  • Outdated BIND versions that leave networks vulnerable to a variety of known attacks; and
  • Unsecured recursive queries that leave name servers vulnerable to DNS cache poisoning and denial of service attacks.

According to Liu, there are several simple steps and deployment best practices that enterprises can take to address DNS vulnerabilities and configuration issues such as those the tool tests for:
  1. On external authoritative name servers, disable recursion. On forwarders, allow only queries from your internal address space.
  2. If you can’t split your authoritative name servers and forwarders, restrict recursion as much as possible. Only allow recursive queries if they come from your internal address space.
  3. Use hardened, secure appliances that enable easy upgrades instead of systems based on general-purpose servers and operating software applications.
  4. Make sure you run the latest version of your domain name server software.
  5. Filter traffic to and from your external name servers. Using either firewall- or router-based filters, ensure that only authorized traffic is allowed between your name servers and the Internet.
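As an added example (not part of the Infoblox release or the DNS Advisor tool), the following BIND 9 named.conf fragment applies steps 1 and 2 above and closes the open zone-transfer condition the tool checks for; the addresses and zone name are placeholders, and the firewall filtering of step 5 must be done outside BIND.

```conf
// Weak configuration, shown for contrast (commented out): recursion open to
// every querier and zone transfers allowed to anyone, the two conditions
// the 2006 survey flagged most often.
// options {
//     recursion yes;
//     allow-transfer { any; };
// };

// Placeholder addresses: substitute your own internal ranges and secondaries.
acl internal {
    192.0.2.0/24;
    127.0.0.1;
};

acl secondaries {
    198.51.100.53;
};

options {
    directory "/var/named";

    // Step 1: an external authoritative server answers only for the zones
    // it hosts and never recurses on behalf of Internet clients.
    recursion no;
    allow-query { any; };

    // Zone transfers are denied by default; individual zones open them
    // only to the listed secondaries below.
    allow-transfer { none; };
};

// Step 2: if authoritative and resolver roles cannot be split, replace
// "recursion no;" above with these lines so that only internal clients can
// trigger recursion or read cached answers:
//     recursion yes;
//     allow-recursion { internal; };
//     allow-query-cache { internal; };

zone "example.com" {
    type master;
    file "example.com.zone";
    allow-transfer { secondaries; };   // AXFR only to your own secondaries
    notify yes;
};
```

After reloading, `dig @your-server example.com AXFR` from an address outside the secondaries ACL should return REFUSED, and a recursive query for a foreign name should come back without the RA flag.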

To view the complete 2006 DNS Report Card, access the Infoblox DNS Advisor Tool and find more DNS Best Practices to address vulnerabilities, visit:

Jennifer Jasper, Senior Manager, Corporate Communications
408.205.8383
