NEW CGI Directory

Home Press Releases DNS Survey Reveals Many System ...

Press Releases by

DNS Survey Reveals Many Systems Still Vulnerable to Attacks Despite Some Marked Improvements

November 21, 2007; 05:21 AM
SANTA CLARA, Calif. -- Infoblox Inc., a developer of appliances that deliver “utility-grade” core network services, and The Measurement Factory, experts in performance testing and protocol compliance, announced on Monday results from the third-annual survey of domain name servers on the public Internet.

DNS servers are essential network infrastructure that map domain names (e.g., to IP addresses (e.g.,, directing Internet inquiries to the appropriate location. Domain name resolution conducted by these servers is required to perform any Internet-related request. Should an enterprise or organization’s DNS systems fail, all Internet functions, including email, web access, e-commerce, and extranets become unavailable.

Overall, results indicate that the number of DNS systems is increasing, which is a good indicator of Internet growth in terms of infrastructure, users, traffic and applications. Also on a positive note, results indicate that the DNS infrastructure is modernizing and coalescing around the most recent versions of BIND. Further, there is a real indication of interest in fighting spam. However, many DNS servers still allow recursion and zone transfers, indicating that the global DNS system is as vulnerable as ever.

“For the overall security of the Internet, it is good to see movement away from Microsoft DNS Servers for external DNS as well as a growing trend to use the most recent versions of BIND, which are more secure,” Cricket Liu, vice president of architecture at Infoblox and author of O’Reilly & Associates’ DNS and BIND, DNS & BIND Cookbook, and DNS On Windows Server 2003, commented. “However, even with growing adoption of more secure name servers, compromises of these systems are still occurring and organizations need to pay more attention to configurations and deployment architectures that are leaving their DNS infrastructures vulnerable to attacks and outages. Instead of waiting until they are attacked, all organizations should assess their DNS infrastructure and immediately take the necessary steps to make them more reliable and secure.”

Following are the key 2007 DNS survey results, which are based on a sample that included 5 percent of the IPv4 address space, nearly 80 million addresses.

The Good News
Overall growth and modernization of DNS systems improves security and availability. Further, there is a real indication of interest in fighting spam.

• The Internet-facing DNS server count increased to 11.5 million (up from ~9 million in 2006 and 7.5 million in 2005) – The domain name system is growing, a good indicator of the overall growth of the Internet, users, traffic and applications.

• BIND 9 usage grew to 65% in 2007 (up from 61% in 2006 and 58% in 2005) – The growing use of the most recent and secure version of open-source domain name server software indicates that organizations are paying attention to the version of BIND they are running and that they are increasingly aware of related security issues.

• BIND 8 usage decreased to 5.6% in 2007 (down from 14% in 2006 and 20% in 2005) – The decreased usage of BIND 8 – an older version recently “end-of-lifed” by ISC – by almost two-thirds year-over-year, indicates that many organizations are making the effort to deploy the most reliable and secure DNS implementations and are making the global DNS infrastructure more secure.

• Usage of the Microsoft DNS Server cut in half (a decrease to 2.7% from 5% in 2006 and 10% in 2005) – The significant reduction in usage of the Microsoft DNS Server by nearly one-half reflects concerns over risks associated with deploying Microsoft Windows servers that are exposed to the public Internet.

• Support for SPF increased to 12.6% in 2007 (up from 5% of the zones sampled in 2006) – This increase in usage of SPF (the Sender Policy Framework) increases the effectiveness of the technology, and indicates that organizations are taking email fraud seriously.

The Bad News
Continued deployment and configuration mistakes are leaving the global DNS system as vulnerable as ever.

• Still more than 50% of Internet name servers allow recursive queries (consistent with 2006) – This form of name resolution often requires a name server to relay requests to other name servers, which can leave name servers vulnerable to pharming attacks and allow those servers to be used in DNS amplification attacks that can take down important Internet infrastructure.

• DNS servers surveyed allowing zone transfers to arbitrary requestors grew to 31% in 2007 (up from 29% in 2006) – Allowing zone transfers to arbitrary queriers enables duplication of an entire segment of an organization’s DNS data from one DNS server to another and can leave them as easy targets for denial-of-service attacks.

• Still ~75% of zones surveyed have low expire values and almost 78% still use negative-caching TTL settings outside the suggested range of one to three hours – These figures, consistent with 2006, indicate that many DNS servers are not configured correctly, which can significantly increases the risk of service outages to an organization.

• Only .002% of zones tested support DNSSEC – Limited adoption of DNSSEC, the IETF standard that adds cryptographic authentication and integrity checking to DNS, indicates that administrators are not convinced of its importance, are perhaps intimidated by its complexity, and that the standard seems unlikely to succeed on its own merits as a means to improve DNS security.

To view the complete 2007 DNS survey results and to access several best practices guides and tools, like the Infoblox DNS Advisor, which helps assess the vulnerability of an organization’s DNS infrastructure, visit:

About Infoblox
Infoblox appliances deliver utility-grade core network services, including domain name resolution (DNS), IP address assignment and management (IPAM/DHCP), authentication (RADIUS) and related services. Infoblox solutions, which provide the essential “glue” between networks and applications, are used by over 1,900 organizations worldwide, including over 100 of the Fortune 500. The company is headquartered in Santa Clara, Calif., and operates in more than 30 countries. For more information, call +1.408.625.4200, email [email protected], or visit

About The Measurement Factory
The Measurement Factory provides a variety products and services related to Internet testing and measurement, with a current focus on DNS, HTTP, and ICAP. Most of the Factory’s products are available under open-source licenses. For more information, call +1-303-938-6863, email [email protected], or visit

Related Press Releases and Features
Other Press Releases by This Company
Infoblox Unveils New IP Address Management Solution for Microsoft Environments - October 16, 2007
BIND 8 End-of-Life Prompts Migration to New, More Advanced DNS Systems - September 11, 2007
Infoblox Acquires Ipanto, IP Address Management Innovator - August 28, 2007



Related Resources

Other Resources