November 21, 2007; 05:21 AM
SANTA CLARA, Calif. -- Infoblox Inc., a
developer of appliances that deliver “utility-grade” core network
services, and The Measurement Factory, experts in performance testing
and protocol compliance, announced on Monday results from the third-annual
survey of domain name servers on the public Internet.
DNS servers are essential network infrastructure that map domain names
(e.g., yahoo.com) to IP addresses (e.g., 126.96.36.199), directing
Internet inquiries to the appropriate location. Domain name resolution
conducted by these servers is required to perform any Internet-related
request. Should an enterprise or organization’s DNS systems fail, all
Internet functions, including email, web access, e-commerce, and
extranets become unavailable.
Overall, results indicate that the number of DNS systems is increasing,
which is a good indicator of Internet growth in terms of
infrastructure, users, traffic and applications. Also on a positive
note, results indicate that the DNS infrastructure is modernizing and
coalescing around the most recent versions of BIND. Further, there is a
real indication of interest in fighting spam. However, many DNS servers
still allow recursion and zone transfers, indicating that the global
DNS system is as vulnerable as ever.
“For the overall security of the Internet, it is good to see movement
away from Microsoft DNS Servers for external DNS as well as a growing
trend to use the most recent versions of BIND, which are more secure,”
Cricket Liu, vice president of architecture at Infoblox and author of
O’Reilly & Associates’ DNS and BIND, DNS & BIND Cookbook, and
DNS On Windows Server 2003, commented. “However, even with growing
adoption of more secure name servers, compromises of these systems are
still occurring and organizations need to pay more attention to
configurations and deployment architectures that are leaving their DNS
infrastructures vulnerable to attacks and outages. Instead of waiting
until they are attacked, all organizations should assess their DNS
infrastructure and immediately take the necessary steps to make them
more reliable and secure.”
Following are the key 2007 DNS survey results, which are based on a
sample that included 5 percent of the IPv4 address space, nearly 80
The Good News
Overall growth and modernization of DNS systems improves security and
availability. Further, there is a real indication of interest in
• The Internet-facing DNS server count increased to 11.5 million (up
from ~9 million in 2006 and 7.5 million in 2005) – The domain name
system is growing, a good indicator of the overall growth of the
Internet, users, traffic and applications.
• BIND 9 usage grew to 65% in 2007 (up from 61% in 2006 and 58% in
2005) – The growing use of the most recent and secure version of
open-source domain name server software indicates that organizations
are paying attention to the version of BIND they are running and that
they are increasingly aware of related security issues.
• BIND 8 usage decreased to 5.6% in 2007 (down from 14% in 2006 and 20%
in 2005) – The decreased usage of BIND 8 – an older version recently
“end-of-lifed” by ISC – by almost two-thirds year-over-year, indicates
that many organizations are making the effort to deploy the most
reliable and secure DNS implementations and are making the global DNS
infrastructure more secure.
• Usage of the Microsoft DNS Server cut in half (a decrease to 2.7%
from 5% in 2006 and 10% in 2005) – The significant reduction in usage
of the Microsoft DNS Server by nearly one-half reflects concerns over
risks associated with deploying Microsoft Windows servers that are
exposed to the public Internet.
• Support for SPF increased to 12.6% in 2007 (up from 5% of the zones
sampled in 2006) – This increase in usage of SPF (the Sender Policy
Framework) increases the effectiveness of the technology, and indicates
that organizations are taking email fraud seriously.
The Bad News
Continued deployment and configuration mistakes are leaving the global DNS system as vulnerable as ever.
• Still more than 50% of Internet name servers allow recursive queries
(consistent with 2006) – This form of name resolution often requires a
name server to relay requests to other name servers, which can leave
name servers vulnerable to pharming attacks and allow those servers to
be used in DNS amplification attacks that can take down important
• DNS servers surveyed allowing zone transfers to arbitrary requestors
grew to 31% in 2007 (up from 29% in 2006) – Allowing zone transfers to
arbitrary queriers enables duplication of an entire segment of an
organization’s DNS data from one DNS server to another and can leave
them as easy targets for denial-of-service attacks.
• Still ~75% of zones surveyed have low expire values and almost 78%
still use negative-caching TTL settings outside the suggested range of
one to three hours – These figures, consistent with 2006, indicate that
many DNS servers are not configured correctly, which can significantly
increases the risk of service outages to an organization.
• Only .002% of zones tested support DNSSEC – Limited adoption of
DNSSEC, the IETF standard that adds cryptographic authentication and
integrity checking to DNS, indicates that administrators are not
convinced of its importance, are perhaps intimidated by its complexity,
and that the standard seems unlikely to succeed on its own merits as a
means to improve DNS security.
To view the complete 2007 DNS survey results and to access several best
practices guides and tools, like the Infoblox DNS Advisor, which helps
assess the vulnerability of an organization’s DNS infrastructure,
Infoblox appliances deliver utility-grade core network services,
including domain name resolution (DNS), IP address assignment and
management (IPAM/DHCP), authentication (RADIUS) and related services.
Infoblox solutions, which provide the essential “glue” between networks
and applications, are used by over 1,900 organizations worldwide,
including over 100 of the Fortune 500. The company is headquartered in
Santa Clara, Calif., and operates in more than 30 countries. For more
information, call +1.408.625.4200, email [email protected], or visit www.infoblox.com.
About The Measurement Factory
The Measurement Factory provides a variety products and services
related to Internet testing and measurement, with a current focus on
DNS, HTTP, and ICAP. Most of the Factory’s products are available under
open-source licenses. For more information, call +1-303-938-6863, email
[email protected], or visit www.measurement-factory.com.