Fifth Annual DNS Survey Reveals Significant Internet Risk
(Market Wire Via Acquire Media NewsEdge) SANTA CLARA, CA, -- (MARKET WIRE) -- 11/16/09 --
Infoblox Inc., a developer of
appliance-based platforms that deliver DNS, DHCP and IPAM services, among
others, and The Measurement Factory, experts in performance testing and
protocol compliance, today announced results from the fifth-annual survey
of domain name servers (DNS) on the public Internet.
Results indicate that use of Microsoft DNS Servers for external DNS is
almost negligible, suggesting that many organizations understand the
security risks of this approach and have migrated to a more secure option.
However, while one potential threat has been addressed in recent years,
another has reached an alarming high. There has been a dramatic increase
in the percentage of external name servers that allow open access to
recursion. These servers represent a significant risk to the Internet
because they can be used maliciously to execute distributed denial of
service (DDoS) attacks.
"This year's survey is a Pandora's box of both frightening and hopeful
results," commented Cricket Liu, Vice President of Architecture at Infoblox
and author of O'Reilly & Associates' DNS and BIND, DNS & BIND Cookbook, and
others. "Of particular interest is the enormous growth in the number of
Internet-connected name servers, largely attributable to the introduction
by carriers of customer premises equipment (CPE) with embedded DNS
functionality. This equipment represents a significant risk to the rest of
the Internet, as without proper access controls, it facilitates enormous
DNS servers are essential network infrastructure that map domain names
(e.g., yahoo.com) to IP addresses (e.g., 126.96.36.199), directing Internet
inquiries to the appropriate location. Domain name resolution conducted by
these servers is required to perform any Internet-related request, whether
for Web browsing, email, ecommerce, or cloud computing. Should an
enterprise or organization's DNS systems become compromised by attacks, the
results can be devastating, ranging from loss of a company's Web presence,
inability of employees to access any outside Web services, and perhaps most
damaging, redirection of Web and email traffic to bogus sites, resulting in
data loss, identity theft, ecommerce fraud and more.
Following are the key 2009 DNS survey results -- along with positive,
negative, or neutral "consequence" ratings -- based on a sample that
included 5 percent of the IPv4 address space, nearly 80 million addresses.
-- NEUTRAL: There are an estimated 16.3 million name servers on the
Internet; this represents a 40% increase in 2 years likely due to an
explosion in the population of "non-traditional", proxy DNS servers
embedded in broadband access devices or customer premises equipment (CPE).
-- VERY DISTURBING: 79.6% of the name servers are open to recursion;
this represents a 27% increase in the last 2 years, likely related to the
increase in proxy DNS servers in CPE. Unfortunately, all these name
servers can be used maliciously to execute DDoS attacks, posing a
significant threat to the Internet.
-- POSITIVE: Percentage of Microsoft DNS Servers is now almost
negligible at .37%; this is likely due to greater awareness of the risks of
exposing Windows computers to the Internet.
-- POSITIVE: Percentage of zones with one or more name servers open to
zone transfers decreased to 16% from 31% (in 2008); administrators are
paying closer attention to configuration of external DNS servers, realizing
that they need to configure ACLs to prevent zone transfers, which can leave
them open to DOS attacks.
-- POSITIVE: The number of DNSSEC signed zones increased significantly -
by approximately 300%; this indicates that momentum in DNSSEC adoption is
increasing. This could be the result of greater awareness and adoption due
to the Kaminsky vulnerability last year and support for DNSSEC signed in
parent zones (.org).
Liu added, "I am pleased to see the adoption of DNSSEC accelerating and
I hope to see this number increase substantially in the next year as
more top-level zones are signed and as simplified solutions, such as
appliance platforms, help automate management of signed zones."
Call to Action
Based on these statistics, there are some clear calls to action for
organizations with external DNS servers. All organizations should assess
their DNS infrastructure and immediately take the necessary steps to make
them more reliable and secure. Infoblox provides a number of free,
automated tools that enable organizations to test their DNS infrastructure
and identify weaknesses and vulnerabilities. These tools and many other
resources, as well as the complete DNS Survey results are available on the
Infoblox.com Web site at:
For more information about Infoblox solutions, visit:
For expert commentary on DNS, DHCP and IPAM related topics, visit:
http://www.cricketondns.com/ and http://www.infra20.com/.
Infoblox delivers highly reliable and manageable platforms for core network
services like domain name resolution (DNS), IP address
assignment (DHCP), IP address management (IPAM) and more. Infoblox
solutions -- essential for the move from static networks to dynamic
infrastructure and applications -- are used by over 3,200 organizations
worldwide, including over 130 of the Fortune 500. The company is
headquartered in Santa Clara, Calif., and operates in more than 30
About The Measurement Factory
The Measurement Factory provides a variety of products and services related
to Internet testing and measurement, with a current focus on DNS, HTTP, and
ICAP. Most of the Factory's products are available under open-source
licenses. For more information, call +1-303-938-6863, email
email@example.com, or visit www.measurement-factory.com.
[ Back To TMCnet.com's Homepage ]