The survey probed almost 90 million IP addresses (out of the 1.8 billion registered ones) to see what portion of them are DNS servers and to investigate the characteristics of the DNS server machines that were found (what software is installed on them and how it is configured). 0.67% of the queries sent received DNS-specific replies, which leads to the conclusion that there are around 11 million DNS servers in the world. So what do they "wear"? To find that out, the researchers relied on fpdns, a proof-of-concept tool that can fingerprint over 50 different types of DNS software.
An impressive 70% of them use the BIND open source server; 65% in total run BIND version 9, which is a significant improvement in terms of security compared to its predecessors. That can definitely be seen as a step forward (taking into consideration the numerous security vulnerabilities that version 8 and earlier had in the past). Moreover, one of the notable facts is that Microsoft DNS servers (both the 2000 and 2003 versions) hold only a bit more than 2.5% of the "market". That is indeed significantly low! Even though the software has not shown major security flaws in the past, it is still not trusted by companies and organizations that wish to deploy this specific service. Can this be explained by the long-standing bad reputation of Microsoft's products in terms of security?!
Good news up to this point. So, where is the catch?!
For a start, 16 million machines were found to be acting as open resolvers (more than the total number of DNS servers?!). The explanation given for this strange number was that sometimes you may not even get a reply from an existing name server (making it "invisible" and thus not counted in the first figure of 11 million DNS servers), but it can still forward the DNS request (which means that there is some sort of mechanism/software handling that request)! But why are open resolvers a problem?
According to a presentation by John Kristoff, the security implications of the use of an open resolver can be:
- Reflection attacks through spoofing
- Small queries can solicit large answers for amplification attacks
- Cache enumeration and spying enabled
- Remote cache poisoning difficulty is reduced
- Resolver and network resource theft
"... Web sites that you never tried to reach could send a message looking like a response and it would be stored in the cache. This is a security hole that might allow unauthorized DNS servers to send invalid information for the purpose of misdirecting subsequent DNS queries."
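To make the survey's open-resolver test concrete, here is an added example (not code from the survey or from fpdns) that builds the kind of recursive probe such a survey sends and classifies a reply from its header flags, so you can check whether your own name server recurses for arbitrary clients. It assumes the probe is a query with RD=1 for a name the probed host is not authoritative for; the function names, the `fake_reply` helper and the constructed replies are mine.

```python
"""Classify a DNS reply the way an open-resolver survey does (added example).
Assumption: the probe is a recursive query (RD=1) for a name the probed host
is not authoritative for; a reply with RA=1, NOERROR and answers means the
host recursed on behalf of a stranger, i.e. it is an open resolver."""
import struct

QR, RD, RA = 0x8000, 0x0100, 0x0080   # header flag bits (RFC 1035, section 4.1.1)
RCODE_MASK = 0x000F
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def encode_name(name):
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, txid=0x1234, qtype=1, recursion_desired=True):
    """Build a standard query (QTYPE A by default); RD=1 asks the server to recurse."""
    flags = RD if recursion_desired else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)   # qd=1, an=ns=ar=0
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # IN class

def parse_header(msg):
    """Extract the fields an open-resolver check cares about from the 12-byte header."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & QR), "rd": bool(flags & RD),
            "ra": bool(flags & RA), "rcode": flags & RCODE_MASK, "ancount": an}

def classify_reply(query, reply):
    """Classify a probed host from its reply to the recursive query it was sent."""
    h = parse_header(reply)
    if h["id"] != struct.unpack("!H", query[:2])[0] or not h["qr"]:
        return "not a DNS reply"        # a survey would not count this host at all
    if h["rcode"] == 5:
        return "refused"                # recursion restricted to allowed clients: good
    if h["ra"] and h["rcode"] == 0 and h["ancount"] > 0:
        return "open resolver"          # recursed for an arbitrary client: bad
    if not h["ra"]:
        return "no recursion offered"   # answered, but does not offer recursion
    return "other (%s)" % RCODE_NAMES.get(h["rcode"], h["rcode"])

def fake_reply(query, flags, ancount=0):
    """Constructed reply for offline use: echo the query with new flags and counts
    (no resource-record bodies, which the header-based check does not need)."""
    return query[:2] + struct.pack("!HHHHH", flags, 1, ancount, 0, 0) + query[12:]
```

Against a live server you would send `build_query(...)` over UDP port 53 and pass the received bytes to `classify_reply`; the same check is what services such as openresolver-style testers apply to your own address.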
OK, open resolvers are bad. But there is more out there. And a good solution to some of the security problems of DNS is DNSSEC. As stated on its website:
"... DNSSEC was designed to protect the Internet from certain attacks, such as DNS cache poisoning. It is a set of extensions to DNS, which provide: a) origin authentication of DNS data, b) data integrity, and c) authenticated denial of existence."

But how many use these features? As it seems, only 0.0018% of the DNS servers!!!! That is more than disappointing. How hard can it be to install and configure? Well, according to my personal experience, not so much. If university students can complete an assignment on that topic in a limited time frame during a course of a Master's program at KTH, then I guess a more experienced Unix admin can do it equally fast (and probably/hopefully better).
Another security issue closely related to the DNS protocol is the ever-growing problem of spam. SPF is a good (but not sufficient on its own) solution for dealing with the problem. In a few words, what SPF does is check the "From" field of an e-mail and, if the e-mail comes from a forged DNS record, reject it (through a TXT record entry in the configuration file of the server). Fast and easy, right? Well, how many DNS servers implement it? Only 16% of them. Things get even worse if we consider those servers which implement the new type of SPF records (a dedicated SPF resource record in the configuration file): 0.0022%!!!
Having said all that, we must ask ourselves: updating the software (BIND 9 over earlier versions) and choosing more secure products (the open source vs. proprietary software debate) can lead to improvement, but should we rely on that alone? There are more ways security can be improved by taking simple (sometimes not even technologically advanced) measures. So, why don't we? Are we security aware enough after all? More than 99% of the DNS servers out there "shout" in despair.
