<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-5619903772322133597</id><updated>2011-04-21T22:10:03.772+02:00</updated><category term='SPF'/><category term='fpdns'/><category term='DNSSEC'/><category term='why writing a blog'/><category term='begin'/><category term='DNS'/><category term='survey'/><category term='general'/><category term='open resolver'/><category term='editorial'/><title type='text'>Thoughts of a g(r)εεk</title><subtitle type='html'></subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://kryparos.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5619903772322133597/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://kryparos.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><author><name>Giorgos</name><uri>http://www.blogger.com/profile/03928279546020436404</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://creep09.googlepages.com/me1.jpg'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>2</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-5619903772322133597.post-6172078727863109588</id><published>2008-01-17T21:14:00.000+01:00</published><updated>2008-01-18T00:44:45.062+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='open resolver'/><category 
scheme='http://www.blogger.com/atom/ns#' term='DNSSEC'/><category scheme='http://www.blogger.com/atom/ns#' term='DNS'/><category scheme='http://www.blogger.com/atom/ns#' term='fpdns'/><category scheme='http://www.blogger.com/atom/ns#' term='SPF'/><category scheme='http://www.blogger.com/atom/ns#' term='survey'/><title type='text'>Security awareness rising? A DNS case study.</title><content type='html'>A couple of weeks ago I came across a &lt;a href="http://dns.measurement-factory.com/surveys/200710.html"&gt;survey&lt;/a&gt; which reveals some very interesting facts about the installed DNS servers around the world.&lt;br /&gt;&lt;br /&gt;The survey was performed on &lt;span&gt;almost &lt;/span&gt;&lt;span style="font-weight: bold;"&gt;90 million IP addresses &lt;/span&gt;(out of the &lt;span style="font-weight: bold;"&gt;1.8 billion registered &lt;/span&gt;ones) in order to see what portion of them are DNS servers and to investigate the characteristics of the DNS server machines found (what software is installed on them and how it is configured). 0.67% of the queries sent received DNS-specific replies, which leads to the conclusion that there are around &lt;span style="font-weight: bold;"&gt;11 million DNS servers &lt;/span&gt;in the world. So what do they "wear"? To find out, the researchers relied on &lt;a href="http://www.rfc.se/fpdns/"&gt;fpdns&lt;/a&gt;, a proof-of-concept tool which can fingerprint over 50 different types of DNS software.&lt;br /&gt;&lt;br /&gt;An impressive 70% of them use the &lt;a href="http://www.isc.org/index.pl?/sw/bind/index.php"&gt;BIND&lt;/a&gt; open source server. 65% in total run BIND version 9, which is a significant improvement in terms of security compared to its predecessors. That can definitely be seen as a step forward (taking into consideration the numerous security vulnerabilities that version 8 or earlier had in the past). 
Moreover, one of the impressive facts is that Microsoft DNS servers (both versions 2000 and 2003) hold only a bit more than 2.5% of the "market". That is indeed significantly low! Even though the software has not shown major security flaws in the past, it is still not trusted by companies and organizations who wish to implement the specific service. Can this be explained by the long-standing bad reputation of Microsoft's products in terms of security?!&lt;br /&gt;&lt;br /&gt;Good news up to this point. So, where is the catch?!&lt;br /&gt;&lt;br /&gt;For a start, &lt;span style="font-weight: bold;"&gt;16 million machines &lt;/span&gt;were found to be acting as &lt;span style="font-weight: bold;"&gt;open resolvers &lt;/span&gt;(more than the DNS servers in total ?!?!?!?!). The explanation given for this strange number was that sometimes you may not even get a reply from an existing name server (making it "invisible" and thus not counted in the first figure of 11 million DNS servers), but it can still forward the DNS request (which means that there is some sort of mechanism/software handling that request)! But why are open resolvers a problem?&lt;br /&gt;&lt;br /&gt;According to a &lt;a href="http://condor.depaul.edu/%7Ejkristof/slides/msw2-dnsprobing.pdf"&gt;presentation&lt;/a&gt; by John Kristoff, the security implications of the use of an open resolver can be:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Reflection attacks through spoofing&lt;/li&gt;&lt;li&gt;Small queries can solicit large answers for amplification attacks&lt;/li&gt;&lt;li&gt;Cache enumeration and spying enabled&lt;/li&gt;&lt;li&gt;Remote cache poisoning difficulty is reduced&lt;/li&gt;&lt;li&gt;Resolver and network resource theft&lt;/li&gt;&lt;/ul&gt;Another interesting approach is given in this &lt;a href="http://www.techiwarehouse.com/cms/engine.php?page_id=163e0b14"&gt;article&lt;/a&gt;: &lt;blockquote&gt;"&lt;span style="font-style: italic;"&gt;... 
Web sites that you never tried to reach could send a message looking like a response and it would be stored in the cache. This is a security hole that might allow unauthorized DNS servers to send invalid information for the purpose of misdirecting subsequent DNS queries.&lt;/span&gt;"&lt;/blockquote&gt;&lt;br /&gt;OK, open resolvers are bad. But there is more out there. And a good solution to some of the security problems of DNS is &lt;a href="http://www.dnssec.net/"&gt;DNSSEC&lt;/a&gt;. As mentioned on its web site:&lt;br /&gt;&lt;blockquote&gt;"... &lt;span style="font-style: italic;"&gt;DNSSEC was designed to protect the Internet from certain attacks, such as DNS cache poisoning. It is a set of extensions to DNS, which provide: a) origin authentication of DNS data, b) data integrity, and c) authenticated denial of existence.&lt;/span&gt;" &lt;/blockquote&gt;But how many use these features? As it seems, only 0.0018% of the DNS servers!!!! That is more than disappointing. How hard can it be to install and configure it? Well, according to my personal experience, not so much. If university students can complete an assignment on that topic in a limited time frame during a course of a &lt;a href="http://www.dsv.su.se/en/masters/icss/"&gt;Master's program&lt;/a&gt; at &lt;a href="http://www.kth.se/"&gt;KTH&lt;/a&gt;, then I guess a more experienced Unix admin can do it equally fast (and probably/hopefully better).&lt;br /&gt;&lt;br /&gt;Another security issue which is closely related to the DNS protocol is the ever growing problem of spam. &lt;a href="http://en.wikipedia.org/wiki/Sender_Policy_Framework"&gt;SPF&lt;/a&gt; is a good (but not sufficient on its own) solution for dealing with the problem. 
In a few words, what SPF does is check the &lt;span&gt;"&lt;/span&gt;&lt;span style="font-style: italic;"&gt;From&lt;/span&gt;&lt;span&gt;"&lt;/span&gt;&lt;span style="font-style: italic;"&gt; &lt;/span&gt;field of an e-mail and, if the e-mail comes from a forged DNS record, reject it (through a TXT record format entry in the configuration file of the server). Fast and easy, right? Well, how many DNS servers implement it? Only 16% of them. Things get even worse if we consider those servers which implement the new type of SPF records (an RR record in the configuration file): 0.0022%!!!&lt;br /&gt;&lt;br /&gt;Having said all that, we must ask ourselves the following. Updating the software (BIND 9 over earlier versions) and choosing more secure products (the open source vs proprietary software debate) can lead to improvement. But should we rely on that? There are more ways that security can be improved by taking simple (sometimes not even technologically advanced) measures. So, why don't we? Are we security aware enough after all? 
More than 99% of the DNS servers out there "shout" in despair.</content><link rel='replies' type='application/atom+xml' href='http://kryparos.blogspot.com/feeds/6172078727863109588/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5619903772322133597&amp;postID=6172078727863109588' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5619903772322133597/posts/default/6172078727863109588'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5619903772322133597/posts/default/6172078727863109588'/><link rel='alternate' type='text/html' href='http://kryparos.blogspot.com/2008/01/security-awareness-rising-dns-case.html' title='Security awareness rising? 
A DNS case study.'/><author><name>Giorgos</name><uri>http://www.blogger.com/profile/03928279546020436404</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://creep09.googlepages.com/me1.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5619903772322133597.post-6196913187212708327</id><published>2007-11-11T18:25:00.000+01:00</published><updated>2007-11-11T19:05:16.284+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='begin'/><category scheme='http://www.blogger.com/atom/ns#' term='editorial'/><category scheme='http://www.blogger.com/atom/ns#' term='general'/><category scheme='http://www.blogger.com/atom/ns#' term='why writing a blog'/><title type='text'>Editorial</title><content type='html'>&lt;span style="font-size:85%;"&gt;I've been fighting the idea of blogs for many years now (as well as many of the other features of the Web2.0 universe). Well, you can say that I am the type of person that wants to keep things simple. Normal static web pages, no flashy stuff and a console with Vim editing your code is all that you should need to let people know about your electronic existence.&lt;br /&gt;&lt;br /&gt;What I realized though is that you cannot be an evangelist of something, if you haven't seen the alternative. Just like you cannot blame Linux if you haven't actually used it, I assume that's how it should be with blogging. "&lt;span style="font-style: italic;"&gt;Try it out by yourself and if it doesn't work for you or if it simply sucks (as you think even now), then just drop it and go do something else. But first give it a try&lt;/span&gt;", I kept saying to myself for some months now.&lt;br /&gt;&lt;br /&gt;So, here I am writing my first post!&lt;br /&gt;&lt;br /&gt;My intention is not to create a diary. 
I hate it when people write about the time they took their dog for a walk and it was then that they saw this cool new advertisement of condoms on the road! I don't intend to put out my everyday thoughts and activities. I don't want to write about religion, politics or women (even though all three topics can be extremely interesting to talk for hours about). At least that's my initial intention. We'll see how that will work.&lt;br /&gt;&lt;br /&gt;I will try to focus on geeky stuff. Stuff about computers (these tricky machines of the devil) or technology in general. Stuff that I come upon every once in a while and I would not like to forget (for those of you who don't know me, my memory is something more than just ridiculously lousy). Stuff that intrigues me into searching more about it and at the same time letting others know. But mostly, things that concern a certain part of IT that I particularly enjoy working and talking about ... IT Security.&lt;br /&gt;&lt;br /&gt;So, let the game begin ...&lt;br /&gt;&lt;/span&gt;</content><link rel='replies' type='application/atom+xml' href='http://kryparos.blogspot.com/feeds/6196913187212708327/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5619903772322133597&amp;postID=6196913187212708327' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5619903772322133597/posts/default/6196913187212708327'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5619903772322133597/posts/default/6196913187212708327'/><link rel='alternate' type='text/html' href='http://kryparos.blogspot.com/2007/11/editorial.html' 
title='Editorial'/><author><name>Giorgos</name><uri>http://www.blogger.com/profile/03928279546020436404</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://creep09.googlepages.com/me1.jpg'/></author><thr:total>1</thr:total></entry></feed>
