Four-fifths of DNS servers open to DoS and Pharming attacks

Over 80 percent of public DNS servers around the world are open to pharming and DoS attacks, according to a new study.

The research by internet testing company The Measurement Factory, on behalf of network company Infoblox, found that 84 percent of authoritative DNS servers connected to the internet allowed recursive name services to arbitrary queries.

Best practices in the industry dictate that recursive name services - a form of name resolution that requires a name server to relay requests to other name servers - should only be enabled on a DNS server for a restricted list of known, trusted requesters. Providing recursion to arbitrary IP addresses on the internet exposes a name server to both cache poisoning and denial of service attacks.

Cache poisoning or "pharming" allows a hacker to redirect traffic away from a real website to a fake one set up by the hacker. From there the hacker then steals a user's account information.

"Given what enterprises are risking - the availability of all of their network services - these results are frightening, especially since there are easy ways to address these issues," said Cricket Liu, vice president of architecture at Infoblox.

The survey of 1.3 million DNS servers worldwide also found that over 40 percent of DNS servers provided zone transfers to arbitrary queries. Like recursive name services, zone transfers, which copy an entire segment of an organization's DNS data from one DNS server to another, should only be allowed for a designated list of trusted, authorized hosts, such as secondary name servers. Offering zone transfers to any requester exposes a name server to denial of service attacks.

According to Liu, there are several simple steps and deployment best practices that enterprises can take to protect against these vulnerabilities and others:

  • If possible, split external name servers into authoritative name servers and forwarders.
  • On external authoritative name servers, disable recursion. On forwarders, allow only queries from your internal address space.
  • If you can't split your authoritative name servers and forwarders, restrict recursion as much as possible. Only allow recursive queries if they come from your internal address space.
  • Make sure you run the latest version of your domain name server software.
  • Filter traffic to and from your external name servers. Using either firewall- or router-based filters, ensure that only authorized traffic is allowed between your name servers and the internet.
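The split recommended above, written out as BIND 9 named.conf fragments. This is an added example, not configuration from the article or from Infoblox; the zone name, the address ranges and the secondary and upstream server addresses are placeholders drawn from the RFC 5737 documentation ranges and private space.

```conf
// --- Weak setup the survey describes: one external server that recurses and transfers for anyone ---
options {
    recursion yes;              // recursive lookups for any IP on the internet (cache poisoning, DoS)
    allow-transfer { any; };    // whole zone handed to any requester (DoS)
};

// --- Hardened file 1: external authoritative name server ---
acl "secondaries" { 198.51.100.53; };       // placeholder: the organization's secondary name server

options {
    directory "/var/named";
    recursion no;                           // authoritative only: never recurse for anyone
    allow-query { any; };                   // the public must still be able to resolve our names
    allow-recursion { none; };              // belt and braces alongside "recursion no"
    allow-transfer { secondaries; };        // zone transfers only to the listed secondaries
};

zone "example.com" {                        // placeholder zone
    type master;
    file "example.com.zone";
    allow-transfer { secondaries; };        // the same restriction can be set per zone
};

// --- Hardened file 2: forwarder (caching resolver) for internal clients only ---
acl "internal" { 10.0.0.0/8; 192.168.0.0/16; };   // placeholder: the internal address space

options {
    directory "/var/named";
    recursion yes;                          // this box exists to recurse, but only for us
    allow-query { internal; };              // outside addresses get no answer at all
    allow-recursion { internal; };          // and recursion is limited to the same list
    allow-transfer { none; };               // a forwarder holds no zones worth transferring
    forwarders { 203.0.113.53; };           // placeholder upstream resolver
    forward only;
};

// If the two roles cannot be split, keep "recursion yes" on the authoritative server but set
// "allow-recursion { internal; };" there, which is the fallback the list above describes.
```

Run `named-checkconf` on each file before reloading; the ACLs only take effect if the configuration parses.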
