One in four public DNS servers insecure

The Kaminsky flaw allows hackers to sabotage DNS servers

One in four public-facing domain name system (DNS) servers on the internet are still vulnerable to the Kaminsky flaw, according to the fourth annual survey of DNS servers by network services vendor Infoblox.

The flaw allows hackers to sabotage DNS servers and send web users to sites set up to hack into their systems.

Cricket Liu, architecture vice president at Infoblox, explained that the survey used the same tests as last year, but added a check on whether servers had patched against the Kaminsky flaw by performing source port randomisation.

"The number of name servers out there has increased slightly from 11.7 to 11.9 million, and firms are using more secure up-to-date versions of the Berkeley Internet Name Daemon package," he said.

The survey also found that companies are still not migrating to IP version 6 (IPv6), the replacement for the current IPv4 addressing protocol.

"IPv6 only increased from 0.27 to 0.44 per cent, although I have seen estimates for the IPv4 address space running out as early as 2011," warned Liu.

Other areas flagged up by the survey was that unsecure Microsoft DNS server usage dropped from 2.7 to 0.17 per cent, and support for the anti-spam Sender Policy Framework for validating email senders increased from 12.6 to 16.7 per cent.

However, Liu was less enthusiastic about the fact that more than 40 per cent of name servers allow recursive queries, leaving them vulnerable to DNS cache poisoning and distributed denial-of-service attacks. Other targets are the 30 per cent of DNS servers that allow zone transfers to arbitrary requestors.

The Infoblox 2008 DNS Survey was performed in conjunction with performance testing and protocol compliance vendor The Measurement Factory.