One in four public-facing domain name system (DNS) servers on the internet
are still vulnerable to the
Kaminsky
flaw, according to the fourth annual survey of DNS servers by network
services vendor
Infoblox.
The flaw allows hackers to sabotage DNS servers and send web users to sites
set up to hack into their systems.
Cricket Liu, architecture vice president at Infoblox, explained that the
survey used the same tests as last year, but added a check on whether servers
had patched against the Kaminsky flaw by performing source port randomisation.
"The number of name servers out there has increased slightly from 11.7 to
11.9 million, and firms are using more secure up-to-date versions of the
Berkeley
Internet Name Daemon package," he said.
The survey also found that companies are still not migrating to IP version 6
(IPv6), the replacement for the current IPv4 addressing protocol.
"IPv6 only increased from 0.27 to 0.44 per cent, although I have seen
estimates for the IPv4 address space running out as early as 2011," warned Liu.
Other areas flagged up by the survey was that unsecure Microsoft DNS server
usage dropped from 2.7 to 0.17 per cent, and support for the anti-spam
Sender
Policy Framework for validating email senders increased from 12.6 to 16.7
per cent.
However, Liu was less enthusiastic about the fact that more than 40 per cent
of name servers allow recursive queries, leaving them vulnerable to DNS cache
poisoning and distributed denial-of-service attacks. Other targets are the 30
per cent of DNS servers that allow zone transfers to arbitrary requestors.
The Infoblox 2008 DNS Survey was performed in conjunction with performance
testing and protocol compliance vendor
The
Measurement Factory.
Do you agree?
Have your say on this article