Security around DNS servers is still a serious issue for network administrators, even though new servers such as BIND 9 are more secure, according to a new survey released this week.
According to the survey, DNS (Domain Name System) infrastructure is modernising and coalescing around the most recent versions of BIND -- a type of DNS server software. However, a problem Infoblox, the company that released the survey, noted, was that over 50 percent of DNS servers still allow recursion and zone transfers, "indicating that the global DNS system is as vulnerable as ever". Recursion can leave DNS systems vulnerable to DNS cache poisoning and amplification attacks that can "bring down major networks", said Infoblox.
The survey, conducted over the past three years, found the DNS system is growing overall, which is an indicator of Internet growth in general.
At the same time, the use of BIND 9 DNS server code is increasing more quickly than other varieties of DNS server code. Infoblox considers BIND 9 more secure than older versions of BIND, as it "has a substantially better security track record ", according to Cricket Liu, Infoblox vice president of architecture.
Meanwhile, Microsoft DNS Server, which Infoblox considers a less secure type of DNS server code, has charted a continual rapid decline for three years. "Microsoft DNS Server's [market] share continued its dramatic decline, from about 4.6 percent to 2.7 percent," wrote Liu. "Perhaps this is because administrators have become warier of exposing the Microsoft DNS Server and Windows operating systems directly to the Internet."
Microsoft DNS Server market share fell from 10 percent in 2005, to 4.6 percent in 2006, then to 2.7 percent in 2007, according to the survey. Infoblox said that its decreased use was a positive step.
The survey was based on a sample that included five percent of the IPv4 address space -- nearly 80 million addresses.
I run two MS DNS name servers. They are firewalled to the maximum possible extent and recursive lookups are blocked. I also have the habit of turning off processes that are not required for the duties a box is there to carry out and this makes the box less prone to other types of attack. I've had no issues with security. Many of the name servers that are subject to possible attack are owned and run by people who don't know what they are doing more than what OS they are using.