DNS risks lurk in corporate networks

One out of every four of the top 1,000 companies in the U.S. has a security flaw in its network infrastructure that could cut off all of its global e-mail and Web-based traffic, according to a survey to be published this month.

While the flaws are not yet cause for widespread panic, they are lying dormant in many organizations, and network executives should correct them as insurance against a major catastrophe, warn experts at organizations such as the National Infrastructure Protection Center, an affiliate of the U.S. Federal Bureau of Investigation.

The problems are rooted in DNS, the global distributed database that matches Web site names to numerical IP addresses. DNS, which governs routing of all traffic on the Internet, contains billions of records, answers billions of queries and accepts millions of updates from millions of users on an average day.

DNS is a hierarchy of servers, including 13 master "root" servers. On the lower end of the hierarchy, every organization that has a domain name depends on the reliability of its own DNS name servers to maintain an Internet presence.

According to a survey conducted in June by DNS consulting and software company Men & Mice, 27 percent of Fortune 1000 companies have DNS configurations that put all their name servers on the same subnet - an independent segment of a larger network - which creates a single point of failure.

"When [corporate] name servers become unavailable the consequences can become disastrous," says Sigurdur Ragnarsson, CTO of Men & Mice. "A user typing in your domain name does not automatically get the corresponding IP number for the host computer. An e-mail will fail to find a mail server willing to accept the e-mail and it will bounce back to the sender. In other words, for all practical purposes your company has vanished from the face of the Internet."

Another aspect of the DNS problem is that the global database is attracting the interest of hackers.

"We see scanning all the time on DNS and other security points so we treat DNS security seriously," says Nhan Vo, network director of the Duke University Health System in Durham, N.C.

"The router, switches and DNS are the most critical infrastructure components on our network," Vo says, adding that he is comfortable with his DNS configuration that incorporates redundancy and failover.

But Vo's diligence is not the case everywhere. In January 2001, Microsoft Corp. was offline for nearly two days because its DNS configuration was on a single subnet, a fact that was first exposed by a router problem and then exploited by hackers launching denial-of-service (DoS) attacks to further embarrass Microsoft.

Ragnarsson says that while DNS is not complex, it plays a more vital role in networks than the amount of time corporations dedicate to its upkeep would indicate.

Men & Mice finds a consistent percentage of corporate name servers that contain configuration errors or buggy DNS software, leaving companies vulnerable to loss of DNS service, DoS attacks and outright hijacking of name servers.

While attacks on DNS are not an everyday occurrence, SANS Institute's Dshield.org Web site, which collects reports of cracking attempts from all over the Internet, received reports of nearly 135,000 scans of DNS servers during the week of June 17.

Many experts say the foundations of the Internet infrastructure, such as DNS, are starting to interest hackers who are getting bored with exploiting Web servers or e-mail software.

"With regards to security vulnerabilities, the black hats are exhausting the easy attacks and as time goes on, we will see larger numbers of attacks on more complex infrastructure like DNS," says David Conrad, CTO of Nominum, a DNS service provider.

"DNS attacks are something we'll see more and more of because even a couple of hours of downtime can have a serious impact on a company," says David Ellis, senior technical analyst for Carlson Shared Services, a travel, hospitality and marketing firm.

Network executives who want to protect themselves should check their DNS configurations and the versions of DNS software they run, Conrad says.

"How concerned companies are about DNS issues depends on how big the company is and for how long it is willing to be down - an hour, a day," says Martin Lindner, team leader for incident handling for CERT.

Lindner says every company should have a set of best practices it follows.

As the Microsoft debacle showed, name servers should not all be on the same subnet, nor should they all sit behind a single router or on a single leased line. Servers should be spread out over a geographic area, preferably not in the same neighborhood or city, so that a line cut or another accident or disaster that knocks out significant portions of a metropolitan area does not take down every name server at once.
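A defender's check for the single-subnet problem described above, written here as an added example (it is not from the article or from Men & Mice's survey tooling). The name-server-to-address data is constructed, standing in for the addresses you would get by looking up each NS record of your own domain; the /24 boundary and the two-server minimum are the script's own assumed policy.

```python
"""Flag DNS name server layouts that form a single point of failure.

Added example, not from the article: the NS-to-address mappings are
constructed sample data standing in for "look up NS records, then look
up each server's address" against a real domain.
"""
import ipaddress
from collections import defaultdict

# Constructed sample: every server lives in 192.0.2.0/24 (the bad case).
SAME_SUBNET = {
    "ns1.example.com": ["192.0.2.10"],
    "ns2.example.com": ["192.0.2.11"],
    "ns3.example.com": ["192.0.2.12"],
}

# Constructed sample: servers spread over three unrelated networks.
DIVERSE = {
    "ns1.example.com": ["192.0.2.10"],
    "ns2.example.net": ["198.51.100.7"],
    "ns3.example.org": ["203.0.113.42", "203.0.113.43"],
}


def subnet_report(nameservers, prefix=24, prefix6=48, min_servers=2):
    """Group name server addresses by network and report weak layouts.

    prefix/prefix6 are the assumed IPv4/IPv6 boundaries for "same subnet";
    min_servers is the assumed minimum number of name servers. Returns the
    distinct networks with their servers plus a list of findings (empty
    when the layout looks healthy). Note: shared routers or leased lines,
    which the article also warns about, cannot be detected from addresses.
    """
    groups = defaultdict(set)
    for name, addrs in nameservers.items():
        for addr in addrs:
            ip = ipaddress.ip_address(addr)
            plen = prefix if ip.version == 4 else prefix6
            net = ipaddress.ip_network(f"{ip}/{plen}", strict=False)
            groups[str(net)].add(name)
    findings = []
    if len(nameservers) < min_servers:
        findings.append(f"only {len(nameservers)} name server(s); need {min_servers}")
    if len(groups) == 1:
        findings.append(f"all name servers sit in {next(iter(groups))}: single point of failure")
    return {"networks": {k: sorted(v) for k, v in groups.items()}, "findings": findings}


if __name__ == "__main__":
    for label, data in (("same subnet", SAME_SUBNET), ("diverse", DIVERSE)):
        print(label, subnet_report(data))
```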

Users also should run the latest DNS software or known stable versions of DNS software, a simple precaution many ignore, according to Men & Mice. The majority of name servers on the Internet run Berkeley Internet Name Domain (BIND). The stable versions are 8.2.5 and 9.2.1. Earlier this month, CERT issued a warning that BIND 9 contained a vulnerability that could let a hacker shut down a name server and advised users to upgrade to 9.2.1, which was released in May.

There are DNS software alternatives. VeriSign has its own, called Atlas, and Microsoft developed DNS software as part of Windows 2000. There is also a free DNS server called djbdns.

Running stable software also guards against attacks that insert false information into name servers, so-called cache poisoning and spoofing, which can redirect users to rogue Web sites. Protection against cache poisoning was added to Version 8.12 of BIND, but it is still an issue with Microsoft's DNS server.

Users should also check the delegations in their name servers, so that requests they cannot answer are handed off to name servers that do have the answer. So-called lame delegations, where a server listed as authoritative for a zone does not actually serve it, can open users to cache poisoning.

The issue of DNS security is getting attention from the creator of the protocol. The Internet Engineering Task Force (IETF) has been working since 1996 on DNS Security Extensions (DNSSEC), a set of extensions that secure the protocol with public-key cryptography. DNSSEC, however, has not found much acceptance. The first implementation was introduced with BIND 9.

Two weeks ago, the Internet Software Consortium, which distributes BIND free of charge, said the next version, 9.3, would include a technology called Delegation Signer, which makes it possible to scale DNSSEC. Nominum and VeriSign also have proposed a DNS modification called Opt-In that would let DNSSEC be deployed incrementally rather than all at once.

Security also has caught the eye of the Internet Corporation for Assigned Names and Numbers, which manages Internet addresses, among other things. Last month, it established the Security and Stability Advisory Committee to look into securing the DNS and the IP address allocation system.
