
DNS Server Survey Reveals Mixed Security Picture

Kurtz'sKompund writes in with word on the latest annual survey of the state of DNS on the Net. The survey, commissioned by infrastructure appliance vendor Infoblox, found that the use of Windows DNS Server in Internet-facing applications has fallen off dramatically as more users act on concerns about security. BIND 9, the latest version, gained against earlier, less secure versions. But in other dimensions, DNS practices showed little improvement from a security point of view. Hardly anyone is using DNSSEC; and 31% of nameservers allow promiscuous zone transfers, a number little changed from last year. Here's a video of an interview with Infoblox's chief architect Cricket Liu on the state of DNS.
  • by Anonymous Coward on Wednesday November 21, 2007 @09:05AM (#21433711)
    Damned videos. I want to *read* the article at my own (faster) pace, not have to listen to some doofus talk about it.
  • by Anonymous Coward on Wednesday November 21, 2007 @10:03AM (#21434141)
    Are there any real-world security differences between a fully-patched Windows DNS server and a fully-patched BIND server? TFA assumes there are, but doesn't provide any examples. Since Windows DNS is a competitor to Infoblox, which runs BIND, you can see why this is the case.
  • How do I know? (Score:3, Interesting)

    by Aladrin ( 926209 ) on Wednesday November 21, 2007 @10:22AM (#21434319)
    How do I know if my provider is using unsafe DNS practices?

    I would like to run some checks against my domain and see if any of this applies to me. Can anyone recommend sites, utilities or linux commands to test it?

    Would have been nice to include this info in the 'article' or even the summary, instead of just saying how un-secure everything is. Again.

    Thanks.
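A practical answer to the question above, added here as an example and not part of the thread, the survey or any vendor's tooling: a small POSIX shell script that uses dig(1) from the BIND tools to test the two things the survey measures, whether each authoritative server for a zone hands out a full zone transfer (AXFR) to anyone who asks, and whether the zone is DNSSEC signed and has a DS record at the parent. The classifier functions take dig output as a string, so they can be exercised offline against the constructed sample output embedded in the script; the hostname example.com in the samples is a placeholder, not a real measurement.

```shell
#!/bin/sh
# Added example, not from the original page: check a zone for open zone
# transfers and for DNSSEC signing with dig(1) from the BIND tools.
#   sh dnscheck.sh example.com   -> live checks against the zone's servers
#   sh dnscheck.sh               -> offline self-test on constructed output

# axfr_open OUTPUT: exit 0 when OUTPUT comes from an AXFR the server
# actually answered. dig prints ";; XFR size: N records" only after a
# completed transfer; a refusal prints "; Transfer failed." and a timeout
# prints neither, so both count as "not open".
axfr_open() {
    printf '%s\n' "$1" | grep -q '^;; XFR size:'
}

# dnssec_signed OUTPUT: exit 0 when OUTPUT (from "dig +dnssec DNSKEY zone")
# carries an RRSIG over the DNSKEY RRset, i.e. the zone is signed. A
# signature alone is not a chain of trust; the DS at the parent is checked
# separately in check_zone.
dnssec_signed() {
    printf '%s\n' "$1" | grep -q 'IN[[:space:]][[:space:]]*RRSIG[[:space:]][[:space:]]*DNSKEY'
}

# check_zone ZONE: live checks against every authoritative server. AXFR is
# asked of the authoritative servers directly, never of a recursive
# resolver, which would refuse it regardless of the zone's configuration.
check_zone() {
    zone="$1"
    for ns in $(dig +short NS "$zone"); do
        out=$(dig @"$ns" "$zone" axfr +time=5 +tries=1 2>&1 || true)
        if axfr_open "$out"; then
            echo "$ns: OPEN zone transfer for $zone (restrict allow-transfer)"
        else
            echo "$ns: zone transfer refused for $zone"
        fi
    done

    out=$(dig +dnssec DNSKEY "$zone" 2>&1 || true)
    if dnssec_signed "$out"; then
        echo "$zone: DNSKEY RRset is signed"
        if [ -n "$(dig +short DS "$zone")" ]; then
            echo "$zone: DS present at parent, validators can build a chain of trust"
        else
            echo "$zone: no DS at parent, validators cannot use the signatures"
        fi
    else
        echo "$zone: not DNSSEC signed"
    fi
}

# Constructed dig output (not captured from any real server) so that the
# classifiers can be exercised without network access.
SAMPLE_AXFR_OPEN=';; XFR size: 3 records (messages 1, bytes 120)'
SAMPLE_AXFR_REFUSED='; Transfer failed.'
SAMPLE_SIGNED='example.com. 3600 IN DNSKEY 257 3 13 AwEAAa==
example.com. 3600 IN RRSIG DNSKEY 13 2 3600 20071201000000 20071101000000 12345 example.com. sig=='
SAMPLE_UNSIGNED='example.com. 3600 IN DNSKEY 257 3 13 AwEAAa=='

# selftest: exit 0 only if every classifier gives the expected verdict.
selftest() {
    axfr_open "$SAMPLE_AXFR_OPEN"       || return 1
    axfr_open "$SAMPLE_AXFR_REFUSED"    && return 1
    dnssec_signed "$SAMPLE_SIGNED"      || return 1
    dnssec_signed "$SAMPLE_UNSIGNED"    && return 1
    echo "selftest: classifiers behave as expected"
}

if [ -n "$1" ]; then
    command -v dig >/dev/null 2>&1 || { echo "dig not found" >&2; exit 2; }
    check_zone "$1"
else
    selftest
fi
```

If a server reports an open transfer, the fix on BIND is an `allow-transfer { ...; };` statement in named.conf listing only the secondaries (the default allows transfers to anyone); on Windows DNS Server the equivalent is the Zone Transfers tab of the zone's properties. A refused transfer from one server says nothing about the others, which is why the script walks every NS record rather than stopping at the first.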
  • by Bert64 ( 520050 ) on Wednesday November 21, 2007 @10:59AM (#21434731)
    True, and Bind has had many more vulnerabilities. But going purely on vulnerabilities, we should probably all be running djbdns.

    But what is also important to consider is what requirements a given dns server has and assuming that there will be vulnerabilities in the dns implementation, what you can do to mitigate it.

    Windows DNS requires RPC (which was the cause of the vulnerability as you point out) and requires many other default windows components, many of which are difficult/impossible to remove and have no valid reason to be on a dns server. Bind by contrast has very few other requirements, and is often found on small embedded systems.

    Windows DNS only runs on windows, of which there are a relatively small number of versions (for purposes of calculating offsets when exploiting buffer overflows and the like) current versions run on only 3 (x86, x86-64, itanium) hardware platforms. Bind runs on virtually any OS, and subsequently on many different types of hardware too.

    Windows DNS usually runs as SYSTEM (can it run as any other user?), Bind can be run inside of a chroot and usually runs as an unprivileged user, and this is the default on some systems.
  • by Steve Crocker ( 1192477 ) on Wednesday November 21, 2007 @03:06PM (#21438449)
    I wouldn't choose quite the same language, but I think the specifics are on target. We do indeed need to get the TLDs signed, we do indeed need to have registrars accept keys from registrants -- see below for a bit more -- and we do indeed need for stub (or recursive) resolvers to ask for signed responses and make use of them. Here are a few details that suggest the picture is not so bleak.

    1. A few TLDs are signed and more are coming. When the NSEC3 RFC is published, more TLDs will sign their zones.

    2. We are beginning to work with registrars. In addition to providing a path for enterprises to convey their keys (or fingerprints), there will also have to be support for those registrants who do not manage their own zones. That is, for the many, many registrants who depend on the registrar to manage their zones, the registrars will also have to provide DNSSEC service. I expect to see successful worked examples in six months, give or take.

    3. There is work underway to have DNSSEC implemented in the major end user systems.

    Steve Crocker
    Co-chair, DNSSEC Deployment Working Group
  • by dave562 ( 969951 ) on Wednesday November 21, 2007 @04:33PM (#21439629)
    The Windows admins I've encountered are hopeless when it comes to DNS (blaming every strange issue they encounter on DNS, for example). Best current practice over here is to never have Active Directory and public DNS interact. The Windows types can break Active Directory all they want, and the real DNS service is managed by people with a clue.

    This is a very true statement. As a Windows admin who is pretty much clueless when it comes to DNS, I would never try to host internet-facing DNS with Windows DNS. What I do is set up all of the AD domains with .local and use forwarders that point to real DNS servers to resolve anything that isn't on the local network. Like everything else Microsoft related, the MS version of the technology is there to let the MS boxes talk to each other. When you want your boxes to go play in the real world, it is best to hand that responsibility over to something running *nix.
