sjb007

More than 10 percent of the Internet's DNS servers are still vulnerable to cache-poisoning attacks, according to a worldwide survey of public-facing Internet nameservers.

That's despite it being several months since the vulnerabilities were disclosed and fixes made available, said DNS expert Cricket Liu, vice president of architecture for Infoblox, which commissioned the annual survey.

"We estimate there's 11.9 million nameservers out there, and over 40 percent allow open recursion, so they accept queries from anyone. Of those, a quarter are not patched. So there's 1.3 million nameservers that are trivially vulnerable," said Liu.

Other DNS servers may well allow recursion, but are not open to everyone, so they were not picked up by the survey, he said.

Liu said the cache-poisoning vulnerability, which is often named after Dan Kaminsky, the security researcher who published details of it in July, is genuine: "Kaminsky was exploited within days of being made public," he said.

Modules targeting the vulnerability have been added to the hacking and penetration testing tool Metasploit, for instance. Ironically, one of the first DNS servers compromised by a cache poisoning attack was one used by Metasploit's author, HD Moore.

For now, the antidote to the cache-poisoning flaw is port randomisation. By sending DNS queries from varying source ports, this makes it harder for an attacker to guess which port to send poisoned data to.
However, this is only a partial fix, Liu warned. "Port randomisation mitigates the problem but it doesn't make an attack impossible," he said. "It is really just a stopgap on the way to cryptographic checking, which is what the DNSSEC security extensions do.

Full article here - http://www.techworld.com/news/index....&NewsID=106883