Network Computing is part of the Informa Tech Division of Informa PLC

Measuring DNS: Measurement Factory's Fifth Annual Survey

DNS is the service no one thinks about but everyone uses. It's possibly the largest federated, distributed database known to man, yet its operation is relatively simple and straightforward. The Measurement Factory's fifth annual DNS survey results, underwritten by Infoblox, indicate some interesting statistics on the state of DNS. The number of DNS servers on the Internet is up 40 percent in two years. That's a huge increase in DNS servers, and the more DNS servers in the world, the more opportunity for abuse by cretins bent on launching denial of service (DoS) attacks.

The Measurement Factory attributes the rapid rise in DNS servers to the rise in broadband connections, which has increased the number of consumer-grade broadband routers that run caching DNS servers. The caching DNS server lessens the load on the ISP's network and actually improves name resolution for home users. In fact, it's not uncommon for broadband routers to offer name resolution for internal hosts and caching service to external hosts as well.

The downside is that along with the rise in the number of new DNS servers, there is a corresponding increase (as much as 27.5 percent, to 79.6 percent) in the number of open recursive DNS servers as well. While open recursive name servers aren't a problem per se, they can amplify a DoS. This is because DNS standards don't restrict the size of a DNS TXT (text) record, and that record type, used for arbitrary text, can be quite large. An attacker would create the large record in a zone they control and then send a DNS request to the recursive name server asking for that record. The recursive name server caches the response for later queries. All the attacker then has to do is send queries forging the victim's IP address as the source. The result is bandwidth starvation.

The report also mentions that the number of DNS servers that allow zone transfers (a method that transfers the data of a zone from one host to another) is down to 16 percent from 31 percent in 2008. Like open recursive servers, zone transfers aren't a bad thing, but they allow someone to learn about your zone and make DoS attacks easier.
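Both of the exposures above, recursion offered to outside clients (with the repeated large-record queries that signal amplification abuse) and zone transfers served to outside clients, show up in a resolver's query log. The following is an added example, not part of the survey or this article, that scans constructed log lines in a simplified BIND 9 query-log layout (the real format carries extra fields) and assumes 10.0.0.0/8 is the operator's own network; the burst threshold and sample addresses are invented for the illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in a simplified BIND 9 query-log layout (assumption:
# real logs carry extra fields such as the client pointer and flag suffixes).
SAMPLE_LOG = """\
client 10.0.0.5#53000: query: www.example.com IN A + (10.0.0.1)
client 198.51.100.7#1024: query: big.attacker-zone.example IN TXT + (10.0.0.1)
client 198.51.100.7#1024: query: big.attacker-zone.example IN TXT + (10.0.0.1)
client 198.51.100.7#1024: query: big.attacker-zone.example IN TXT + (10.0.0.1)
client 198.51.100.7#1024: query: big.attacker-zone.example IN TXT + (10.0.0.1)
client 203.0.113.9#4444: query: example.com IN AXFR - (10.0.0.1)
client 10.0.0.6#53001: query: mail.example.com IN MX + (10.0.0.1)
"""

LINE_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)"
)
INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]  # assumption: the operator's own network
BURST = 3  # repeated large-record queries from one client before we flag it


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def analyse(log_text):
    """Return the external clients that got recursion, asked for a zone
    transfer, or hammered one TXT/ANY name (the amplification pattern)."""
    findings = {"open_recursion": set(), "zone_transfer": set(), "amplification": set()}
    repeats = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ip, name, qtype, flags = m.group("ip", "name", "qtype", "flags")
        external = not is_internal(ip)
        # A leading '+' in the flags field means the client asked for recursion
        if external and flags.startswith("+"):
            findings["open_recursion"].add(ip)
        if external and qtype == "AXFR":
            findings["zone_transfer"].add(ip)
        if qtype in ("TXT", "ANY"):
            repeats[(ip, name)] += 1
            if repeats[(ip, name)] >= BURST:
                # The source address may be the spoofed victim, so treat it as one
                findings["amplification"].add((ip, name))
    return findings
```

Any hit in the first two sets means the server is answering the outside world with services it should reserve for its own network; the third set is the client address to rate-limit and the name whose response size to inspect.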

The report says that the number of Microsoft DNS servers is at .37 percent and counts this as a positive. The assertion is that Microsoft Windows Servers are particularly vulnerable to attack, which was more true in the past than it is today. Besides, a DNS server with proper firewalls, ones that allow only UDP DNS traffic, and with randomized source port numbers should be fairly resistant to attacks. Let's not forget that ISC's BIND doesn't have the most stellar vulnerability history, either. Of course, this survey considers only DNS servers connected to the Internet. The Microsoft DNS server is very likely heavily deployed internally.