Measuring DNS: Measurement Factory's Fifth Annual Survey

DNS is the service no one thinks about but everyone uses. It's the possibly the largest federated, distributed data base known to man, yet its operation is relatively simple and straight forward. The Measurement Factory's Fifth annual DNS survey results, underwritten by Infoblox, indicates some interesting statistics on the state of DNS. The number of DNS servers on the Internet is up 40 percent in two years. That's a huge increase in DNS servers, and the more DNS servers in the world, the more opportunity for abuse by cretins bent on launching denial of service attacks (DoS).

The Measurement Factory attributes the rapid rise in DNS servers to the rise in broadband connections, increasing the number of consumer grade broadband routers that run caching DNS servers. The caching DNS server lessens the load on the ISP network and actually improves name resolution for home users. In fact, it's not uncommon for the broadband routers to offer DNS resolution for internal hosts and caching services from external hosts.

The downside is that along with the rise in the number of new DNS servers, there is a corresponding increase -- as much as 27.5 percent to 79.6 percent -- in the number of open recursive DNS servers, as well. While open recursive name servers aren't a problem per se, the open recursive servers can amplify a DoS. This is because DNS standards don't restrict the size of a DNS TXT (text) record, and the record type that is used for arbitrary text can be quite large. An attacker would create the large record in a zone they control and then send a DNS request to the recursive name server asking for that record. The recursive name server caches the response for later queries. All the attacker has to do is send query forging the victim IP address as the source.  The result is bandwidth starvation.  

The report also mentions that the number of DNS servers that allow zone transfers--a method that transfers the data of a zone from one host to another--is down  to 16 percent from 31 percent in 2008. Like open recursive servers, zone transfers aren't a bad thing, but they allow someone to learn about your zone and make DoS attacks easier.

The report says that the number of Microsoft DNS servers is to .37 percent and is positive. The assertion being that Microsoft Windows Servers are particularly vulnerable to attack, which was more true in the past than today. Besides, a DNS server with proper firewalls, ones that allow only UDP DNS traffic and randomized source port numbers, should be fairly resistant to attacks. Let's not forget that ISC's Bind doesn't have the most stellar vulnerability history, either. Of course, this survey considers DNS servers connected to the Internet. The Microsoft DNS server is very likely heavily deployed internally.DNSSEC is also up 300 percent, which sounds great, until we look at the numbers behind the number. According to the report, the number of signed zones in .com, .net, and .org rose from 45 in 2008 to 167 in 2009. According to Domain Tools' daily statistics page, the  total number of domain names is 103,589,808. The percentage of DNSSEC signed zones is which is 1.61212771 X 10^-6, or, a really tiny number. Unfortunately, the authors of the survey didn't include the two main ccTLD's, Sweden (.se) and Puerto Rico (.pr) about the number of their signed zones. The report did start to track the sizes of the keys and the algorithms used, which will be interesting to track over time.