DNS Server Survey Reveals Mixed Security Picture

← Back to Stories (view on slashdot.org)

DNS Server Survey Reveals Mixed Security Picture

Posted by kdawson on Wednesday November 21, 2007 @12:57AM from the buddy-can-you-spare-a-zone dept.

Kurtz'sKompund writes in with word on the latest annual survey of the state of DNS on the Net. The survey, commissioned by infrastructure appliance vendor Infoblox, found that the use of Windows DNS Server in Internet-facing applications has fallen off dramatically as more users act on concerns about security. BIND 9, the latest version, gained against earlier, less secure versions. But in other dimensions, DNS practices showed little improvement from a security point of view. Hardly anyone is using DNSSEC; and 31% of nameservers allow promiscuous zone transfers, a number little changed from last year. Here's a video of an interview with Infoblox's chief architect Cricket Liu on the state of DNS.

4 of 109 comments (clear)

Min score:

Reason:

Sort:

Hypotheses != data by gazbo · 2007-11-21 01:05 · Score: 3, Insightful

The DATA shows certain changes in nameserver choice.
The HYPOTHESIS is that this is motivated by security concerns.
Conflating the two, as the summary does, is frankly retarded and exceptionally bad practice.
Re:Promiscuous zone transfers - just say no by AVee · 2007-11-21 02:00 · Score: 2, Insightful

Yeah, one of those lovely best practices. Prohibit promiscuous zone transfers, because no-one will ever guess you name your webservers www1 to www8 and your database servers db1 to db6. And because it is really hard to add or substract 1 from an ip addres. Unless you are generating random hostnames and using random IPv6 adresses it is pretty naive to think prohibiting zone transfers will help you security.

And whatever else there is to say about it, it's still nothing but security by obscurity. Most burglars don't know where I live, do you really believe that significantly lowers the risk someone breaks into my house?
Re:Promiscuous zone transfers - just say no by MadMidnightBomber · 2007-11-21 06:06 · Score: 2, Insightful

You're right, in that you should ideally use distinct public and private views. If a machine is internal-only, it doesn't go in the public view of DNS.

I say disable it, because a) Cricket Liu says so, and he knows what he's talking about, and b) because it's one of the first things I do when I'm performing a pen-test. There's often a heap of useful (to an attacker) info in there, that can be turned off with two minutes of your time as an admin.

--
"It doesn't cost enough, and it makes too much sense."
Re:Promiscuous zone transfers - just say no by rk · 2007-11-21 07:16 · Score: 2, Insightful

And whatever else there is to say about it, it's still nothing but security by obscurity. Most burglars don't know where I live, do you really believe that significantly lowers the risk someone breaks into my house?
Allowing promiscuous zone transfers is more akin to posting the layout of your house on your front door, possibly including which picture the safe is behind. You're right that it doesn't really reduce or increase your chances of being victimized, but if you get chosen by the bad guys, why hand them a map? There's nothing wrong with security through obscurity, as long as its not your only means of defense. In any case, it's not like it's terribly difficult to secure BIND to allow transfers to authorized clients only:

acl "xfer-allowed" { ipaddr1; ipaddr2; . . }; options { . . . allow-transfer { "xfer-allowed";}; };

And you're done. What's so objectionable about that?