Slashdot Mirror


DNS Server Survey Reveals Mixed Security Picture

Kurtz'sKompund writes in with word on the latest annual survey of the state of DNS on the Net. The survey, commissioned by infrastructure appliance vendor Infoblox, found that the use of Windows DNS Server in Internet-facing applications has fallen off dramatically as more users act on concerns about security. BIND 9, the latest version, gained against earlier, less secure versions. But in other dimensions, DNS practices showed little improvement from a security point of view. Hardly anyone is using DNSSEC; and 31% of nameservers allow promiscuous zone transfers, a number little changed from last year. Here's a video of an interview with Infoblox's chief architect Cricket Liu on the state of DNS.


  1. Security? It's quite simple by p0 · · Score: 5, Informative

    1) Put BIND in jail.
    2) Put restrictions on recursive queries.
    3) Lock down box.
    4) Profit.

    --
    This is my sig. There are thousands more, but this one is mine.
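An added example, not part of the original comments or of BIND itself: a Python audit of two constructed `named.conf` fragments for the two issues raised above, unrestricted zone transfers (the summary's 31%) and unrestricted recursion (p0's step 2). It assumes one global `options` block with flat address-match lists and no per-view or per-zone overrides; `audit`, `acl`, `strip_comments` and the sample configs are illustrative names.

```python
import re

# Constructed sample configs (not taken from any real server).
WEAK_CONF = """
options {
    recursion yes;
    allow-recursion { any; };
    // no allow-transfer statement
};
zone "example.com" { type master; file "example.com.zone"; };
"""

HARDENED_CONF = """
options {
    recursion yes;
    allow-recursion { 127.0.0.1; 192.0.2.0/24; };   // internal clients only
    allow-transfer { 192.0.2.53; };                  // the secondary only
};
zone "example.com" { type master; file "example.com.zone"; };
"""

def strip_comments(text):
    """Remove /* */, // and # comments so they cannot hide or fake a statement."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)

def acl(conf, statement):
    """Return the elements of the first `statement { ... };`, or None if absent."""
    m = re.search(r"\b" + re.escape(statement) + r"\s*\{([^}]*)\}", conf)
    return None if m is None else [e.strip() for e in m.group(1).split(";") if e.strip()]

def audit(text):
    conf = strip_comments(text)
    findings = []
    transfer = acl(conf, "allow-transfer")
    if transfer is None:
        # Older BIND 9 releases allow transfers to all hosts when this is unset.
        findings.append("allow-transfer not set: check this BIND version's default")
    elif "any" in transfer:
        findings.append("allow-transfer permits any host")
    recursion_on = not re.search(r"\brecursion\s+no\s*;", conf)
    recursion_acl = acl(conf, "allow-recursion")
    if recursion_on and recursion_acl is not None and "any" in recursion_acl:
        findings.append("allow-recursion permits any host")
    return findings

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(text) or "no findings")
```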
    1. Re:Security? It's quite simple by ArsenneLupin · · Score: 3, Funny

      "1) Put BIND in jail."

      What crime has it committed?
    2. Re:Security? It's quite simple by tttonyyy · · Score: 4, Funny

      "1) Put BIND in jail."
      "What crime has it committed?"

      I called it a name and it went all IPv6 on me.
      --
      biopowered.co.uk - catalytically cracking triglycerides for home automotive use since 2008. Just say no to big oil!
  2. Hypotheses != data by gazbo · · Score: 3, Insightful

    The DATA shows certain changes in nameserver choice.

    The HYPOTHESIS is that this is motivated by security concerns.

    Conflating the two, as the summary does, is frankly retarded and exceptionally bad practice.

  3. DNSSEC is dead, let's move on by hal9000(jr) · · Score: 4, Informative

    Until TLDs start signing zones, DNSSEC won't see the light of day.
    Until registrars figure out how to securely register and manage keys, DNSSEC is DOA.
    Until zone managers start signing zones, DNSSEC won't achieve critical mass.
    Without critical mass, uneven DNSSEC deployment has no value.
    Without stub resolver support, DNSSEC is meaningless.
    Until all the above happen, there is no business case for DNSSEC and TLD owners won't deploy it.

  4. Cricket Liu by cerberusss · · Score: 4, Informative

    Cricket Liu is a real authority. He's one of the authors of DNS and BIND, which is the must-read for anyone administrating a domain server. Just follow the first couple of chapters and you'll have a robust server.

    What I also like about Cricket Liu (and Paul Albitz) is that they explain the domain name system really well in an understandable way.

    --
    8 of 13 people found this answer helpful. Did you?