The Trouble With BIND DNS Servers

Maybe it’s too much of a good thing, or just not enough knowledge. A new survey by DNS services vendor Infoblox has found that the vast majority of DNS servers today are using open source BIND DNS software.

Infoblox also found that a major portion of those servers are running with BIND misconfigured in such a way as to more easily enable DNS to be attacked.

According to Infoblox’s study, Microsoft’s DNS server software is losing market share. “We saw BIND [version] 9 go up to 65 percent from 61 percent; that is a result we hoped for,” Cricket Liu, author of “DNS and BIND Cookbook” and a vice president at Infoblox, told InternetNews.com. “But then we saw that the Microsoft DNS server usage fell in half and we didn’t expect that.”

BIND 9.x is the next iteration of BIND, which replaces the now legacy 8.x series. Infoblox found that BIND 8.x usage is on the decline at 5.6 percent this year down from 14 percent in 2006.

Microsoft’s DNS server usage declined to 2.7 percent of the DNS server marketplace, which is just over half the 5 percent market usage figure that Infoblox recorded for 2006.

BIND may rule the DNS roost, according to the study, it has its share of issues as well.

The Infoblox study revealed that more than half of all DNS servers allow for recursive queries. The reason why recursive queries shouldn’t be allowed unilaterally is the fact that they can be used to relay requests to other DNS servers and enable DNS pharming and poisoning attacks.

So-called phishers use DNS cache poisoning in an attack known as “pharming,” in which a “poisoned” DNS server redirects users to the phisher’s Web site. The “poison” is essentially false DNS information that is injected into a vulnerable DNS server.

According to Liu, the reason recursive queries are still an issue relates to both configuration and awareness.

“In the case of BIND name servers, there is no excuse as all modern BIND servers support fine access controls on recursive queries,” Liu explained. “And if you don’t do it, it’s because you didn’t take the time or you don’t know about the relevant mechanism.”

Liu cited education and complexity as culprits behind the lack of DNS Security Extensions. DNSsec is an approach that includes integrity and authentication checks against DNS data. Infoblox said only 0.002 percent of DNS servers have DNSsec running.

“It is really complex. It’s all command line based so you have to be quite handy at the shell prompt,” Liu noted. “The tool has gotten better in the newer versions of BIND but it still requires a lot of experience.”

The path to fixing the problems with BIND misconfigurations may lead to BIND developers themselves.

“BIND 9.4, for example, changes its defaults for recursive queries,” Liu explained. “So it only allows recursive queries that are sent from networks that the name server is directly connected to. It’s a great change and will require some configuration by admins, but for the Internet as a whole it’s terrific.”

But for Liu, default configuration alone may not be enough. “You also have to deal with education so people will be required to know a little bit more in order to get things configured correctly.”