DNS Server Survey Reveals Mixed Security Picture
Posted by
kdawson
on Wednesday November 21, @07:57AM
from the buddy-can-you-spare-a-zone dept.
Kurtz'sKompund writes in with word on the latest annual survey of the state of DNS on the Net. The survey, commissioned by infrastructure appliance vendor Infoblox, found that the use of Windows DNS Server in Internet-facing applications has fallen off dramatically as more users act on concerns about security. BIND 9, the latest version, gained against earlier, less secure versions. But in other dimensions, DNS practices showed little improvement from a security point of view. Hardly anyone is using DNSSEC; and 31% of nameservers allow promiscuous zone transfers, a number little changed from last year. Here's a video of an interview with Infoblox's chief architect Cricket Liu on the state of DNS.
I hate video without transcripts (Score:2, Interesting)
Security? It's quite simple (Score:5, Informative)
(http://www.primary0.com/)
2) Put restrictions on recursive queries.
3) Lock down box.
4) Profit.
Re:Security? It's quite simple (Score:4, Funny)
Re:Security? It's quite simple (Score:5, Funny)
(http://www.cooldark.com/ | Last Journal: Monday April 26 2004, @05:31PM)
Hypotheses != data (Score:3, Insightful)
The HYPOTHESIS is that this is motivated by security concerns.
Conflating the two, as the summary does, is frankly retarded and exceptionally bad practice.
DNSSEC is dead, let's move on (Score:5, Informative)
Until registrars figure out how to securely register and manage keys, DNSSEC is DOA
Until zone managers start signing zones, DNSSEC won't achieve critical mass
Without critical mass, uneven DNSSEC deployment has no value
Without stub resolver support, DNSSEC is meaningless
Until all the above happen, there is no business case for DNSSEC and TLD owners won't deploy it.
From the local LDAP Fanatic (Score:2)
This is a failing of Bind.
Promiscuous zone transfers - just say no (Score:3, Informative)
If your server is handing out zones to anyone and everyone, you might want to check that you're not offering recursion to everyone as well (see allow-recursion {}; ). http://www.oreilly.com/catalog/dns4/chapter/ch11.html
DIY (Score:1)
them. Or create a forum where they can all participate and ask them to join. Otherwise it won't get changed until there's a large worm outbreak that uses the vulnerability.
Cricket Liu (Score:5, Informative)
(http://www.dutchvirtual.nl/ | Last Journal: Friday August 10, @07:04AM)
What I also like about Cricket Liu (and Paul Albitz) is that they explain the domain name system really well in an understandable way.
Good timing... (Score:2)
(http://www.cooldark.com/ | Last Journal: Monday April 26 2004, @05:31PM)
Pretty poor redundancy - goes to show you can't even trust the big players to get it right, and probably should run your own nameservers within your domains too, just in case...
A good example of "begging the question" (Score:1, Interesting)
How do I know? (Score:3, Interesting)
I would like to run some checks against my domain and see if any of this applies to me. Can anyone recommend sites, utilities or linux commands to test it?
Would have been nice to include this info in the 'article' or even the summary, instead of just saying how un-secure everything is. Again.
Thanks.
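As an added example (not code from the original thread or from any of the posters), the two things the "just say no" comment above tells you to check, promiscuous zone transfers and open recursion, can be probed with a short standard-library Python script. It speaks the raw DNS wire format of RFC 1035 rather than relying on a resolver module: an AXFR query goes over TCP, and the response's RCODE and answer count tell you whether the zone came back or the server said REFUSED; a recursive A query for a name the server is not authoritative for goes over UDP, and the RA flag plus a non-authoritative answer tells you whether the server recursed for a stranger. The server name, zone and probe name in the usage line are assumptions; only run this against servers you are authorised to test.

```python
"""Probe a DNS server for promiscuous zone transfers and open recursion.

Added example, not from the original page. Standard library only; speaks
the RFC 1035 wire format directly. Server/zone/probe names are assumptions.
"""
import socket
import struct
import sys

QTYPE_A = 1
QTYPE_AXFR = 252
QCLASS_IN = 1
RCODE_NXDOMAIN = 3
RCODE_REFUSED = 5

def build_header(txid, flags, qdcount=1, ancount=0, nscount=0, arcount=0):
    """Pack the fixed 12-byte DNS header (RFC 1035 section 4.1.1)."""
    return struct.pack("!HHHHHH", txid, flags, qdcount, ancount, nscount, arcount)

def encode_name(name):
    """Encode a dotted name as length-prefixed labels ending in the root label."""
    out = b""
    for label in name.strip(".").split("."):
        if not label:
            continue
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label too long: %s" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(qname, qtype, txid=0x1234, rd=True):
    """One-question query; rd=True sets Recursion Desired (flag bit 0x0100)."""
    flags = 0x0100 if rd else 0x0000
    return build_header(txid, flags) + encode_name(qname) + struct.pack("!HH", qtype, QCLASS_IN)

def parse_header(msg):
    """Unpack the flags and section counts from the start of a DNS message."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "aa": bool(flags & 0x0400),   # authoritative answer
        "rd": bool(flags & 0x0100),   # recursion desired (echoed back)
        "ra": bool(flags & 0x0080),   # recursion available
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }

def classify_axfr(msg):
    """'open' if the first AXFR message already carries records; 'refused'
    if the server answered REFUSED, which is what allow-transfer {...}; yields."""
    h = parse_header(msg)
    if h["rcode"] == RCODE_REFUSED:
        return "refused"
    if h["rcode"] != 0:
        return "error rcode %d" % h["rcode"]
    return "open" if h["ancount"] > 0 else "empty"

def classify_recursion(msg):
    """Judge the reply to a query for a name the server is NOT authoritative for:
    RA set plus a non-authoritative answer (or NXDOMAIN) means it recursed for us."""
    h = parse_header(msg)
    if h["rcode"] == RCODE_REFUSED:
        return "refused"
    if h["ra"] and not h["aa"] and (h["ancount"] > 0 or h["rcode"] == RCODE_NXDOMAIN):
        return "open"
    return "closed" if not h["ra"] else "unclear"

def _read_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf

def tcp_exchange(server, query, timeout=5.0):
    """AXFR is TCP-only: send one length-prefixed query, return the first message."""
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(query)) + query)
        length = struct.unpack("!H", _read_exact(s, 2))[0]
        return _read_exact(s, length)

def udp_exchange(server, query, timeout=5.0):
    """Send one query over UDP and return the raw response."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        data, _ = s.recvfrom(4096)
    return data

def check_server(server, zone, probe="www.iana.org"):
    """Run both probes. 'probe' must be a name outside the server's own zones."""
    axfr = classify_axfr(tcp_exchange(server, build_query(zone, QTYPE_AXFR, rd=False)))
    rec = classify_recursion(udp_exchange(server, build_query(probe, QTYPE_A, rd=True)))
    return {"zone_transfer": axfr, "recursion": rec}

if __name__ == "__main__":
    # Assumed invocation: python dnscheck.py ns1.example.com example.com
    print(check_server(sys.argv[1], sys.argv[2]))
```

A result of {'zone_transfer': 'refused', 'recursion': 'closed'} is what a correctly locked-down authoritative server should give; 'open' on either line is the exposure the survey counts. The classifier only looks at the first AXFR message, which is enough: a server that is going to hand over the zone puts the SOA in that first reply, and one that is not answers REFUSED immediately.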
MyDNS owns (Score:2)
They solve the recursion problem by not supporting it; it is only for the master.
Use djbdns, watch your security problems vanish (Score:1)
(http://reactor-core.org/)
I sat down last week and installed djbdns. I thought it would be a big hairy project, like learning BIND was. Back in the day, before Slashdot existed, I used Cricket's book on BIND. Good book, but BIND is finicky and the book is THICK.
Anyhow, in a couple hours I had djbdns installed and working. I had to keep checking. I couldn't believe it was that easy. But it was. djbdns doesn't allow recursive queries or zone transfers by default. djbdns has privilege separation, just like qmail. The configuration is a breeze. The file format is very robust and easy to edit. Most knobs and configuration items can be configured by using "echo" to echo values into little files in the configuration directory.
djbdns doesn't need restarting like bind does. djbdns doesn't die and restart; you can run "svc -t /service/tinydns" and it rereads the configuration instantly and starts serving it without changing its process ID.
I wish I'd installed djbdns years ago. If not for the licensing issues, it would have taken over the world and we'd have a much safer internet. djbdns even prevents cache poisoning, an old technique for hijacking domain names.
Makes sense to me (Score:1)
Why are we talking about DNSSEC? (Score:2)
(http://grendel.dyndns.org/)
Hand-waving "security" theatre (Score:2)
(http://www.faqs.org/rfcs/rfc3675.html)
Internet-visible DNSSEC improves security how, exactly, if the top-level domains don't support it?
Oh, and some of us allow "promiscuous zone transfers" because the only information we make publicly available in the DNS is information that is, you know, public.
Good security involves making sure that legitimate users don't get a false sense of security. One way to do that is to avoid providing features that look like they provide strong confidentiality or integrity without actually doing so.