Most of the results of our recent DNS Survey were pretty scary, especially the news that nearly 80% of the name servers we found in our sweep of 5% of the Internet’s address space were open to recursion. But the results contained some good news, too, and for that we should be thankful.
– Of those open recursors we found, almost 90% used source-port randomization, the most common mechanism used to combat cache poisoning in general, and the Kaminsky vulnerability in particular. Last year we found that a hair less than 24% of the open recursors we identified exhibited poor source-port randomization (e.g., none), and my friend Matt Larson’s study from the vantage point of the root name servers estimated that roughly 30% hadn’t been patched. Any decrease in the population of name servers vulnerable to cache poisoning is good news.
– The percentage of zones with name servers open to zone transfers dropped by almost half, from 31% last year to 16% this year. While not as serious a threat as open recursive name servers, name servers that are open to zone transfers are sometimes at risk of denial of service attacks.
– The percentage of name servers we fingerprinted as running some version of the Microsoft DNS Server dropped to 0.37% from 2.74% just two years ago. That’s really remarkable, given how pervasive the use of Windows operating systems is. This suggests that administrators realize that the Microsoft DNS Server, while useful “behind the firewall,” lacks features necessary to secure it when directly exposed to the Internet.
– The number of signed subzones of com, net, and org is increasing. In percentage terms, the rise is dramatic: about 270%. But in absolute terms, the increase is much less impressive, from 45 signed subzones last year to 167 this year. Still, that’s heartening evidence of broader deployment of DNSSEC. With the .org zone recently signed and .net due to be signed next year, as well as the availability of products that make the management of DNSSEC-signed zones easier, I’ll bet that we’ll see adoption accelerate by next year’s survey. (I’m also grateful to the Public Interest Registry for agreeing to participate in this year’s survey, and to VeriSign for their continued participation.)
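To make the first two findings concrete, here is an added BIND 9 named.conf illustration (not from the survey or this post) that puts the exposed settings next to the hardened ones: recursion open to the world, zone transfers open to anyone, and a pinned query source port that defeats source-port randomization. The ACL names, address ranges, and the example.org zone are placeholders; the two fragments are alternatives for the same file, not one configuration.

```conf
// Added example, not from the original post. Addresses, ACL names and zone are placeholders.

// ---- Fragment A (weak): recursive server exposed to the whole Internet ----
options {
    recursion yes;                     // answers recursive queries for any client: an open recursor
    // allow-recursion and allow-transfer left unset; in many BIND releases the
    // transfer default is "any", so every host can AXFR every zone below
    query-source address * port 53;    // pins the outbound source port, disabling the
                                       // randomization that makes cache poisoning hard
};
zone "example.org" {
    type master;
    file "db.example.org";             // no allow-transfer here either
};

// ---- Fragment B (hardened): recursion for internal clients only, transfers only to secondaries ----
acl "internal"    { 192.0.2.0/24; 2001:db8::/32; localhost; };   // placeholder ranges
acl "secondaries" { 198.51.100.5; 198.51.100.6; };               // placeholder secondary servers
options {
    recursion yes;
    allow-recursion   { "internal"; };   // outside clients receive REFUSED, not an answer
    allow-query-cache { "internal"; };   // cached data is not served to outsiders either
    allow-transfer    { none; };         // global default: no transfers unless a zone says otherwise
    // no "port" clause on query-source: BIND 9.5 and later choose a random source port per query
};
zone "example.org" {
    type master;
    file "db.example.org";
    allow-transfer { "secondaries"; };   // AXFR only to the named secondaries
};
```

Run `named-checkconf` after editing, then from an address outside the internal ACL confirm that `dig @your-server www.example.com` returns REFUSED without the `ra` flag and that `dig @your-server example.org axfr` is refused.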
I’m even hopeful that our alarming percentage of open recursors can and will be addressed quickly. If these open recursors are, in fact, customer premises equipment that carriers are deploying, there’s a good chance that those carriers have some kind of centralized control of those devices, or at the very least can change the default configuration the devices ship with. And there’s every reason to believe that the carriers want to do the right thing – after all, who would risk finding coal in his stocking?