Study: Most Organizations Still Vulnerable To DNS Cache-Poisoning Attacks

Published : 22/11/2024   Category : security




Less than 0.02 percent of the Internet has adopted DNSSEC thus far



DNSSEC might finally be making progress at the top-level domains, but a new study shows overall adoption still represents only a tiny fraction of the Internet, leaving most organizations still at risk of DNS cache-poisoning attacks.
Less than 0.02 percent of DNS zones are DNSSEC-enabled, and 96 percent of these failed validation because their DNSSEC signatures had expired, according to data gathered by Infoblox and The Measurement Factory.
DNSSEC is considered the best defense against the DNS cache-poisoning threats first brought to light more than a year ago by renowned researcher Dan Kaminsky. While the Infoblox IP survey found DNSSEC adoption has jumped 340 percent this year, it still has a long way to go.
Cricket Liu, vice president of architecture at Infoblox and a DNS expert, says the survey also took a first look at whether the existing DNSSEC implementations out there were up and running. "The surprising thing about DNSSEC adoption is we saw numbers continue to go up ... but from minuscule to less-minuscule rates," Liu says. "This was the first time we took a look at the ability to validate data in those DNSSEC signed zones, and almost 25 percent failed validation because of expired signatures. That was disappointing."
He says the takeaway is that some of these organizations might have been testing DNSSEC as an experiment. "What this says is that with some tools DNSSEC can be hard to do," he says. "With one-fourth of the zones expired, that shows that resigning with DNSSEC isn't automatic ... and people set it up once to experiment with it, and then walked away."
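A monitoring check for the failure mode the survey describes (zones whose signatures were allowed to expire), as an added example that is not part of the article or of the Infoblox survey: it parses RRSIG records in the presentation format `dig +dnssec` prints and classifies each signature against a given clock, flagging signatures that are about to lapse before a validating resolver would start rejecting the zone. The sample records below are constructed, not real zone data.

```python
from datetime import datetime, timezone, timedelta

# Constructed sample records (not real zones) in the presentation format `dig +dnssec` prints.
# RRSIG field order (RFC 4034): type covered, algorithm, labels, original TTL,
# expiration, inception, key tag, signer name, signature.
SAMPLE_RRSIGS = """\
good.example.  3600 IN RRSIG A 13 2 3600 20241215000000 20241115000000 12345 good.example.  c2ln
stale.example. 3600 IN RRSIG A 8  2 3600 20240101000000 20231201000000 54321 stale.example. c2ln
soon.example.  3600 IN RRSIG A 13 2 3600 20241124000000 20241110000000 11111 soon.example.  c2ln
early.example. 3600 IN RRSIG A 13 2 3600 20250101000000 20241201000000 22222 early.example. c2ln
"""

def _ts(field):
    """RRSIG times are YYYYMMDDHHmmSS in UTC (RFC 4034, section 3.2)."""
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsig(line):
    """Split one RRSIG presentation line into a dict; returns None for any other record."""
    f = line.split()
    if len(f) < 13 or f[3] != "RRSIG":
        return None
    return {
        "owner": f[0], "type_covered": f[4], "algorithm": int(f[5]),
        "expiration": _ts(f[8]), "inception": _ts(f[9]),
        "key_tag": int(f[10]), "signer": f[11],
    }

def signature_status(rec, now, warn_days=7):
    """Classify a signature the way a validator does (RFC 4035 5.3.1: inception <= now <= expiration),
    plus an early warning so the zone can be re-signed before it fails validation."""
    if now > rec["expiration"]:
        return "expired"
    if now < rec["inception"]:
        return "not-yet-valid"
    if rec["expiration"] - now <= timedelta(days=warn_days):
        return "expiring-soon"
    return "valid"

def audit_rrsigs(text, now=None, warn_days=7):
    """Return {(owner, type_covered): status} for every RRSIG line in `text`.
    `now` may be a datetime, an RRSIG-style timestamp string, or None for the current time."""
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = _ts(now)
    report = {}
    for line in text.splitlines():
        rec = parse_rrsig(line)
        if rec:
            report[(rec["owner"], rec["type_covered"])] = signature_status(rec, now, warn_days)
    return report

if __name__ == "__main__":
    for (owner, rtype), status in audit_rrsigs(SAMPLE_RRSIGS).items():
        print(f"{owner} {rtype}: {status}")
```

Feed it the output of `dig +dnssec <zone> <type>` from a cron job and alert on anything other than `valid`; the `expiring-soon` window is what keeps a zone from becoming one of the expired-signature cases the survey counted.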
Kaminsky, meanwhile, has been working to make DNSSEC deployment simpler. He recently released a free toolkit called Phreebird Suite 1.0 that lets organizations test-drive DNSSEC deployment and also demonstrates his claims that the protocol is not difficult to implement. Phreebird Suite 1.0 is a real-time DNSSEC proxy that sits in front of a DNS server and digitally signs its responses.
The Infoblox survey also found nearly 75 percent of all DNS name servers reside in a single authoritative zone, leaving them open to a single point of failure. "This is a very bad thing," Liu says. "If there were to be a problem or fault in the routing infrastructure, they could lose their Internet presence."
Still missing from some networks are the basic network configurations needed for DNSSEC, Liu says: Nearly 20 percent of name servers don't allow TCP queries, and 26.4 percent don't support the Extension Mechanisms for DNS (EDNS) protocol.
Infoblox recommends organizations prepare for DNSSEC adoption and upgrade to the newest version of BIND, use port randomization, separate internal and external name servers, and separate authoritative and recursive DNS name servers. For more information on DNS best practices, visit this site.
Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.
