Press Release

Worldwide Survey of DNS Servers Reveals Many Systems Vulnerable to Attacks

One in Four Servers Still Unpatched for the Kaminsky Vulnerability and Many More Open to Recursion
Posted 10 November 2008 @ 09:00 am ET

SANTA CLARA, CA -- (Marketwire) -- 11/10/08 -- Infoblox Inc., a developer of appliances that deliver DNS and DHCP services, among others, and The Measurement Factory, experts in performance testing and protocol compliance, today announced results from the fourth-annual survey of domain name servers on the public Internet.

Top-line results indicate that despite the fact that most organizations are running recent versions of BIND and no longer using Microsoft DNS Servers for their external DNS servers, many organizations have not taken the necessary precautions to limit access to recursion or secure zone transfers. In addition, many still have not upgraded to the latest DNS software to protect against the recently discovered Kaminsky vulnerability and associated risk of DNS cache poisoning.

"Given the heightened awareness of DNS server vulnerabilities due to the recent Kaminsky discovery, it is surprising to see how many organizations are still leaving their DNS systems as potential victims of attack," commented Cricket Liu, Vice President of Architecture at Infoblox and author of O'Reilly & Associates' DNS and BIND, DNS & BIND Cookbook, and DNS on Windows Server 2003. "Even if an enterprise has gone to the trouble of patching against the Kaminsky vulnerability, there are many other aspects of configuration, like recursion and open zone transfers, that should also be secured. If not, organizations are essentially locking their door to their house, but leaving the windows wide open. Organizations clearly need to pay more attention to configurations and deployment architectures that are leaving their DNS infrastructures vulnerable to attacks and outages."

DNS servers are essential network infrastructure that map domain names (e.g., yahoo.com) to IP addresses (e.g., 66.94.234.13), directing Internet inquiries to the appropriate location. Domain name resolution conducted by these servers is required to perform any Internet-related request, whether for Web browsing, email, ecommerce, or cloud computing. Should an enterprise or organization's DNS systems become compromised by attacks, the results can be devastating, ranging from loss of a company's Web presence and inability of employees to access any outside Web services to, perhaps most damaging, redirection of Web and email traffic to bogus sites, resulting in data loss, identity theft, ecommerce fraud and more.

Following are the key 2008 DNS survey results, which are based on a sample that included 5 percent of the IPv4 address space, nearly 80 million addresses.

GOOD NEWS

-- 90% of name servers that run BIND run one of the most recent versions of BIND 9; a small but significant number of administrators continue to run older versions of BIND on Internet-facing name servers, putting their organizations at risk.

-- Only .17% still rely on Microsoft DNS Server, down from 2.7% (2007); usage of unsecure Microsoft DNS Servers connected to the Internet is vanishing.

-- Support for Sender Protection Framework (SPF) within DNS for spam reduction increased from 12.6% of zones sampled to 16.7%; despite the complexity of SPF configuration, validating email senders is increasing in importance and organizations are taking email fraud seriously.

BAD NEWS

-- One in four DNS servers does not perform source port randomization -- the "patch" for "the Kaminsky vulnerability"; the effort by vendors and the Internet's DNS community to encourage administrators to upgrade their name servers after the announcement of the Kaminsky vulnerability paid off; however, a surprising number have not been upgraded and are very vulnerable to cache poisoning.

-- More than 40% of Internet name servers allow recursive queries; there are still millions of open recursors on the Internet, a danger both to themselves and others -- they are vulnerable to cache poisoning and Distributed Denial of Service attacks.

-- 30% of DNS servers surveyed allow zone transfers to arbitrary requestors; this leaves servers as easy targets for denial-of-service attacks.

-- Only .002% of DNS zones tested support DNSSEC; administrators have not been convinced of its importance -- perhaps intimidated by its complexity -- but new mandates could mean a significant change in the near future.
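The three configuration findings above (open recursion, open zone transfers, and a pinned source port that defeats port randomization) all show up in a BIND 9 named.conf, the software the survey says most of the sampled servers run. The fragment below is an added illustration, not configuration published by Infoblox or The Measurement Factory: it places the weak settings beside the hardened ones. The ACL names, the 10/8 and 192.168/16 internal ranges, and the 192.0.2.x secondary addresses are placeholders (192.0.2.0/24 is a documentation range) and must be replaced with the real networks and secondaries of the zone being served.

```conf
// ---- WEAK (constructed example of the misconfigurations the survey counts) ----
options {
    directory "/var/named";
    recursion yes;                       // answers recursive queries from any Internet host
    query-source address * port 53;      // pins the UDP source port: undoes port randomization
    // no allow-transfer statement: AXFR is honoured for any requestor
};

zone "example.com" {
    type master;
    file "example.com.zone";
};

// ---- HARDENED (same server, same zone) ----
acl "internal"    { 10.0.0.0/8; 192.168.0.0/16; 127.0.0.1; };  // placeholder client ranges
acl "secondaries" { 192.0.2.10; 192.0.2.11; };                 // placeholder secondary name servers

options {
    directory "/var/named";

    // Public authoritative server: do not recurse for anyone.
    // (A resolver that must serve internal clients keeps "recursion yes;"
    //  and adds:  allow-recursion { "internal"; };  instead.)
    recursion no;

    // No query-source port: a Kaminsky-patched BIND 9 picks a random
    // source port for every outbound query unless a fixed port is forced.

    // Global default: nobody may transfer zones unless a zone overrides it.
    allow-transfer { none; };
};

zone "example.com" {
    type master;
    file "example.com.zone";
    allow-transfer { "secondaries"; };   // only the listed secondaries may AXFR
    also-notify    { 192.0.2.10; 192.0.2.11; };
};
```

Before reloading, `named-checkconf` on the edited file catches syntax errors in the ACL and option blocks. After reloading, a recursive query from outside the "internal" ranges for a name the server is not authoritative for should come back with status REFUSED, and a zone-transfer request from any address not in "secondaries" should likewise be refused; both are quick checks that the settings took effect.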

MISC.

-- Usage of IPv6 name servers continues to increase from .27% to .44%; while enterprises are investigating IPv6 and concerned about increasingly scarce IPv4 address space, adoption of IPv6 is still low -- address scarcity isn't yet considered a serious concern and they feel no urgency to adopt IPv6.

Call to Action

Based on these statistics, there are some clear calls to action for organizations with external DNS servers. Instead of waiting until they are attacked, all organizations should assess their DNS infrastructure and immediately take the necessary steps to make them more reliable and secure. Infoblox provides a number of free, automated tools that enable organizations to test their DNS infrastructure and identify weaknesses and vulnerabilities. These tools and many other resources, as well as the complete DNS Survey results, are available on the Infoblox.com Web site at: http://www.infoblox.com/library/dns_resources.cfm.

About Infoblox

Infoblox appliances deliver utility-grade core network services, including domain name resolution (DNS), IP address assignment and management (IPAM/DHCP), authentication (RADIUS) and related services. Infoblox solutions, which provide the essential "glue" between networks and applications, are used by over 2,300 organizations worldwide, including over 100 of the Fortune 500. The company is headquartered in Santa Clara, Calif., and operates in more than 30 countries. For more information, call +1.408.625.4200, email info@infoblox.com, or visit www.infoblox.com.

About The Measurement Factory

The Measurement Factory provides a variety of products and services related to Internet testing and measurement, with a current focus on DNS, HTTP, and ICAP. Most of the Factory's products are available under open-source licenses. For more information, call +1-303-938-6863, email info@measurement-factory.com, or visit www.measurement-factory.com.

Media Contacts:
Jennifer Jasper
Infoblox
408.625.4309


International Business Times © 2009 The Ibtimes Company. All Rights Reserved.