Consider yourself a normal network manager? Cornell researchers say your public email, web sites, etc. depend on 46 domain name servers keeping everything straight… even though you control only two. And that’s the good news.

An attacker doesn’t even need to touch your admirably controlled nameservers to steal your business. In the October 2005 proceedings of Internet Measurement Conference, Venugopalan Ramasubramanian and Emin Gun Sirer pointed out that 30% of domain names can be hijacked by exploiting known vulnerabilities in just two of the 46 servers (due to intrazone dependencies). Compromising any nameserver in your delegation scheme, they claim, can lead to hijacking your domain name for pharming, phishing or any other ne-pharious plot.

As an example, they observe:

The domain fbi.gov indirectly depends on a server belonging to telemail.net, which is vulnerable to four well-known exploits. A malicious agent can easily compromise that server, use it to hijack additional domains, and ultimately take control of FBI’s namespace.

The fbi.gov domain is served by two machines named dns.sprintip.com and dns2.sprintip.com. The sprintip.com domain is in turn served by three machines named reston-ns.telemail.net. Of these machines, reston-ns2. telemail.net is running an old nameserver (BIND 8.2.4), with four different known exploits against it (libbind, negcache, sigrec, and DoS multi). Having compromised reston-ns2, an attacker can divert a query for dns.sprintip.com to a malicious nameserver, which can then divert queries for www.fbi.gov to any other address, hijacking the FBI’s website and services.

As if that’s not bad enough, the Cornell team points out that ten percent of domain names out there are served by only one unassailable nameserver in the pack.

Cornell researchers aren’t the only worry-warts. A recent DNS survey by the Measurement Factory concluded:

  • 33% of domain names depend on nameservers that are planted on the same subnet.
  • 43% of domain nameservers are running out-of-date easily exploited software.
  • 40% of nameservers allow zone transfers by non-authenticated unknown requestors.
  • 40% of intrazone records do not properly match the domain’s zone records.
  • 75% of nameservers happily provide recursive name service to all comers.

If it can happen to J. Edgar’s gang, it can happen to you. Nearly every domain name on the planet can be hijacked directly or indirectly through cache poisoning, denial of service attack, or exploiting known vulnerabilities.

Of course, you can reduce the odds by designing the simplest DNS scheme possible, provisioning a number of geographically dispersed nameservers, and testing your DNS scheme regularly to assure accuracy.

To take a bit of the sting from your effort, we’ve added two online DNS debugging helpers to our free Online Spam Fighting Tools:

  • ZoneCheck (AFNIC) checks your authoritative nameserver, your list of secondary nameservers, and email delivery. Includes a batch mode, too.
  • DNS Sleuth (Martin Mares) detects the most common errors in DNS zones, and points you to the solutions.

ZoneCheck and DNS Sleuth supplement our old favorite, Dig (Men and Mice). When you don’t understand what the heck Dig’s telling you, ZoneCheck and DNS Sleuth come in real handy.

Refs: