April 30, 2007

Global Scrutiny of Public IPs

Filed under: Uncategorized — Juha @ 11:01 am

I was lucky enough to start off this week on an interesting note. Based on what I’ve heard from CERT-FI, UltraDNS (a US-based company providing DNS as a service) is planning on sending a name query to every single IP address in the world. Apparently, their aim is to quantify the number of DNS servers globally: the test will be conducted by sending a UDP packet to port 53 querying for the PTR resource record. Their logic is that if a DNS server is located behind a given IP, it is likely to answer the query.

While I hate being the party pooper, I’m sorry to tell UltraDNS that in the real world, this approach will not provide them with any meaningful or even remotely accurate results. Why? Well, simply because the world is so full of insecure DNS servers with incorrectly configured reverse entries that a test such as this will be hugely inaccurate. This is not only lip service either, as we’ve accumulated quite a bit of evidence of this during the last six months or so.

Since last September, our website (www.nixusoftware.com) has received hundreds of thousands of requests originating from 156 different TLDs. Can you guess the domain from which the highest percentage of the requests have originated?

Well, both “.com” and “.net” were good guesses and they do make it to our Top 3. However, “unresolved numerical address” outpaces “.com” by nearly 30% and comes out as the clear winner, as nearly 25% of all requests originate from this mystery domain.

In fairness, though, there’s nothing gnomic about “unresolved numerical addresses”. Plain and simple, it only means that someone hasn’t been doing their homework properly and has misconfigured the reverse DNS entries in their DNS. If the reverse DNS has been inappropriately configured, it becomes impossible to trace back the name of the host and all one ends up with is a measly IP. I’m sure UltraDNS will also find this out in due course.
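An added example, not from the original post or from Nixu's products: a small offline audit of forward A records against reverse PTR records, the kind of check that catches the misconfigured reverse entries described above. The zone data, names and addresses are constructed (documentation ranges), and the `ptr_owner` and `audit` helpers are hypothetical.

```python
import ipaddress

# Constructed forward-zone data: owner name -> IPv4 address (documentation range)
FORWARD_A = {
    "www.example.test.": "192.0.2.10",
    "mail.example.test.": "192.0.2.25",
    "vpn.example.test.": "192.0.2.40",
    "old.example.test.": "192.0.2.77",
}
# Constructed reverse-zone data: PTR owner -> target name
REVERSE_PTR = {
    "10.2.0.192.in-addr.arpa.": "www.example.test.",
    "25.2.0.192.in-addr.arpa.": "mx1.example.test.",   # points at the wrong name
    "99.2.0.192.in-addr.arpa.": "gone.example.test.",  # no A record uses this address
}

def ptr_owner(addr):
    """Return the reverse-zone owner name (in-addr.arpa / ip6.arpa) for an address."""
    return ipaddress.ip_address(addr).reverse_pointer + "."

def audit(forward, reverse):
    """Compare forward and reverse data; return (kind, ptr_owner, name) findings."""
    names_by_owner = {}
    for name, addr in forward.items():
        names_by_owner.setdefault(ptr_owner(addr), set()).add(name.lower())
    findings = []
    for owner, names in sorted(names_by_owner.items()):
        target = reverse.get(owner)
        if target is None:
            # Address is in use but resolves back to nothing
            findings.append(("missing-ptr", owner, sorted(names)[0]))
        elif target.lower() not in names:
            # PTR exists but names a host that does not hold this address
            findings.append(("mismatch", owner, target))
    for owner, target in sorted(reverse.items()):
        if owner not in names_by_owner:
            # PTR left behind for an address no forward record uses
            findings.append(("stale-ptr", owner, target))
    return findings

if __name__ == "__main__":
    for finding in audit(FORWARD_A, REVERSE_PTR):
        print(*finding)
```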

Meanwhile, please feel free to take our flagship DNS and IP address management solution – the virtualization-ready Nixu NameSurfer Suite – for a spin. It’s equipped with all the goodies and comes with a huge number of automated features, e.g. automated creation of reverse DNS entries and automated provisioning of the next available IP when adding a new host (we actually use reverse DNS for the latter feature!).

April 23, 2007

On Traffic Analysis and DNS Security

Filed under: Uncategorized — Juha @ 5:19 pm

Most organizations running their own DNS servers do not know much about the traffic those servers are being subjected to. As long as the DNS servers are not too badly bogged down by the number of queries they receive and answer, everything is hunky-dory and the existing DNS servers may continue humming along in the broom closet.

Something wrong with this picture?

Well, at least at Nixu Software we think so. One of the best ways to determine whether your DNS servers have been appropriately secured and managed is to analyze the network traffic that your DNS servers are being exposed to. After all, it will not be too long before the vulnerabilities in your public DNS servers are discovered by the hacking community and their exploitation begins. The recent recursive DoS attack of February 2007 serves as a prime example of this.

Most of the DNS servers participating in the recursive DoS attack did so because they were configured to allow recursive name resolution from any host that cared to send a query to them. As these servers were insecurely configured to begin with, and as no one was analyzing the DNS traffic these servers were exposed to (e.g. any abnormalities in the number of queries, their origin), most organizations never realized that their servers had been used in an orchestrated attack against the DNS root. In legal terms, I think this would qualify as negligence.
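The traffic analysis described above, as an added example that is not part of the original post or of Nixu SNS: it tallies recursion-desired queries for names outside your own zones that come from clients outside your trusted networks. The log lines are constructed in a BIND-style query-log format (an assumption), as are the trusted network, the zone name and the threshold.

```python
import ipaddress
import re
from collections import Counter

# Assumed BIND-style query log: "client IP#port: query: NAME IN TYPE +/-"
# where a trailing "+" means the client set the recursion-desired flag.
LINE = re.compile(r"client (\S+)#\d+: query: (\S+) IN (\S+) ([+-])")

TRUSTED = [ipaddress.ip_network("10.0.0.0/8")]  # assumed internal clients
OUR_ZONES = ("example.test",)                   # assumed authoritative zones

# Constructed sample log lines
SAMPLE_LOG = """\
30-Apr-2007 11:01:02.101 client 10.1.2.3#40001: query: www.other.test IN A +
30-Apr-2007 11:01:02.250 client 198.51.100.7#53: query: www.example.test IN A -
30-Apr-2007 11:01:03.004 client 203.0.113.5#1025: query: a.other.test IN A +
30-Apr-2007 11:01:03.005 client 203.0.113.5#1026: query: b.other.test IN A +
30-Apr-2007 11:01:03.006 client 203.0.113.5#1027: query: c.other.test IN A +
30-Apr-2007 11:01:03.007 client 203.0.113.5#1028: query: d.other.test IN A +
30-Apr-2007 11:01:04.500 client 203.0.113.9#2048: query: www.other.test IN MX +
30-Apr-2007 11:01:05.000 client 203.0.113.9#2049: query: mail.example.test IN A +
"""

def in_zone(qname):
    """True if qname is one of our zones or a name beneath it."""
    q = qname.rstrip(".").lower()
    return any(q == z or q.endswith("." + z) for z in OUR_ZONES)

def external_recursion(log_text):
    """Count recursive requests for foreign names per untrusted client."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # not a query line
        client, qname, _qtype, rd = m.groups()
        ip = ipaddress.ip_address(client)
        trusted = any(ip in net for net in TRUSTED)
        if rd == "+" and not trusted and not in_zone(qname):
            hits[client] += 1
    return hits

def noisy(hits, threshold=3):
    """Clients at or above the (assumed) threshold, for follow-up."""
    return sorted(c for c, n in hits.items() if n >= threshold)

if __name__ == "__main__":
    print(noisy(external_recursion(SAMPLE_LOG)))
```

Any non-empty result from `external_recursion` on a public authoritative server is traffic that a recursion-restricted configuration should be refusing.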

To make it as easy and as cost-efficient as possible for organizations to put their house in order, we introduced a new version of Nixu Secure Name Server (SNS) last week. The WebUI of Nixu SNS 1.2 is equipped with a user-friendly DNS statistics utility that allows network administrators to monitor the traffic that their DNS server is being exposed to. This is a great feature for anyone wishing to know what’s going on with their DNS.

To download the ISO image of Nixu SNS for a free trial, please click here.

To install Nixu SNS, all you have to do is boot an x86 server or a virtual machine using the ISO image. The package auto-installs the entire DNS server package (incl. CentOS Linux OS specifically hardened for DNS) in just 10 minutes, after which you’re good to go.

April 19, 2007

Windows DNS Patch Available on May 8?

Filed under: Uncategorized — Juha @ 11:35 am

As a follow-up to my recent comments on the Windows DNS server vulnerability announced last week, I stumbled across a blog entry at Microsoft Security Response Center Blog in which Christopher Budd of Microsoft hopes that they will be able to patch up the Windows DNS server vulnerability by May 8, 2007 along with their May monthly bulletin release.

Of course, this is only unofficial speculation at this stage, as Microsoft has not officially committed to any specific release date. However, I suppose it’s good to know the time frame in which they hope to solve this problem: as the fix is still several weeks away, please be proactive in your efforts to secure your DNS servers. Simply crossing your fingers and hoping for the best won’t make this security threat go away.

April 17, 2007

Worms Exploiting Windows DNS Vulnerabilities

Filed under: Uncategorized — Juha @ 6:39 pm

According to several sources, there are now worms out there that exploit the recent vulnerability found in the Windows DNS server. What’s worse, this security threat isn’t restricted to public Windows-based DNS servers, as internal Windows DNS servers (in intranets) are also vulnerable due to the DNS / RPC attack vector. At the time of writing, Microsoft has yet to release a patch, so please make sure that you protect your Windows DNS servers as per the advisories issued on this topic.

For more info on attack codes and worms exploiting this vulnerability, please visit the following links:

Please make sure your own DNS servers are protected, as this vulnerability may also be used for DDoS attacks whose impact will not be restricted to your organization.

April 16, 2007

Critical DNS Vulnerability Discovered in Windows DNS Server

Filed under: Uncategorized — Juha @ 1:24 pm

Last week, Microsoft announced a new vulnerability in RPC on Windows DNS server which may allow remote code execution. For further details, please see related Microsoft Security Advisory 935964. This security flaw affects the DNS server service in Microsoft Windows 2000 Server Service Pack 4, Windows 2003 Server Service Pack 1, and Windows 2003 Server Service Pack 2. More discussion on the topic can be found in the Diary Archive at the SANS Internet Storm Center:

Generally speaking, one of the underlying problems behind vulnerabilities such as this is the fact that many organizations operate their DNS service on a server that offers a number of other network services in addition to DNS. This is rather problematic because the approach doesn’t allow the servers to be hardened for a specific task (e.g. DNS) which makes them vulnerable to a larger number of security flaws.

This is one of the primary reasons why Nixu Software as well as the SANS Institute recommends that public DNS service should be run on dedicated, hardened servers that are purpose-built for DNS. While this deployment strategy may have been cost-prohibitive previously due to the larger number of physical servers that were required for the deployment, virtualization technologies now allow pretty much all organizations to set up dedicated virtual machines that can be used to run e.g. the DNS service.

If you would like to try out virtualized DNS in your organization, please download Nixu Secure Name Server (SNS) for free evaluation today. The ISO image that you download contains the entire software stack from O/S (hardened CentOS) to application. As you boot up a clean virtual machine with our ISO image, the package auto-installs a secure, dedicated DNS server in just 10 minutes. At $495 (US) per server per year, installing secure DNS servers has never been this easy or cost-efficient.

April 10, 2007

The Dawn of DNS Virtualization

Filed under: Uncategorized — Juha @ 8:39 pm

Last week, we released a new 5.6.1 version of our flagship product, Nixu NameSurfer Suite. While the latest product release introduced several major enhancements such as a modernized look and feel, a new network-based API, and redesigned tools for the management of remote DNS and DHCP servers, in our view the most important step we took was related to how our flagship product is distributed. Namely, Nixu NameSurfer Suite can now also be had as a self-installing ISO image that contains the entire software stack from OS (hardened CentOS) to application and works beautifully on virtualization platforms (VMware, Xen, Parallels) as well as industry-standard x86 servers.

Better yet, our customers can now start operating virtualization platforms in which Nixu NameSurfer Suite and Nixu SNS are run alongside as virtual machines. As modern x86 servers come with plenty of memory and powerful CPU(s), and as new O/S releases such as RHEL 5, CentOS 5 and Microsoft Vista support virtualization, organizations no longer need to run a large number of physical servers to obtain the level of redundancy and performance they are looking for. Rather, they can consolidate several servers (e.g. hidden primary DNS server, authoritative DNS server, caching DNS server) on a single physical box. Setups such as this improve the rate of server utilization, are easier to deploy, require less maintenance, and are more energy-efficient thereby translating to a reduced total cost of ownership.

To further improve the server virtualization proposition, we will be launching new virtual / software appliances during the coming months that allow our customers to add more virtual machines on the same platform. After all, why run several Core Network Services on a large number of physical servers (or hardware-based appliances) on a one-service-per-box basis, if a more elegant and cost-efficient outcome can be achieved by consolidating servers using virtualization?

Welcome to the dawn of DNS virtualization!

April 3, 2007

Interesting Findings from CentOS IRC Channel

Filed under: Uncategorized — Juha @ 7:03 pm

As we have been curious about just how much people are having problems with home-grown DNS servers, our technical team did some analysis on different discussion topics on the #centos channel on IRC. As it turned out, between 50 and 60% of all questions and problems presented on this IRC channel are related to how DNS (BIND) servers should be set up and configured appropriately. While our findings are by no means scientific, I don’t think I’m hugely off-base if I concluded that DNS seems to be causing headaches to many – after all, the same theme seems to pop up wherever one cares to look.

Considering the number of problems people are having with setting up and configuring BIND servers, I wonder how much the world is spending on DNS each year. While the software (BIND) is free, installing and managing it isn’t. After all, if an average IT professional ends up spending several days or sometimes weeks working on a DNS server, the opportunity cost is pretty high. I actually took this up with IDC a while back and it seemed like they bought into my reasoning: the annual value of the DNS market consists mostly of simple x86 servers, manual labour, and associated overheads. Considering that there are 9 million public DNS servers out there and a large number of internal DNS servers, organizations and IT departments must be spending tens of billions of dollars on DNS each year without actually ever realizing where their money is going.

This is also why we think Nixu SNS is such an attractive proposition. As it installs the entire stack from OS to application automatically, is pre-configured securely, and provides software upgrades automatically at $495 (US) per year, how long do you think an average networking professional can afford to fine-tune and tweak his DNS servers at this cost? Not very long, not anywhere. That’s also why I would urge anyone having DNS headaches to try out the free trial of Nixu SNS.

Last Saturday (March 31) was the last day of our “Make Life Difficult for Blackhat Hackers” campaign. In summary, we had just a tad over 50,000 readers at this blog since the DDoS attack of early February. And so, I would like to say a big thanks to everyone who took part in the campaign!
