Second Annual DNS Survey Reveals Growth and Improvements, But Many Systems Still Vulnerable to Attacks
Infoblox Introduces Cricket Liu’s DNS Advisor: Free Online Tool Enables Organizations to Assess Their DNS Systems and Provides Recommendations for Addressing Weaknesses
PRESS RELEASE

SANTA CLARA, Calif., (October 9, 2006) - Infoblox Inc., a developer of essential infrastructure for identity-driven networks (IDNs), and The Measurement Factory, experts in performance testing and protocol compliance, today announced availability of the “2006 DNS Report Card”, featuring results of their second annual survey of Domain Name System (DNS) servers on the public Internet. In related news, Infoblox also announced today availability of Cricket Liu’s DNS Advisor, a free online tool that assesses an organization’s external DNS systems and provides a report that includes helpful advice for improvement.

DNS servers are essential network infrastructure that map domain names (e.g., yahoo.com) to IP addresses (e.g., 66.94.234.13), directing Internet inquiries to the appropriate location. Domain name resolution conducted by these servers is required to perform any Internet-related request. Should an enterprise or organization’s DNS systems fail, all Internet functions, including email, web access, e-commerce, and extranets become unavailable. 

The DNS survey provides an estimate of the total number of DNS servers deployed and also examines the configuration of the servers that are scanned. It was based on a sample that included 5 percent of the IPv4 address space – nearly 80 million devices. The results were categorized in three areas, covering DNS infrastructure, security, and adoption of new applications. By comparing results from the 2006 survey with those compiled in the 2005 survey, a picture of key trends emerges. Highlights of the results include the following:

DNS Infrastructure Earns a “B” Grade 
• Total number of external DNS servers grew 20 percent, from 7.5 million in 2005 to 9 million in 2006. Most of the growth appeared to come from developing economies, and many of the new servers are embedded in access devices, such as cable modems and DSL routers. 
• Use of BIND 9 – the most recent and secure version of open-source domain name server software – grew from 58 percent of the total in 2005 to 61 percent in 2006, implying that organizations are paying attention to the version of BIND they are running and that they are increasingly aware of related security issues. 
• Use of BIND 8 – an older version of DNS software – decreased by 30 percent from 20 percent (2005) to 14 percent (2006), indicating that many organizations are making the effort to deploy the most reliable and secure DNS implementations. 
• Use of the Microsoft DNS Server decreased by 50 percent from 10 percent to 5 percent of the total in 2006, perhaps reflecting concerns over risks associated with deploying Microsoft Windows servers that are exposed to the public Internet. 

DNS Security Barely Passes with a “D+” Grade 
• More than 50 percent of Internet name servers allow recursive name service to arbitrary clients – a form of name resolution in which a name server relays requests to other name servers on the client’s behalf – leaving many networks vulnerable to pharming (cache poisoning) attacks and enabling their servers to be used in DNS amplification attacks that can take down important DNS infrastructure.
• Over 29 percent of DNS servers surveyed allow zone transfers to arbitrary queriers, enabling anyone to copy an entire segment of an organization’s DNS data from one DNS server to another and leaving those servers easy targets for denial of service attacks.

Security researcher Dan Kaminsky, who has spent several years investigating security and reliability issues in the Internet's Domain Name System, commented: “People tend to take DNS for granted, but if it goes down, so does your network. As Infoblox’s data shows, there are indeed organizations that should take urgent action to bolster their DNS infrastructure.” 

Cricket Liu, vice president of architecture at Infoblox and author of O’Reilly & Associates’ DNS and BIND, DNS & BIND Cookbook, and DNS On Windows Server 2003, commented, “While there have been improvements, organizations still need to be cognizant that without proper configuration and management, their DNS infrastructures are likely to be vulnerable to attack and brittle in the face of common outages. All organizations should assess their DNS systems and immediately take the necessary steps to make them reliable and secure.” 

Cricket Liu’s DNS Advisor Helps Organizations Identify Specific Vulnerabilities 
Now available on the Infoblox website is the Cricket Liu DNS Advisor tool, designed to identify DNS infrastructure vulnerabilities and configuration deficiencies. The tool tests for a variety of DNS-related variables, including the following: 

• Single points of failure, which can compromise network availability; 
• Misconfigured or poorly operating name servers that can compromise network availability and pose a security risk;
• Unsecured zone transfers that can expose name servers to denial of service attacks; 
• IP address/name inconsistency, which can result in network management confusion;
• Outdated BIND versions that leave networks vulnerable to a variety of known attacks; and 
• Unsecured recursive queries that leave name servers vulnerable to DNS cache poisoning and denial of service attacks. 

According to Liu, there are several simple steps and deployment best practices that enterprises can take to address DNS vulnerabilities and configuration issues, such as those tested for above:

1. On external authoritative name servers, disable recursion. On forwarders, allow only queries from your internal address space. 
2. If you can’t split your authoritative name servers and forwarders, restrict recursion as much as possible. Only allow recursive queries if they come from your internal address space. 
3. Use hardened, secure appliances that enable easy upgrades instead of systems built on general-purpose servers and operating systems.
4. Make sure you run the latest version of your domain name server software. 
5. Filter traffic to and from your external name servers. Using either firewall- or router-based filters, ensure that only authorized traffic is allowed between your name servers and the Internet. 
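The open-recursion and open-zone-transfer findings above, and steps 1, 2 and 4 of the best practices, map directly onto a few BIND 9 options. The following named.conf fragment is an added example, not from the press release or from Infoblox; the address ranges, secondary server address and zone name are constructed placeholders.

```conf
// Constructed example: Internet-facing authoritative BIND 9 server.
//
// Weak pattern the survey graded "D+" (shown commented out):
//   options {
//       recursion yes;              // open resolver: cache poisoning, amplification
//       allow-transfer { any; };    // anyone can AXFR the whole zone
//   };

// Placeholder address ranges; replace with your own.
acl "internal"    { 10.0.0.0/8; 192.168.0.0/16; };   // your internal address space
acl "secondaries" { 192.0.2.53; };                    // your secondary name server(s)

options {
    directory "/var/named";
    version "not disclosed";            // do not advertise the BIND version string
    // Step 1: an external authoritative server does not recurse at all.
    recursion no;
    allow-recursion { none; };
    // Authoritative data is meant to be public, so queries stay open...
    allow-query { any; };
    // ...but zone transfers go only to known secondaries.
    allow-transfer { "secondaries"; };
    notify yes;
};

// Step 2: if this server cannot be split from the internal forwarder,
// restrict recursion to internal clients instead of disabling it:
//     recursion yes;
//     allow-recursion { "internal"; };

zone "example.com" IN {
    type master;
    file "example.com.zone";
    // allow-transfer is inherited from options; override per zone if needed.
};
```

Step 4 (run the current release) and step 5 (firewall or router filters on UDP/TCP port 53 between these servers and the Internet) are enforced outside named.conf.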

To view the complete 2006 DNS Report Card, access the Infoblox DNS Advisor Tool and find more DNS Best Practices to address vulnerabilities, visit: http://www.infoblox.com/library/dns_resources.cfm. 

About Infoblox 
Infoblox develops essential infrastructure used for establishing identity-driven networks (IDNs). Infoblox network identity appliances deliver nonstop DNS, DHCP, IPAM, RADIUS and related services with unparalleled reliability, manageability, scalability and security. Over 1,200 organizations worldwide, including many of the Fortune 500, use Infoblox solutions for the critical naming, authentication, authorization and IP management services that make their networks secure, robust, manageable and compliant. The company is headquartered in Santa Clara, CA and operates in more than 30 countries. For more information, call +1.408.625.4200, email info@infoblox.com, or visit www.infoblox.com.  

About The Measurement Factory 
The Measurement Factory provides a variety of products and services related to Internet testing and measurement, with a current focus on DNS, HTTP, and ICAP. Most of the Factory’s products are available under open-source licenses. For more information, call +1-303-938-6863, email info@measurement-factory.com, or visit www.measurement-factory.com.