Study: Vulnerable DNS software widely used

Many large companies use vulnerable versions of software that maps text-based Internet domain names to numeric IP (Internet Protocol) addresses, putting them at risk of becoming unreachable on the Internet.

About 14 percent, or 139, of Fortune 1000 companies run a version of BIND (Berkeley Internet Name Domain) DNS (Domain Name System) software with known vulnerabilities, according to a test conducted late last week, at the request of the IDG News Service, by DNS software and consultancy firm Men & Mice Inc. of Reykjavik, Iceland.

About half of the vulnerable companies run BIND 9 prior to version 9.2.1, recently found to be vulnerable to a denial of service attack. The U.S. Computer Emergency Response Team (CERT) warned of the flaw last Tuesday and urged users to either patch the flaw or upgrade to BIND 9.2.1, which was released on May 1. BIND is distributed for free by the Internet Software Consortium.

If all of a company’s DNS servers go down, the company would effectively disappear from the Internet. The company’s Web site becomes unreachable and inbound e-mail sent to the affected domain will bounce back.

Experts advise users to diversify and to make sure that DNS servers are located in different network segments.
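The two points above, the affected BIND 9 releases (anything before 9.2.1) and the advice to spread name servers across network segments, can be turned into a simple self-audit. The script below is an added example written for this page, not code from Men & Mice or the article; it assumes you have already collected each name server's `version.bind` banner (the CHAOS-class TXT record BIND answers with) and its address, and it approximates "different network segments" by distinct /24 blocks, which is an assumption you may want to tighten. The server list is constructed sample data using documentation addresses.

```python
import ipaddress
import re
from dataclasses import dataclass

# BIND 9 releases before 9.2.1 are the ones the advisory in the article covers.
ADVISORY_FIXED_VERSION = (9, 2, 1)


@dataclass
class NameServer:
    name: str
    ip: str
    version_bind: str  # text the server returned for the CHAOS TXT query "version.bind"


_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str):
    """Return (major, minor, patch) parsed from a version.bind banner, or None.

    Operators may replace the banner with arbitrary text; anything that does not
    start with a dotted number is reported as unknown rather than guessed at.
    """
    m = _VERSION_RE.match(text.strip())
    if m is None:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch) if patch is not None else 0)


def is_affected(text: str):
    """True for a BIND 9 release older than 9.2.1, False otherwise, None if unknown."""
    v = parse_version(text)
    if v is None:
        return None
    return v[0] == 9 and v < ADVISORY_FIXED_VERSION


def assess(servers, prefix_len: int = 24):
    """Summarise a domain's name servers: which are affected and how spread out they are."""
    affected = [s.name for s in servers if is_affected(s.version_bind) is True]
    unknown = [s.name for s in servers if is_affected(s.version_bind) is None]
    # Assumption: "different network segments" is approximated by distinct /prefix_len blocks.
    segments = {
        ipaddress.ip_network(f"{s.ip}/{prefix_len}", strict=False) for s in servers
    }
    return {
        "affected": affected,
        "unknown": unknown,
        # The article's worst case: every authoritative server runs an affected release.
        "all_affected": bool(servers) and len(affected) == len(servers),
        "distinct_segments": len(segments),
    }


# Constructed sample (documentation addresses, made-up banners), not real survey data.
SAMPLE_SERVERS = [
    NameServer("ns1.example.com", "192.0.2.10", "9.2.0"),
    NameServer("ns2.example.com", "192.0.2.11", "9.1.3"),
    NameServer("ns3.example.com", "198.51.100.5", "9.2.1"),
]

if __name__ == "__main__":
    print(assess(SAMPLE_SERVERS))
```

For the sample set, two of three servers are affected but one patched server on a separate /24 remains, so the domain would not drop off the Internet outright; a result with `all_affected` true and `distinct_segments` equal to 1 is the combination the article warns about. Banners that have been hidden land in `unknown` and need to be checked by other means rather than assumed safe.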

“Having some of the name servers running a vulnerable version of BIND constitutes a security threat, having all the name servers run vulnerable BIND is a severe security threat that could turn into a million dollar disaster,” said Men & Mice Chief Executive Officer Petur Petursson, adding that 35 of the Fortune 1000 use multiple vulnerable BIND versions.

The vast majority of DNS servers run BIND, and this lack of diversity makes DNS a weak link in the Internet’s infrastructure, according to Men & Mice. The Internet Corporation for Assigned Names and Numbers (ICANN), the organization that oversees the Internet’s addressing system, has formed a security committee aimed, in part, at examining DNS security holes.