NordVPN Promotion

Home / Blogs

Survey Results Expose Widespread DNS Vulnerabilities

Protect your privacy:  Get NordVPN  [ Deal: 73% off 2-year plans + 3 extra months ]
10 facts about NordVPN that aren't commonly known
  • Meshnet Feature for Personal Encrypted Networks: NordVPN offers a unique feature called Meshnet, which allows users to connect their devices directly and securely over the internet. This means you can create your own private, encrypted network for activities like gaming, file sharing, or remote access to your home devices from anywhere in the world.
  • RAM-Only Servers for Enhanced Security: Unlike many VPN providers, NordVPN uses RAM-only (diskless) servers. Since these servers run entirely on volatile memory, all data is wiped with every reboot. This ensures that no user data is stored long-term, significantly reducing the risk of data breaches and enhancing overall security.
  • Servers in a Former Military Bunker: Some of NordVPN's servers are housed in a former military bunker located deep underground. This unique location provides an extra layer of physical security against natural disasters and unauthorized access, ensuring that the servers are protected in all circumstances.
  • NordLynx Protocol with Double NAT Technology: NordVPN developed its own VPN protocol called NordLynx, built around the ultra-fast WireGuard protocol. What sets NordLynx apart is its implementation of a double Network Address Translation (NAT) system, which enhances user privacy without sacrificing speed. This innovative approach solves the potential privacy issues inherent in the standard WireGuard protocol.
  • Dark Web Monitor Feature: NordVPN includes a feature known as Dark Web Monitor. This tool actively scans dark web sites and forums for credentials associated with your email address. If it detects that your information has been compromised or appears in any data breaches, it promptly alerts you so you can take necessary actions to protect your accounts.

The Measurement Factory and Infoblox have announced results of a survey of more than 1.3 million Internet-connected, authoritative domain name system (DNS) servers around the globe. The results of the survey indicate that as many as 84 percent of Internet name servers could be vulnerable to pharming attacks, and that many exhibit other security and deployment-related vulnerabilities.

The surveys consisted of several queries directed at each of a large set of external DNS servers to estimate the number of systems deployed today and determine specific configuration details.

The survey results revealed that many organizations often disregard these critical systems, which perform the functions necessary to make their presence available and accessible on the Internet. The Internet Systems Consortium’s BIND software, which performs the domain name resolution function, is often out of date, opening the door to malicious attacks. And, the systems are sometimes mis-configured, potentially compromising network availability.

Following is a summary of the significant survey results:

  • There are an estimated 7.5 million external DNS servers on the public Internet
  • Over 75% domain name servers (of roughly 1.3 million sampled) allow recursive name service to arbitrary queriers. This opens a name server to both cache poisoning and denial of service attacks.
  • Over 40% allow zone transfers from arbitrary queriers. This exposes a name server to denial of service attacks and gives attackers information about internal networks.
  • In almost 33% of the cases, all authoritative name servers for a zone were on the /24 same subnetwork. This leaves network open to accidental and deliberate denial of service attacks.
  • Only 60% of the name server records delegating each zone matched the intrazone name server records . Mis-matched records may decrease the number of servers available for resolution, reduce redundancy, increase load, and leave a zone susceptible to denial of service attacks.
  • 57% run the most recent, secure versions of BIND (9.x)

To view the complete survey results, visit:
http://dns.measurement-factory.com/surveys/sum1.html

Filed Under

Comments

Mark Foster  –  Oct 27, 2005 2:53 PM

In October of 2003 a similar survey[1] was perform against the root-zone-listed nameservers. The results were similar - recursion is allowed on way too many root-listed nameservers and zone transfers are not restricted. Because of the hierarchical nature of DNS, this is arguably a bigger/nastier problem since, although someone can (easily) secure their own name server against recursion (threat = cache poisoning) and zone transfers (threat = unintended disclosure), the upstream name server could get poisoned and that poisoning could trickle down.
[1] http://www.credentia.cc/research/dns/cctlds/report-2003-Oct.html

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

VINTON CERF
Co-designer of the TCP/IP Protocols & the Architecture of the Internet

Related

Topics

New TLDs

Sponsored byRadix

Threat Intelligence

Sponsored byWhoisXML API

IPv4 Markets

Sponsored byIPv4.Global

DNS

Sponsored byDNIB.com

Brand Protection

Sponsored byCSC

Domain Names

Sponsored byVerisign

Cybersecurity

Sponsored byVerisign

NordVPN Promotion