At least 10 percent of the internet's Domain Name System (DNS) servers are vulnerable to attack, says Infoblox.
The networking specialist commissioned a worldwide survey of public-facing internet nameservers and discovered that many servers have still not been protected, even though it's several months since the cache-poisoning vulnerabilities were disclosed and fixes made available.
"We estimate there's 11.9 million nameservers out there, and over 40 percent allow open recursion, so they accept queries from anyone. Of those, a quarter are not patched. So there's 1.3 million nameservers that are trivially vulnerable," said DNS expert and Infoblox vice president of architecture, Cricket Liu.
Other DNS servers may well allow recursion, but are not open to everyone, so they were not picked up by the survey, he said.
Liu said the cache-poisoning vulnerability, which is often named after Dan Kaminsky, the IOActive researcher who published details of it in July, is genuine: "Kaminsky was exploited within days of being made public," he said.
Modules targeting the vulnerability have been added to the hacking and penetration testing tool Metasploit, for instance. Ironically, one of the first DNS servers compromised by a cache poisoning attack was one used by Metasploit's author, HD Moore.
For now, the antidote to the cache-poisoning flaw is port randomisation. By sending DNS queries from varying source ports, this makes it harder for an attacker to guess which port to send poisoned data to.
However, this is only a partial fix, Liu warned. "Port randomisation mitigates the problem but it doesn't make an attack impossible," he said. "It is really just a stopgap on the way to cryptographic checking, which is what the DNSSEC security extensions do."
"DNSSEC is going to take a whole lot longer to implement though, as there's a lot of infrastructure involved - key management, zone signing, public key signing, and so on. We thought we might see a noticeable uptake in DNSSEC adoption this year, but we saw only 45 DNSSEC records out of a million sample. Last year we saw 44."
The survey also highlighted that the number of insecure Microsoft DNS Server systems connected to the internet has dropped from 2.7 percent of the total to 0.17 percent. Liu noted that these systems could well still be in use inside organisations, but said the important thing is that "people are shying away from connecting them to the internet".
Looking forward, Liu said that only organisations with a specific need for open recursive DNS servers - and the technical ability to keep them from being flooded - should run them.
"I would love to see the percentage of open recursive servers go down, because even if they're patched they make great amplifiers for denial-of-service attacks," he said. "We can't get rid of recursive servers, but you don't have to allow just anyone to use them."