Patching Nameservers: Austria reacts to VU#800113
A report on the patch rate of Austrian nameservers following the announcement of the DNS cache poisoning vulnerability.
July 24th, 2008
Otmar Lendl and L. Aaron Kaplan
You can download the full document in pdf format here.
We also published a short update on July 28th.
This paper analyses the impact of the coordinated efforts to patch Austria's recursive DNS server infrastructure following Dan Kaminsky's disclosure (US-CERT VU#800113), which showed that almost all DNS servers on the Internet are vulnerable to DNS cache poisoning. CERT.at -- being run by nic.at, the Austrian domain registry -- is in a special position to assess the reaction of Austrian nameserver operators to the discovered DNS vulnerability. We analyzed the rate at which DNS servers were patched from an insecure to a more secure state. The paper discusses a methodology for measuring the patch level "score" of a recursive DNS server. We believe that this score methodology can be applied to cleanly discern patched from unpatched DNS servers.
We describe a methodology by which a TLD operator can use its query logs to check which operators have patched their DNS resolvers according to the published advisories.
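As an added illustration of the kind of query-log check described above (example code written for this page, not the scoring method from the CERT.at paper, whose exact criteria are not reproduced here): the mitigation published for VU#800113 is UDP source-port randomisation, so one signal visible in an authoritative server's query log is how many distinct source ports a given resolver uses. The log format, the scoring thresholds and the sample resolver addresses below are constructed for the example.

```python
"""
Added example (not from the CERT.at paper): score recursive resolvers by the
source-port diversity of the queries they send to an authoritative server.
The VU#800113 mitigation is source-port randomisation, so a patched resolver
should spread its queries over many UDP source ports, while an unpatched one
reuses a single port or walks through a predictable sequential range.
The log format, the thresholds and the sample lines are constructed.
"""
from collections import defaultdict
import math

# Constructed log lines: "<timestamp> <resolver_ip> <src_port> <txid> <qname>"
SAMPLE_LOG = """\
1216900000 198.51.100.10 53 41123 example.at.
1216900001 198.51.100.10 53 41124 mail.example.at.
1216900002 198.51.100.10 53 41125 www.example.at.
1216900003 198.51.100.10 53 41126 ns1.example.at.
1216900004 198.51.100.10 53 41127 ftp.example.at.
1216900000 203.0.113.7 54012 9211 example.at.
1216900001 203.0.113.7 18831 60122 mail.example.at.
1216900002 203.0.113.7 61904 3188 www.example.at.
1216900003 203.0.113.7 37715 52811 ns1.example.at.
1216900004 203.0.113.7 2244 17094 ftp.example.at.
1216900000 192.0.2.99 32768 100 example.at.
1216900001 192.0.2.99 32769 101 www.example.at.
1216900002 192.0.2.99 32770 102 mail.example.at.
1216900003 192.0.2.99 32771 103 ns1.example.at.
1216900004 192.0.2.99 32772 104 ftp.example.at.
1216900000 192.0.2.200 40001 7 example.at.
1216900001 192.0.2.200 40002 8 www.example.at.
"""


def parse_log(text):
    """Group (src_port, txid) observations per resolver IP, in log order."""
    per_resolver = defaultdict(list)
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        _ts, ip, port, txid, _qname = line.split()
        per_resolver[ip].append((int(port), int(txid)))
    return per_resolver


def entropy_bits(values):
    """Shannon entropy (bits) of the observed value distribution."""
    counts = defaultdict(int)
    for v in values:
        counts[v] += 1
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def score_resolver(observations, min_queries=5):
    """
    Score one resolver from its (src_port, txid) observations.
    distinct_ratio: fraction of queries whose port was not reused.
    sequential: ports form a strictly increasing +1 run (a fresh socket per
                query without randomisation, still predictable).
    verdict: "patched", "unpatched" or "insufficient data".
    """
    ports = [p for p, _ in observations]
    n = len(ports)
    if n < min_queries:
        # Too few samples to say anything about port randomisation.
        return {"queries": n, "verdict": "insufficient data"}
    distinct_ratio = len(set(ports)) / n
    sequential = all(b - a == 1 for a, b in zip(ports, ports[1:]))
    patched = distinct_ratio >= 0.8 and not sequential
    return {
        "queries": n,
        "distinct_ratio": round(distinct_ratio, 2),
        "port_entropy_bits": round(entropy_bits(ports), 2),
        "sequential": sequential,
        "verdict": "patched" if patched else "unpatched",
    }


def score_log(text):
    """Return {resolver_ip: score dict} for every resolver seen in the log."""
    return {ip: score_resolver(obs) for ip, obs in parse_log(text).items()}


if __name__ == "__main__":
    for ip, result in score_log(SAMPLE_LOG).items():
        print(ip, result)
```

One caveat worth keeping in mind when reading such scores: a resolver that sits behind a NAT device which rewrites outgoing source ports can look unpatched in the authoritative server's logs even after the software upgrade, so a low score is a reason to check the resolver's actual outbound ports rather than a final verdict.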
The conclusions are rather grim so far -- more than two thirds of the Austrian Internet's recursive DNS servers are unpatched while at the same time the upgrade adoption rate seems rather slow. Our findings are matched by the observations of Alexander Klink of Cynops GmbH who analyzed the results of the online vulnerability test on Dan Kaminsky's doxpara site.
We hereby present the information to the concerned public in the hope that DNS -- a central and crucial part of the Internet -- remains secure.
Our recommendation to IT system administrators is to update their recursive DNS servers immediately and check that their upgrades were successful.