Bound by Tradition: A Sampling of the Security Posture of the Internet's DNS Servers

DNS servers across the Internet running BIND are not up to date with security patches and software updates. As a result, a significant fraction of the Internet's DNS servers is vulnerable to compromise, subversion, denial of service, and general misuse. Considering that DNS is the lynchpin of the corporate enterprise, the impact of these vulnerabilities is significant and a successful attack could bring down any online business.

Mike Schiffman

Bound by Tradition

My favorite response the paper has provoked

"...Having participated in an audit of BIND9 I think the bigger problem with it in terms of coding methodology was due to several people repeating efforts. The internal assert mechanism (their REQUIRE stuff) is done in no less than two ways, possibly four (I forget, I shoved this crap out of my mind as fast as possible). They redid getopt(). They redid a large amount of the inet* routines in the BSD C library. etc etc etc... Sure, some of this is for consistency and cross platform compatability, but some of this is sheer idiocy.

The authors of BIND, all versions, need to be paraded through the streets on their way to prison for crimes against humanity. I'm surprised their funding hasn't been revoked yet..."

- anonymous

Raw Data

• Scan totals [text] [gzip]

• Initial server list with country information [text] [gzip]

• Complete list of responses (initial responses are whitespace) [text] [gzip]

• Aggregated responses [text] [gzip]

• Aggregated BIND server responses [text] [gzip]

• Simplified BIND server responses [text] [gzip]

Charted Data

• BIND lines of source per version:

• BIND vulnerabilities per version:

• BIND lines of source per version with vulnerabilities:

• Overall Chaos class scanning results:

• BIND server distribution across the Internet:

• BIND server distribution across the Internet with vulnerabilities:

Back to Papers