A report on the patch rate of Austrian nameservers
following the announcement of the DNS cache poisoning vulnerability.
July 24th, 2008
Otmar Lendl and L. Aaron Kaplan
You can download the full document in PDF format.
We also published a short update on July 28th.
This paper analyses the impact of the coordinated efforts to patch Austria's recursive DNS server
infrastructure following Dan Kaminsky's disclosure (US-CERT VU#800113), which showed
that almost all DNS servers on the Internet were vulnerable to DNS cache poisoning. CERT.at --
being run by nic.at, the Austrian domain registry -- is in a special position to assess the
reaction of Austrian nameserver operators to the disclosed DNS vulnerability. We analysed the
rate at which recursive DNS servers were patched from an insecure to a more secure state. The paper discusses
a methodology to measure the patch-level "score" of a recursive DNS server. We believe that this
scoring methodology can be applied to cleanly discern patched from unpatched DNS servers.
We describe a methodology by which a TLD operator can use its query logs to check which operators
have patched their DNS resolvers according to the published advisories.
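The following is an added illustration of the kind of query-log check described above; it is not the CERT.at paper's code, and the log format, the thresholds, the IP addresses and the query data are all constructed for the example. The fix recommended in US-CERT VU#800113 is UDP source port randomisation, so a resolver that keeps sending queries from one fixed source port remains exposed even if its 16-bit transaction IDs look random. Because an authoritative server for a TLD sees the source port of every query a resolver sends it, its query log is enough to score each client IP.

```python
"""Score recursive resolvers seen in an authoritative query log by how well
they randomise UDP source ports.  Added example, not CERT.at's code; the log
format, thresholds and sample data below are assumptions for illustration."""
from collections import defaultdict
from dataclasses import dataclass

MIN_QUERIES = 6       # assumed: fewer observations than this is inconclusive
PATCHED_RATIO = 0.8   # assumed: >= 80 % distinct source ports counts as patched

# Constructed sample log in a hypothetical one-line-per-query format:
#   "<epoch> <client_ip> <client_port> <txid> <qname>"
# 192.0.2.10   fixed port 53, sequential IDs      -> unpatched
# 198.51.100.7 random ports, random IDs           -> patched
# 203.0.113.5  fixed port 32768, random IDs       -> unpatched (port is the tell)
# 203.0.113.77 random ports, only two queries     -> insufficient data
SAMPLE_LOG = """\
1216900000 192.0.2.10 53 4321 www.example.at.
1216900001 192.0.2.10 53 4322 mail.example.at.
1216900002 192.0.2.10 53 4323 ns1.example.at.
1216900003 192.0.2.10 53 4324 www.example.at.
1216900004 192.0.2.10 53 4325 ftp.example.at.
1216900005 192.0.2.10 53 4326 mx.example.at.
1216900000 198.51.100.7 51233 60211 www.example.at.
1216900001 198.51.100.7 18402 3019 mail.example.at.
1216900002 198.51.100.7 44019 48873 ns1.example.at.
1216900003 198.51.100.7 9122 12001 www.example.at.
1216900004 198.51.100.7 60017 299 ftp.example.at.
1216900005 198.51.100.7 27331 55555 mx.example.at.
1216900000 203.0.113.5 32768 17744 www.example.at.
1216900001 203.0.113.5 32768 50312 mail.example.at.
1216900002 203.0.113.5 32768 918 ns1.example.at.
1216900003 203.0.113.5 32768 64001 www.example.at.
1216900004 203.0.113.5 32768 22980 ftp.example.at.
1216900005 203.0.113.5 32768 39127 mx.example.at.
1216900000 203.0.113.77 40211 3333 www.example.at.
1216900001 203.0.113.77 51902 8890 mail.example.at.
"""


@dataclass
class ResolverScore:
    ip: str
    queries: int
    distinct_ports: int
    distinct_txids: int
    verdict: str  # "patched", "unpatched" or "insufficient"

    @property
    def port_ratio(self) -> float:
        """Distinct source ports per query; 1.0 means no port was ever reused."""
        return self.distinct_ports / self.queries


def parse_log(text):
    """Yield (ip, port, txid) for each well-formed line; skip malformed lines."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        _ts, ip, port, txid, _qname = fields
        try:
            yield ip, int(port), int(txid)
        except ValueError:
            continue


def score_resolvers(text):
    """Return {client_ip: ResolverScore} for every client IP in the log."""
    observations = defaultdict(list)
    for ip, port, txid in parse_log(text):
        observations[ip].append((port, txid))

    results = {}
    for ip, obs in observations.items():
        n = len(obs)
        distinct_ports = len({port for port, _ in obs})
        distinct_txids = len({txid for _, txid in obs})
        if n < MIN_QUERIES:
            verdict = "insufficient"
        elif distinct_ports / n >= PATCHED_RATIO:
            verdict = "patched"
        else:
            # Random transaction IDs alone do not help: a 16-bit ID space is what
            # the attack brute-forces, so a fixed source port stays "unpatched".
            verdict = "unpatched"
        results[ip] = ResolverScore(ip, n, distinct_ports, distinct_txids, verdict)
    return results


def summarize(results):
    """Count verdicts across all scored resolver IPs."""
    counts = {"patched": 0, "unpatched": 0, "insufficient": 0}
    for score in results.values():
        counts[score.verdict] += 1
    return counts


if __name__ == "__main__":
    scores = score_resolvers(SAMPLE_LOG)
    for s in sorted(scores.values(), key=lambda s: s.ip):
        print(f"{s.ip:14} queries={s.queries:2} ports={s.distinct_ports:2} "
              f"txids={s.distinct_txids:2} ratio={s.port_ratio:.2f} {s.verdict}")
    print(summarize(scores))
```

Two caveats apply to any such measurement. A resolver behind a NAT device that rewrites source ports can look unpatched even after the upgrade (the NAT undoes the randomisation), and several resolvers behind one NAT address are scored as one; conversely a handful of queries from an IP proves nothing either way, which is why the example refuses a verdict below a minimum sample size. The thresholds here are assumed and would have to be calibrated against resolvers known to be patched.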
The conclusions are rather grim so far -- more than two-thirds of the Austrian Internet's recursive
DNS servers are still unpatched, and at the same time the upgrade adoption rate appears to be slow.
Our findings are matched by the observations of Alexander Klink of Cynops GmbH who analyzed
the results of the online vulnerability test on Dan Kaminsky's doxpara site.
We hereby present the information to the concerned public in the hope that DNS -- a central and
crucial part of the Internet -- remains secure.
Our recommendation to IT system administrators is to update their recursive DNS servers
immediately and check that their upgrades were successful.