DNS servers wide open to attack

One in four still unpatched

By Nick Farrell in Rome @ Tuesday, November 11, 2008 10:36 AM

More than one in four DNS servers on the public Internet still have not been brought up to date against the recently discovered Kaminsky vulnerability and the DNS cache poisoning attacks it makes practical.

Infoblox announced the results of its fourth annual survey of domain name servers on the public Internet and found that many organisations are still leaving their DNS systems open to attack.

Cricket Liu, Vice President of Architecture at Infoblox, said that even if an enterprise has gone to the trouble of patching against the Kaminsky vulnerability, there are many other aspects of configuration, such as recursion and open zone transfers, that should also be secured.

He said organisations were locking the door of the house but leaving the windows wide open by not fixing such flaws.

Liu added that organisations clearly need to pay more attention to configurations and deployment architectures that are leaving their DNS infrastructures vulnerable to attacks and outages.

The survey showed that 90% of name servers running BIND run one of the most recent versions of BIND 9. A small but significant number of administrators continue to run older versions of BIND on Internet-facing name servers, putting their organisations at risk. More worrying, one in four DNS servers does not perform source port randomisation, which is the actual fix for the Kaminsky vulnerability; those servers remain highly vulnerable to cache poisoning. Source port randomisation is a property of the resolver's behaviour as seen on the wire, not of the installed version: a patched resolver behind a NAT device that rewrites outbound queries to a single fixed source port is still exposed.

More than 40% of Internet name servers allow recursive queries from any client, making them open resolvers. These are a danger both to themselves and to others: an open resolver gives an attacker unlimited attempts at cache poisoning, and it can be used to reflect and amplify traffic in Distributed Denial of Service attacks against third parties.

The survey found that 30% of DNS servers allow zone transfers to arbitrary requestors, which makes them easy targets for denial-of-service attacks; a full zone transfer also hands an attacker a complete list of the organisation's hostnames and addresses to work from.
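The three configuration checks the survey reports on (source port randomisation, open recursion and open zone transfers) can be verified from the outside with nothing more than raw DNS packets. The following is an added example, not code from ITExaminer or Infoblox: it builds the queries in DNS wire format, decides each finding from the response header, and includes constructed sample responses and port lists (labelled as such, with placeholder names and TEST-NET addresses) so the decision logic runs offline. The `live_check` function sends the same probes over the network and should only be pointed at servers you are authorised to test.

```python
# Added example (not from the ITExaminer article or from Infoblox): stdlib-only
# audit helpers for the three survey findings. Packet builders produce real DNS
# wire format; the sample responses and port lists below are constructed so the
# checks run offline. Hostnames, addresses and ports are placeholders.
import socket
import struct

RCODE_NOERROR, RCODE_REFUSED = 0, 5
TYPE_A, TYPE_SOA, TYPE_AXFR, CLASS_IN = 1, 6, 252, 1

def encode_name(qname):
    """Wire-encode a dotted name as length-prefixed labels plus the root label."""
    labels = [l for l in qname.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(qname, qtype, qid=0x1234, rd=True):
    """Header (ID, flags, QDCOUNT=1) followed by one question. RD=1 asks for recursion."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)

def parse_header(resp):
    """Header fields the audit needs: ID, QR, AA, RA, RCODE and ANCOUNT."""
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return {"id": qid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "ra": bool(flags & 0x0080), "rcode": flags & 0x000F, "ancount": an}

def _answered_with_records(resp, qid):
    h = parse_header(resp)
    return h["id"] == qid and h["qr"] and h["rcode"] == RCODE_NOERROR and h["ancount"] > 0

def is_open_resolver(resp, qid=0x1234):
    """Open recursion: records came back for an RD query on a name the server is
    not authoritative for. RA alone is only an advertisement; REFUSED or an
    empty answer means recursion is closed to this client."""
    return _answered_with_records(resp, qid) and not parse_header(resp)["aa"]

def allows_zone_transfer(resp, qid=0x1234):
    """Open AXFR: a NOERROR answer carrying records (SOA ... SOA). REFUSED is the
    locked-down case (allow-transfer or equivalent)."""
    return _answered_with_records(resp, qid)

def source_ports_randomised(ports, min_distinct=None):
    """Kaminsky check from the authoritative side: source ports seen on a run of
    queries from one resolver should be nearly all distinct. A single fixed
    port (pre-patch behaviour, or a NAT rewriting ports) fails."""
    ports = list(ports)
    if len(ports) < 2:
        raise ValueError("need several observed queries from the resolver")
    threshold = min_distinct if min_distinct is not None else max(2, int(0.8 * len(ports)))
    return len(set(ports)) >= threshold

def live_check(server, qname="example.com.", timeout=3.0):
    """Network version: UDP for the recursion probe, TCP (2-byte length prefix)
    for AXFR. Use only against servers you are authorised to test."""
    q = build_query(qname, TYPE_A)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        udp_resp = s.recv(4096)
    q = build_query(qname, TYPE_AXFR)
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(q)) + q)
        length = struct.unpack("!H", s.recv(2))[0]
        tcp_resp = b""
        while len(tcp_resp) < length:
            chunk = s.recv(length - len(tcp_resp))
            if not chunk:
                break
            tcp_resp += chunk
    return is_open_resolver(udp_resp), allows_zone_transfer(tcp_resp)

# --- Constructed sample responses (not captured from any real server) ---
QUESTION = encode_name("example.com.") + struct.pack("!HH", TYPE_A, CLASS_IN)
# QR|RD|RA, NOERROR, one A record (192.0.2.1, TEST-NET) for a name the server
# does not host: the signature of an open resolver.
OPEN_RESOLVER_RESP = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + QUESTION
                      + b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4)
                      + bytes([192, 0, 2, 1]))
# QR|RD, REFUSED, no records: recursion is disabled for this client.
CLOSED_RESOLVER_RESP = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0) + QUESTION

AXFR_QUESTION = encode_name("example.com.") + struct.pack("!HH", TYPE_AXFR, CLASS_IN)
SOA_RDATA = (encode_name("ns1.example.com.") + encode_name("hostmaster.example.com.")
             + struct.pack("!IIIII", 2008111101, 3600, 600, 86400, 300))
SOA_RR = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_SOA, CLASS_IN, 300, len(SOA_RDATA)) + SOA_RDATA
# QR|AA, NOERROR: the opening and closing SOA of a (trivial) transfer.
AXFR_OPEN_RESP = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 2, 0, 0) + AXFR_QUESTION + SOA_RR + SOA_RR
# QR|AA, REFUSED: transfer denied to this client.
AXFR_REFUSED_RESP = struct.pack("!HHHHHH", 0x1234, 0x8405, 1, 0, 0, 0) + AXFR_QUESTION

# Source ports on 20 successive queries, as an authoritative server would log them.
FIXED_PORTS = [32768] * 20   # unpatched resolver: one port for everything
RANDOM_PORTS = [51233, 33819, 60051, 41002, 58723, 36644, 49921, 62147, 40318, 55566,
                34471, 59908, 45135, 61780, 38026, 52449, 57392, 43687, 63210, 35074]
```

The recursion test deliberately ignores the RA flag and looks at whether an off-zone name actually resolved, because many servers advertise RA while refusing recursion to outside clients. The port check can only be made from a name server whose query log you control (or from a public port-test service such as DNS-OARC's), since it is the resolver's outbound ports that must vary, and it is exactly that on-the-wire behaviour that a port-rewriting NAT in front of a patched resolver breaks.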

Copyright 2009 - ITExaminer.com