Over 50% of the Internet's DNS Servers are Vulnerable and Misconfigured
Tuesday, October 10, 2006 at 5:44PM

BIND 9, one of the core technologies behind DNS servers, has recursive lookups enabled by default. This means the DNS server will query other servers on a client's behalf to find the answer to a lookup. Recursion should only be enabled where network administrators have complete control over who can reach the server, i.e. corporate networks serving internal services and internal domains.
On the public Internet, open recursive lookups give attackers the opening for large-scale cache poisoning attacks. By compromising a single machine and then interfering with the recursive lookup, an attacker can exploit this to mount man-in-the-middle attacks at scale.
The article, available here, describes the growing reliance on BIND 9 over BIND 8 and how that shift has increased exposure. What is even more worrying about this piece is how little work it takes to correct the problem.
DNS Administrators, get to work!
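The correction the post is pointing at, shown as an added example rather than anything taken from the linked article: a BIND 9 `named.conf` that serves recursion to the whole Internet, beside one that restricts it to the administrator's own networks. The two `options` blocks are alternative files, not one config; the `trusted` ACL name and the 10.0.0.0/8 and 192.0.2.0/24 ranges are assumed placeholders for your own address space.

```conf
// --- File A (weak): recursion is on, which is the BIND 9 default, and
// nothing limits who may use it, so this host is an open resolver for
// every client on the Internet.
options {
    directory "/var/named";
    recursion yes;
};

// --- File B (corrected): name the networks you control and grant recursion
// only to them. Clients outside the ACL still receive authoritative answers
// for zones this server hosts, but cannot use it as a resolver.
acl "trusted" {
    localhost;        // built-in ACL: the server's own addresses
    localnets;        // built-in ACL: networks directly attached to the server
    10.0.0.0/8;       // placeholder: your internal range
    192.0.2.0/24;     // placeholder: your office or DMZ range
};

options {
    directory "/var/named";
    recursion yes;
    allow-recursion { "trusted"; };
};

// A server that only hosts public zones needs no recursion at all; in that
// case replace the two lines above with:
//     recursion no;
```

After reloading, a query sent from an address outside the ACL for a name the server is not authoritative for should no longer be answered recursively; `dig @<server> <external-name>` from such an address should show no `ra` flag in the response header.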