CZ.NIC and SIS - Czech DNS servers are not adequately secure

Aug. 29, 2011

[Press Release] Workers on the security team of CSIRT.CZ, which is operated by the CZ.NIC association, uncovered approximately 1,500 DNS servers with a very low security level during an analysis of DNS operational data in the Czech Republic.


Prague, 29 August 2011 – Workers on the security team of CSIRT.CZ, which is operated by the CZ.NIC association, the administrator of .CZ domains, uncovered approximately 1,500 DNS servers with a very low security level during an analysis of DNS operational data in the Czech Republic. In the event of an attack, the users of these servers could be, for example, redirected to fraudulent websites and lose their login information, emails and other sensitive data. The cause of the weak security is a lack of basic security measures – random ports for outgoing queries. This enables attackers to successfully strike the server in a matter of seconds. Under a project created and implemented in cooperation with SIS, CZ.NIC will warn .CZ domain holders this problem concerns in a letter. The relevant state authorities will be contacted by specialists from the Security Information Service team.

The DNS system is one of the basic pillars of the Internet, one that the global computer network could hardly function without. Servers that do not use source port randomization for outgoing queries are exposed to a high risk of attack on the server's data buffer.

"We are currently sending warning letters to the first group of specific domain holders identified during a .CZ domain security campaign as having a low level of security on the DNS servers they utilize. The risk of attack is immediately reduced significantly by updating the DNS servers and securing them with DNSSEC technology. These warning letters also include an offer for special DNS and DNSSEC training courses intended mainly for ICT infrastructure administrators. Interested parties can find information on these courses on our Academy's website," explained Martin Peterka, head of the CSIRT.CZ security team.

Today's technology is able to provide a very high level of security for DNS servers. Port randomization for outgoing queries can only be achieved by updating the operator's software or by means of the proper configuration of servers and other network equipment.