New findings by researchers at the Georgia Institute of Technology and Google on a malicious DNS-related attack have stirred some debate over whether open recursive DNS servers are inherently insecure.

DNS servers basically translate domain names, like, into IP addresses so that computers can find one another. Recursive DNS servers respond to DNS lookup requests from any machine on the Internet. The researchers found an increase in corrupted DNS servers that send clients to malicious sites, and concluded that the large number of open recursive DNS servers on the Net could ultimately be compromised and used as part of a malicious DNS infrastructure that routes users to phishing sites and other bad places.

But David Ulevitch, CEO of OpenDNS, which offers a free open recursive DNS service, says the report is flawed because it points the finger only at open recursive DNS servers. (Closed recursive servers are only accessible to users on a specific network.) "The data they collected may have been accurate, but their interpretations of it are as far off base as you can get," Ulevitch says. "They drew the conclusions that open recursive names servers on the Net are enabling a new form of phishing. That’s wrong."

Ulevitch argues that some DNS name servers on the Net indeed do get compromised and provide malicious results to users. But it’s not just the open recursive DNS servers: "All they [the researchers] were able to test were the open ones," Ulevitch says. "[But] being open has nothing to do with being compromised. Any name server can be compromised."

The new form of DNS threat is dubbed "DNS resolution path corruption" by the researchers: David Dagon, Chris Lee, and Wenke Lee of Georgia Tech and Google’s Niels Provos. They will present their findings in February at the Network and Distributed System Security Symposium (NDSS) in San Diego.

The researchers found somewhere around 17 million open-recursive DNS servers on the Net, and discovered that about .4 percent, or 68,000 of them, are performing malicious operations by answering DNS queries with false information that sends them to malicious sites. About 2 percent are returning suspicious results, they reported.

But even legitimate open recursive servers can sometimes appear to be acting unusually or maliciously, security experts say.

One such example is OpenDNS’s servers, which correct fat-fingering mistakes from sending a user to a typo-squatter’s site as well as block unwanted sites. "The problem is that they [the researchers] are referring to those changes in DNS responses as malicious. We are blocking adult and phishing sites," OpenDNS’s Ulevitch says.

In this type of attack, the client machine first would get infected via a tainted Website or by clicking on a malicious attachment that runs an exploit, according to the researchers. The user’s machine would then be directed to visit the bad guy’s DNS server, and the attacker could direct the victim to some correct Websites so as not to arouse suspicion, as well as phishing sites, for instance.

Such an attack could help a botmaster consolidate his bot assets more easily and quietly, says Bill Guerry, vice president of product management for Damballa, the company Dagon and Wenke co-founded. Guerry noted that the new research is not Damballa’s, but that of the Georgia Tech and Google researchers.

"All of this is very real," says Paul Parisi, CTO for, which has filed for a patent for a new technology that could help detect online fraud before it actually occurs by checking a user’s DNS settings
They [the researchers] are basically saying that by a bot or some other means, a user’s DNS settings get changed," he says.’s new technology would detect that a user’s DNS settings had been changed, and alert him, Parisi says.

Meanwhile, misconfigured Internet-facing DNS servers are a common problem. A recent survey conducted by DNS vendor Infoblox and The Measurement Factory found that organizations aren’t properly configuring their DNS servers for security. Recursive queries and zone transfers — two features that can be exploited by an attacker — are allowed by more than half of the servers and 31 percent, respectively.