In working with many online merchants that accept credit card payments online, it has come to my attention that GoDaddy DNS servers are not PCI compliant, and they also fail PCI compliance tests on several different levels. The GoDaddy DNS servers failed the DNS Amplification Denial of Service test as conducted by TrustKeeper. I’ve included the specifics of the test results and failure message below.

DNS Amplification Denial of Service

The DNS server answers all queries, providing additional delegation information to arbitrary IP addresses. It is possible to send a query for the root zone (.) to the DNS server, and get an answer that is much larger than the query (often more than 20 times in size). An attacker could spoof the source IP address of the query, causing the DNS server to respond to the source IP with the larger answer. An attacker could focus these answers on a single target, resulting in a Denial of Service for that IP. Additionally, the amplification attack represents a risk to the DNS server in the form of Denial of Service. The server would have reduced ability to respond to legitimate DNS queries due to consumed system resources and higher network traffic levels. Verification of this must be done from a host that is not on the network/intranet of the DNS server. Command to verify from a UNIX based system: ‘dig -t NS . @IP.OF.DNS.SERVER’ or ‘host -v -t NS . IP.OF.DNS.SERVER’. On Windows, run ‘nslookup -type=NS . IP.OF.DNS.SERVER’. If the response received includes answer and additional sections that list a number of hosts (often on ‘root-servers.net’), then the system is vulnerable. The SANS Internet Storm Center has also provided an online tool to verify this issue (see the link to sans.org in the references).
Note: Vulnerabilities which result only in denial of service do not affect PCI compliance; however, they may still be critical to your systems.

Service: -
CVE: CVE-2006-0988, CVE-2006-0987
NVD: CVE-2006-0988, CVE-2006-0987
Reference: http://www.isotf.org/news/DNS-Amplification-Attacks.pdf
Reference: http://isc.sans.org/dnstest.html
Reference: http://isc.sans.org/diary.html?storyid=5713
Reference: http://www.nabble.com/ISC-BIND-Amplification-Attacktd21670165.html
Reference: http://zytrax.com/books/dns/ch7/
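
The verification step in the finding above (an NS query for the root zone, then a look at the answer and additional sections) can be scripted so that the size ratio is measured as well. This is an added example, not part of the TrustKeeper report or the original post; the function names and the two sample responses are constructed for illustration, and `ask` is meant for a DNS server you operate, run from a host outside its network.

```python
import socket
import struct

ROOT_NS_QUESTION = b"\x00" + struct.pack("!HH", 2, 1)  # name ".", QTYPE=NS, QCLASS=IN

def build_query(txid=0x1234):
    # Header: id, flags (RD set), QDCOUNT=1, no other records.
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + ROOT_NS_QUESTION

def assess(query, response):
    """Apply the check from the finding to one raw DNS response."""
    if len(response) < 12:
        raise ValueError("short DNS header")
    txid, flags, _qd, an, _ns, ar = struct.unpack("!HHHHHH", response[:12])
    if txid != struct.unpack("!H", query[:2])[0] or not flags & 0x8000:
        raise ValueError("not a response to this query")
    rcode = flags & 0x000F
    return {
        "rcode": rcode,
        "answers": an,
        "additional": ar,
        "ratio": round(len(response) / len(query), 1),
        # Criterion from the finding: answer and additional sections are populated.
        "matches_finding": rcode == 0 and an > 0 and ar > 0,
    }

def ask(server_ip, timeout=3.0):
    """Send the query to a DNS server you operate, from an outside host."""
    query = build_query()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server_ip, 53))
        return assess(query, s.recv(4096))

def rr(name, rtype, rdata):
    return name + struct.pack("!HHIH", rtype, 1, 3600, len(rdata)) + rdata

def constructed_open_response(query):
    # Constructed sample: 13 root NS answers plus 2 glue A records (192.0.2.x).
    hosts = [bytes([1, c]) + b"\x0croot-servers\x03net\x00" for c in b"abcdefghijklm"]
    body = b"".join(rr(b"\x00", 2, h) for h in hosts)
    body += b"".join(rr(h, 1, bytes([192, 0, 2, i + 1])) for i, h in enumerate(hosts[:2]))
    return query[:2] + struct.pack("!HHHHH", 0x8180, 1, 13, 0, 2) + ROOT_NS_QUESTION + body

def constructed_refused_response(query):
    # Constructed sample: server refuses the query (RCODE 5) and echoes the question.
    return query[:2] + struct.pack("!HHHHH", 0x8105, 1, 0, 0, 0) + ROOT_NS_QUESTION
```

On the constructed samples, the open response is 488 bytes against a 17-byte query, while the refused response is the same size as the query.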