About 75 percent of Domain Name System (DNS) servers in Australia and New Zealand are vulnerable to denial-of-service attacks, and 55 percent could be compromised at root level, according to Sydney-based security consultancy DeMorgan, which says the figures represent a considerable risk to many Web sites.

DeMorgan scanned every DNS server in the region, a little over 8,500 systems, and found that most of the vulnerabilities were due to sheer laziness. Most can be fixed with a free software patch, but organisations have neglected the task for years, company founder and CIO Craig Wright told ZDNet Australia.

Wright said he was shocked by the volume of vulnerabilities. "We expected to find maybe 25 or 30 percent of DNS systems vulnerable. Instead we found over 80,000 domains at risk, including those run by government departments and large corporations." In some cases, a missing patch can let an intruder gain shell-level access to the system, Wright said.

DNS is the mechanism that translates domain names into IP (Internet Protocol) addresses; it is fundamental to how Internet users reach Web sites. One threat to a vulnerable DNS server is that a hijacker could point a site's DNS records at a proxy server, capture sensitive information, then relay the traffic on to the genuine server so that the interception goes unnoticed. "We know for a fact it has been done in Australia, but our clients don't want people to know about it," Wright said.

Insecure DNS servers also threaten sites other than the ones they serve, according to Wright. For example, "if you compromise a site with a particular host name, that in turn can be used to compromise trust relationships. Some government and commercial sites base their security on host authentication. It's not good practice, but people do it." "There are a lot of hosted sites out there relying on ISPs," and therefore on the DNS servers those ISPs run.
DeMorgan's staff of 18 conducted the audit over the weekend, after notifying some ISPs and the Australian Federal Police about the scan. The company today issued a report 'DNS Security in Australia' based on the experiment, and urged organisations to update vulnerable versions of DNS software immediately and to make sure systems are properly configured. "All it takes to fix the situation is to download a free patch and use it. Some companies haven't patched their systems in six years," Wright said. "We're not trying to flog encryption or sell software. It's in our constitution that if we sell software we make only AU$13.50 mark-up on it."