Another side to the DNS problem for Web site owners
If you run a Web site, there is more than one issue with the DNS problem you need to be aware of.
The discussion to date about the latest DNS problem has been from the point of view of an end user, someone browsing Web sites. But there is another aspect to the DNS problem, one that concerns owners of Web sites.
This is discussed in a report from the IANA (Internet Assigned Numbers Authority), called Frequently Asked Questions on Cache Poisoning and Cross Pollination. The topic is a bit nerdy, so I'll try to explain it simply.
Some DNS server computers talk to you and me, while others talk to their fellow DNS servers. The DNS servers run by your ISP answer queries from Internet users, converting the names of computers into their underlying IP addresses. These are called "resolving" or "recursive" DNS servers.
When a resolving/recursive DNS server doesn't know the IP address for a given domain, it asks other DNS servers for help. The ultimate authority for translating a particular domain name into an IP address lies with the "authoritative" DNS servers for that domain. If, for example, a Web site is hosted with a Web site hosting company, the hosting company is responsible for running the authoritative DNS servers for all the sites they host.
Web site owners need to be concerned because the current bug in DNS only applies to resolving/recursive DNS servers, not to authoritative DNS servers. This is good news, but only if the authoritative DNS server is only being used as an authoritative source. If it is also being used to do resolving, then it can be hacked (often referred to as "poisoning").
Poisoning the DNS servers run by Comcast, for example, would affect all Comcast users who haven't switched to OpenDNS. Poisoning the authoritative DNS server for a domain affects the entire world. The patches for the DNS bug make it harder, but not impossible, to poison DNS servers.
Fortunately, IANA has a very simple test that reports whether the authoritative DNS servers for a particular domain are configured to only do authoritative work (a good thing) or whether they also do resolving work.
Anyone involved in creating a Web site should run this test.
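For site owners who want to see what such a check looks at, here is an added sketch (not IANA's test and not code from the report) that sends one query with the "recursion desired" bit set to a name server and reads the "recursion available" bit in the reply. The function names, the sample replies and the choice of probe name are assumptions made for this illustration.

```python
import secrets
import socket
import struct

# DNS header flag bits (RFC 1035)
QR, RD, RA = 0x8000, 0x0100, 0x0080

def build_query(name, txid):
    """Build a DNS A query for `name` with RD (recursion desired) set."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def classify_response(data, txid):
    """Classify a reply by its RA (recursion available) bit."""
    if len(data) < 12:
        raise ValueError("short DNS response")
    rid, flags = struct.unpack("!HH", data[:4])
    if rid != txid or not flags & QR:
        raise ValueError("not a response to our query")
    # RA set: the server is willing to resolve for this client.
    return "offers-recursion" if flags & RA else "authoritative-only"

def check_server(server_ip, probe_name, timeout=3.0):
    """Query one of your own name servers over UDP and classify the reply."""
    txid = secrets.randbelow(1 << 16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(probe_name, txid), (server_ip, 53))
        data, _ = s.recvfrom(4096)
    return classify_response(data, txid)

# Constructed sample replies (headers only) for offline use:
# an authoritative-only server refusing the query (RCODE 5, RA clear) ...
SAMPLE_AUTH_ONLY = struct.pack("!HHHHHH", 0x1234, QR | RD | 5, 1, 0, 0, 0)
# ... and a server that also resolves (RA set, one answer).
SAMPLE_RECURSIVE = struct.pack("!HHHHHH", 0x1234, QR | RD | RA, 1, 1, 0, 0)
```

Run `check_server` from outside your own network against each authoritative server for your domain, using a probe name the server does not host; a result of "offers-recursion" means the server is also doing resolving work.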