Another side to the DNS problem for Web site owners

If you run a Web site, there is more than one issue with the DNS problem you need to be aware of.

The discussion to date about the latest DNS problem has been from the point of view of an end user, someone browsing Web sites. But there is another aspect to the DNS problem, one that concerns owners of Web sites.

This is discussed in a report from the IANA (Internet Assigned Numbers Authority), called Frequently Asked Questions on Cache Poisoning and Cross Pollination. The topic is a bit nerdy, so I'll try to explain it simply.

Some DNS server computers talk to you and me, while others talk to their fellow DNS servers. The DNS servers run by your ISP or by OpenDNS answer queries from Internet users, converting the name of computers into their underlying IP address (for more, see "What you need to know about the latest DNS flaw"). These are called "resolving" or "recursive" DNS servers.

When a resolving/recursive DNS server doesn't know the IP address for a given domain, it asks other DNS servers for help. The ultimate authority for translating a particular domain name into an IP address lies with the "authoritative" DNS servers for that domain. If, for example, a Web site is hosted with a Web site hosting company, the hosting company is responsible for running the authoritative DNS servers for all the sites they host.

Web site owners need to be concerned because the current DNS bug applies only to resolving/recursive DNS servers, not to authoritative ones. That is good news, but only if the authoritative DNS server is used purely as an authoritative source. If it also does resolving, it can be hacked (often referred to as cache "poisoning").

Poisoning the DNS servers run by Comcast, for example, would affect all Comcast users who haven't switched to OpenDNS. Poisoning the authoritative DNS server for a domain affects the entire world. The patches for the DNS bug make it harder, but not impossible, to poison DNS servers.

Fortunately, IANA has a very simple test that reports whether the authoritative DNS servers for a particular domain are configured to only do authoritative work (a good thing) or whether they also do resolving work.

The test is available at recursive.iana.org. It is fairly self-explanatory: enter the domain name, and in the results "Not recursive" next to each authoritative server is a good thing.

Anyone involved in creating a Web site should run this test.
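The check recursive.iana.org performs, as an added example (not the article's or IANA's code) that a domain owner can run from their own side: send each authoritative server a query with "recursion desired" set for a name it does not host, and see whether the reply has "recursion available" set and carries an answer. The server address and the queried name are placeholders.

```python
import random
import socket
import struct

# Added example, not from the article or from IANA. DNS header layout per RFC 1035 4.1.1:
# flags word bits used here are RD (recursion desired) and RA (recursion available).
FLAG_RD, FLAG_RA, RCODE_MASK = 0x0100, 0x0080, 0x000F

def build_query(qname, txid=0x1234):
    """Minimal DNS A/IN query with RD=1, i.e. what a resolver would send."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.strip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def classify_response(resp, expected_txid=None):
    """Return 'recursive' or 'not recursive' from a DNS response header."""
    if len(resp) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if expected_txid is not None and txid != expected_txid:
        raise ValueError("transaction ID mismatch; ignore this reply")
    recursion_available = bool(flags & FLAG_RA)
    rcode = flags & RCODE_MASK
    # An authoritative-only server leaves RA clear and usually answers REFUSED (rcode 5).
    # A server that also resolves sets RA and returns records for a name it does not host.
    if recursion_available and rcode == 0 and ancount > 0:
        return "recursive"
    return "not recursive"

def probe(server_ip, qname="www.example.com", timeout=3.0):
    """Send one query over UDP to an authoritative server and classify its reply."""
    txid = random.getrandbits(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(qname, txid), (server_ip, 53))
        resp, _ = sock.recvfrom(512)
    return classify_response(resp, expected_txid=txid)

if __name__ == "__main__":
    # Replace with the IP addresses of your domain's authoritative name servers
    # (192.0.2.1 is a documentation address, not a real server).
    for ns in ["192.0.2.1"]:
        print(ns, probe(ns))
```

A timeout rather than a reply usually means the server drops out-of-zone queries, which is also fine; only "recursive" is the result to fix.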

Thanks to Larry Seltzer for mentioning this in his blog; finding this report on the IANA Web site is all but impossible.
