Jake Paul vs. Ben Askren fight memes LG G1 OLED TV review SpaceX to send Artemis astronauts to moon Game of Thrones at 10 Apple's April 20 iPad event Child tax credit's monthly check

Another side to the DNS problem for Web site owners

If you run a Web site, there is more than one issue with the DNS problem you need to be aware of.

The discussion to date about the latest DNS problem has been from the point of view of an end user, someone browsing Web sites. But there is another aspect to the DNS problem, one that concerns owners of Web sites.

This is discussed in a report from the IANA (Internet Assigned Numbers Authority), called Frequently Asked Questions on Cache Poisoning and Cross Pollination. The topic is a bit nerdy, so I'll try to explain it simply.

Some DNS server computers talk to you and me, while others talk to their fellow DNS servers. The DNS servers run by your ISP or by OpenDNS answer queries from Internet users, converting the name of computers into their underlying IP address (for more, see "What you need to know about the latest DNS flaw"). These are called "resolving" or "recursive" DNS servers.

When a resolving/recursive DNS server doesn't know the IP address for a given domain, it asks other DNS servers for help. The ultimate authority for translating a particular domain name into an IP address lies with the "authoritative" DNS servers for that domain. If, for example, a Web site is hosted with a Web site hosting company, the hosting company is responsible for running the authoritative DNS servers for all the sites they host.

Web site owners need to be concerned because the current bug in DNS only applies to resolving/recursive DNS servers, not to authoritative DNS servers. This is good news, but only if the authoritative DNS server is only being used as an authoritative source. If it is also being used to do resolving, then it can be hacked (often referred to as "poisoning").

Poisoning the DNS servers run by Comcast, for example, would affect all Comcast users who haven't switched to OpenDNS. Poisoning the authoritative DNS server for a domain affects the entire world. The patches for the DNS bug make it harder, but not impossible to poison DNS servers.

Fortunately, IANA has a very simple test that reports whether the authoritative DNS servers for a particular domain are configured to only do authoritative work (a good thing) or whether they also do resolving work.

The test is available at recursive.iana.org (see above). It is fairly self-explanatory. In the results, "Not recursive" is a good thing. Click here for a full-size screenshot of the test results.

Anyone involved in creating a Web site should run this test.

Thanks to Larry Seltzer for mentioning this in his blog, finding this report on the IANA Web site is all but impossible.
See a summary of all my Defensive Computing postings.