Another side to the DNS problem for Web site owners

If you run a Web site, there is more than one issue with the DNS problem you need to be aware of.

Michael Horowitz
Michael Horowitz

Michael Horowitz wrote his first computer program in 1973 and has been a computer nerd ever since. He spent more than 20 years working in an IBM mainframe (MVS) environment. He has worked in the research and development group of a large Wall Street financial company, and has been a technical writer for a mainframe software company.

He teaches a large range of self-developed classes, the underlying theme being Defensive Computing. Michael is an independent computer consultant, working with small businesses and the self-employed. He can be heard weekly on The Personal Computer Show on WBAI.


2 min read

The discussion to date about the latest DNS problem has been from the point of view of an end user, someone browsing Web sites. But there is another aspect to the DNS problem, one that concerns owners of Web sites.

This is discussed in a report from the IANA (Internet Assigned Numbers Authority), called Frequently Asked Questions on Cache Poisoning and Cross Pollination. The topic is a bit nerdy, so I'll try to explain it simply.

Some DNS server computers talk to you and me, while others talk to their fellow DNS servers. The DNS servers run by your ISP or by OpenDNS answer queries from Internet users, converting the name of computers into their underlying IP address (for more, see "What you need to know about the latest DNS flaw"). These are called "resolving" or "recursive" DNS servers.

When a resolving/recursive DNS server doesn't know the IP address for a given domain, it asks other DNS servers for help. The ultimate authority for translating a particular domain name into an IP address lies with the "authoritative" DNS servers for that domain. If, for example, a Web site is hosted with a Web site hosting company, the hosting company is responsible for running the authoritative DNS servers for all the sites they host.

Web site owners need to be concerned because the current bug in DNS only applies to resolving/recursive DNS servers, not to authoritative DNS servers. This is good news, but only if the authoritative DNS server is only being used as an authoritative source. If it is also being used to do resolving, then it can be hacked (often referred to as "poisoning").

Poisoning the DNS servers run by Comcast, for example, would affect all Comcast users who haven't switched to OpenDNS. Poisoning the authoritative DNS server for a domain affects the entire world. The patches for the DNS bug make it harder, but not impossible to poison DNS servers.

Fortunately, IANA has a very simple test that reports whether the authoritative DNS servers for a particular domain are configured to only do authoritative work (a good thing) or whether they also do resolving work.

The test is available at recursive.iana.org (see above). It is fairly self-explanatory. In the results, "Not recursive" is a good thing. Click here for a full-size screenshot of the test results.

Anyone involved in creating a Web site should run this test.

Thanks to Larry Seltzer for mentioning this in his blog, finding this report on the IANA Web site is all but impossible.
See a summary of all my Defensive Computing postings.