August 13, 2008 10:09 AM PDT

Another side to the DNS problem for Web site owners

by Michael Horowitz

The discussion to date about the latest DNS problem has been from the point of view of an end user, someone browsing Web sites. But there is another aspect to the DNS problem, one that concerns owners of Web sites.

This is discussed in a report from the IANA (Internet Assigned Numbers Authority), called Frequently Asked Questions on Cache Poisoning and Cross Pollination. The topic is a bit nerdy, so I'll try to explain it simply.

Some DNS server computers talk to you and me, while others talk to their fellow DNS servers. The DNS servers run by your ISP or by OpenDNS answer queries from Internet users, converting the name of computers into their underlying IP address (for more, see "What you need to know about the latest DNS flaw"). These are called "resolving" or "recursive" DNS servers.

When a resolving/recursive DNS server doesn't know the IP address for a given domain, it asks other DNS servers for help. The ultimate authority for translating a particular domain name into an IP address lies with the "authoritative" DNS servers for that domain. If, for example, a Web site is hosted with a Web site hosting company, the hosting company is responsible for running the authoritative DNS servers for all the sites they host.

Web site owners need to be concerned because the current bug in DNS applies only to resolving/recursive DNS servers, not to authoritative DNS servers. This is good news, but only if the authoritative DNS server is used solely as an authoritative source. If it is also being used to do resolving, then it can be hacked (often referred to as "poisoning") just like any other resolver.

Poisoning the DNS servers run by Comcast, for example, would affect all Comcast users who haven't switched to OpenDNS. Poisoning the authoritative DNS server for a domain affects the entire world. The patches for the DNS bug make it harder, but not impossible, to poison DNS servers.

Fortunately, IANA has a very simple test that reports whether the authoritative DNS servers for a particular domain are configured to only do authoritative work (a good thing) or whether they also do resolving work.


The test is available at recursive.iana.org. It is fairly self-explanatory: you enter a domain name and it reports on each of that domain's authoritative servers. In the results, "Not recursive" is the good outcome.

Anyone involved in creating a Web site should run this test.
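To make concrete what such a test asks a server, here is an added example of my own (not IANA's tool): it sends a query for a name the server is not authoritative for, with the recursion-desired bit set, and classifies the reply the way the IANA results page does. The probe name www.example.com and the two sample reply headers are constructed for illustration.

```python
import socket
import struct

# Added example, not IANA's code. Probe: ask a nameserver for a name it is NOT
# authoritative for, with RD (recursion desired) set. An authoritative-only
# server refuses or returns no answer; one that answers is also recursing.

RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(qname, txid=0x1234):
    """DNS query for A/IN <qname> with RD=1 (flags 0x0100), no EDNS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)

def classify_response(resp, txid=0x1234):
    """Return the verdict plus the header fields it rests on."""
    if len(resp) < 12:
        raise ValueError("truncated DNS header")
    rid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch: %04x" % rid)
    ra, aa, rcode = bool(flags & 0x0080), bool(flags & 0x0400), flags & 0x000F
    # Answer records for a foreign name mean the server fetched (or cached)
    # them on our behalf, i.e. it is doing recursive work.
    recursive = rcode == 0 and an > 0 and not aa
    return {"verdict": "recursive" if recursive else "not recursive",
            "ra": ra, "rcode": RCODE_NAMES.get(rcode, str(rcode)), "answers": an}

def check_server(server_ip, qname="www.example.com.", timeout=3.0):
    """Send the probe over UDP/53 and classify the reply (needs network)."""
    q = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server_ip, 53))
        resp, _ = s.recvfrom(4096)
    return classify_response(resp)

# Constructed reply headers (bodies omitted; the header decides the verdict):
# open resolver: QR=1 RD=1 RA=1 RCODE=0, one answer record
SAMPLE_RECURSIVE = b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
# authoritative-only server: QR=1 RD=1 RA=0 RCODE=5 (REFUSED), no answers
SAMPLE_AUTH_ONLY = b"\x12\x34\x81\x05\x00\x01\x00\x00\x00\x00\x00\x00"

if __name__ == "__main__":
    for name, sample in [("open", SAMPLE_RECURSIVE), ("auth-only", SAMPLE_AUTH_ONLY)]:
        print(name, classify_response(sample))
```

Run check_server against each NS listed for your domain; any "recursive" verdict is the condition the article warns about.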

Thanks to Larry Seltzer for mentioning this in his blog; finding this report on the IANA Web site is all but impossible.
See a summary of all my Defensive Computing postings.

Michael Horowitz is an independent computer consultant and the author of several classes on Defensive Computing. He is a member of the CNET Blog Network, and is not an employee of CNET. Disclosure.
by Dalkorian August 13, 2008 2:38 PM PDT
I don't know about this, every single domain I tested came back as safe and not recursive (possible, but I checked a lot and expected some to be recursive). Better tests are:

http://www.doxpara.com/ (horse's mouth)

https://www.dns-oarc.net/oarc/services/dnsentropy (2 sources are better than 1!)
by mhinnewyork August 13, 2008 7:22 PM PDT
@dalkorian: There are two different issues here. The tests you refer to test whether the DNS server your computer is using has been patched or not. That's simply testing the recursive function. The test from IANA checks whether the authoritative DNS server for the domain is also performing recursive functions. Apples and oranges. Michael Horowitz
by danxy August 14, 2008 5:13 PM PDT
I've found authoritative DNS servers that are vulnerable. I don't want to give them out, but here's the message: Highly vulnerable. The servers tested for (DELETED).COM appear highly vulnerable to cache poisoning. Immediate action should be taken to rectify the problem.

This is a good test for authoritative DNS servers, but not for caching DNS servers.
by mhinnewyork August 14, 2008 8:47 PM PDT
@danxy: If the vulnerable websites (really domains as email would be vulnerable too) are under your control, you may want to move them to another hosting company. I would if they were mine. Michael Horowitz