The Domain Name Service (DNS) which translates names to IP addresses (among many other things) is critical for humans using the Internet. Research by Slavko Gajin and Petar Bojovic presented at the TERENA Networking Conference indicates that mis-configurations are more common than we might hope. Getting DNS right often requires different organisations to have matching configurations: if my name server says that part of the name space is delegated to your name server then your name server needs to agree! So it’s easy for human error creep in. Often the redundancy and resilience that we build into the DNS can hide these problems: so long as there is one way to resolve a name then users may only experience slowness or intermittent failures, which they may not report. Only when a component in that critical path fails will we discover that mis-configurations mean we have less resilience than we thought, after all our websites have become invisible and all e-mail is being returned as wrongly addressed.
Discovering these hidden problems requires a tool that checks all advertised routes to resolve a name, rather than just seeking out one working one. The University of Belgrade team have written such a tool and used it to check more than ten thousand domains across European NRENs. As well as looking for errors that may cause DNS to be less reliable than intended they investigated support for DNSSEC and IPv6, as well as servers that provided public zone transfers or open recursion that can be used by attackers. It is good to see evidence of Janet CSIRT’s recent campaign to reduce the number of open recursive resolvers, in that the percentage of servers in .ac.uk is lower than many other networks. However it is still well above zero! Results per NREN for various tests are shown in the slides: to check your own domain a web interface to the tool is available at http://live.icmynet.com/icmynet-dns