Let me bore you a few minutes with something not so trivial about DNS (Domain Name System). DNS is where all those lookups take place that convert hostnames to IP addresses. A hostname is a name you can more easily remember than the IP address, for instance telling someone in a radio commercial to visit your website at http://220.127.116.11 would be a lot more difficult than saying www.CoolSite.com.
Think of an IP (Internet Protocol) address as a phone number. It is a numerical address that points to one particular server or device generally. While the hostname is the alias for it, and it may actually point to several IPs to help in load balancing, etc.
Putting in a DNS query (or a DNS lookup) for www.Google.com will return a series of IP addresses. Your browser will go to one of those. Consider the DNS lookup to be calling 411 for the phone number. All this takes place in the background, in fractions of seconds and when it is working correctly, the website you want pops up in your browser.
While not something that the average computer user is aware of, those in the IT field have been anticipating this for a while now. The way DNS is handled on the internet is about to change, and for the better, we hope. Currently DNS, is vulnerable to what is known as a man-in-the-middle attack, also known as a “Kaminsky exploit”, which allows a bad guy to poison the DNS lookup tables, giving false responses to your queries. This is bad.
The solution is to transition to DNSSEC, which is happening on the major (root) servers on May 5th, 2010. This is where the trouble may start. DNSSEC adds a little bit of data to the standard DNS query. This data contains a digital signature and the packet size grows to a size that may cause some network devices to reject the packet due to the size exceeding the 512 byte limit that is programmed into the configurations and firmware of some older gear.
What does this mean exactly? That some people, some organizations, etc, may experience some issues with DNS. Vague enough for you? Just keep this in mind. If on May 5th or afterwards, you experience the inability to get to websites or send mail, it could be due to DNS issues with you, or even your upstream DNS server. There’s no need to panic though because there is a fix for everything.
As always, we should you require assistance with your computer, server, firewall, or other network equipment, call us and we will take care of you.
If you would like to test your network in advance of May 5th, please visit this site: https://www.dns-oarc.net/oarc/services/replysizetest or we can do that for you if you wish.