
ICANN Highlights Domain Name System Vulnerability; Releases Tools | ICANN aims to raise awareness of critical Internet security issue


MARINA DEL REY, Calif.: The Internet Corporation for Assigned Names and Numbers is raising awareness of a recently discovered vulnerability in the domain name system (DNS). This includes releasing an FAQ and an online tool for domain operators to test their domains.

Due to the distributed nature of the DNS, no one organization can implement a fix for this vulnerability. It requires the cooperation of all name server operators and DNS software vendors. However, ICANN sees an important goal in spreading awareness of the need to update Internet infrastructure to cope with the threat. The organization has been undertaking significant outreach efforts to top-level domain operators to advise them on the issue. It has also prepared an FAQ and online domain testing tool to raise awareness of the problem, and to encourage network operators to rectify or update their servers.

Summary of Cache Poisoning Issue

Security researcher Dan Kaminsky recently discovered a design flaw in the fundamental DNS protocol. While it is not possible to fully fix this flaw, there are ways to improve resistance to it. This involves system administrators patching or reconfiguring their DNS servers.

The vulnerability affects "recursive" name servers, the kind typically installed at ISPs and corporate network gateways to perform DNS lookups on behalf of clients and cache the results so that later lookups are faster. It does not, by itself, affect the "authoritative" name servers used by domain registries, which publish zone data rather than resolve queries for others.

However, a name server can be configured to perform both "recursive" and "authoritative" functions on the same machine, and in that case the susceptible recursive function exposes the authoritative function to the same security risk.

For domain operators

For operators of domain names, this vulnerability can be used to affect the contents of their zone if the authoritative servers for that zone also provide recursive name service. To detect whether a particular zone is vulnerable, ICANN has produced a tool that can check a particular domain:

Domain operators should ensure that all of the authoritative name servers for their domain are separated from any recursive name servers, so that cache poisoning attacks cannot affect the authoritative service.

ICANN has also produced a set of questions and answers on this topic for domain operators, which is available at:

For Internet users

For most users, what matters is that the DNS servers their computer uses to look up domains have been patched to enable "source port randomization". To check whether your Internet provider has made this change, you can use an online testing tool provided by the DNS Operations, Analysis and Research Center at:

To be guarded against the vulnerability, the test result should be "Great". If you do not get that result, you should talk to your network administrator (typically your ISP or your company's IT department) and advise them to update their recursive name servers.
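The online test referred to above works by observing the UDP source ports a resolver uses for its outgoing queries. The following Python is an added example, not the DNS-OARC tool or its scoring: it extracts source ports from constructed resolver query-log lines and rates how well they are randomized. The log format, the port samples and the "Great"/"Good"/"Poor" thresholds are all assumptions made for this example; a resolver that uses a single fixed port, or an incrementing one, leaves only the 16-bit transaction ID for an attacker to guess, which is the weakness the patches address.

```python
import re
import statistics

# Constructed resolver query-log lines (not real traffic): timestamp, source, destination, query
SAMPLE_LOG = """\
2008-07-24T10:00:01Z 192.0.2.10:51325 -> 198.51.100.5:53 A www.example.com
2008-07-24T10:00:01Z 192.0.2.10:2049 -> 198.51.100.5:53 A mail.example.com
2008-07-24T10:00:02Z 192.0.2.10:60101 -> 198.51.100.5:53 MX example.com
"""

# Assumed log layout: "<ts> <src-ip>:<src-port> -> <dst-ip>:53 <qtype> <qname>"
LOG_RE = re.compile(r"^\S+ (?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) -> \S+:53 ")


def extract_source_ports(lines):
    """Pull the outgoing UDP source port from each query-log line that matches the layout."""
    ports = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ports.append(int(m.group("sport")))
    return ports


def assess_ports(ports):
    """Rate source-port randomization from a sample of observed ports.

    Returns (rating, metrics). Thresholds are assumptions for this example:
    a uniform spread over 1024-65535 has a standard deviation near 18600.
    """
    if len(ports) < 2:
        raise ValueError("need at least two observed queries")
    n = len(ports)
    distinct = len(set(ports))
    sequential = sum(1 for a, b in zip(ports, ports[1:]) if b - a == 1)
    spread = statistics.pstdev(ports)
    metrics = {"samples": n, "distinct": distinct,
               "sequential_steps": sequential, "stdev": round(spread, 1)}
    if distinct == 1:
        rating = "Poor"        # fixed port: only the transaction ID protects the cache
    elif sequential >= n // 2:
        rating = "Poor"        # incrementing port is trivially predictable
    elif spread >= 10000 and distinct >= 0.9 * n:
        rating = "Great"       # wide, non-repeating spread across the port range
    elif spread >= 2000:
        rating = "Good"        # randomized but confined to a narrow range
    else:
        rating = "Poor"
    return rating, metrics


# Constructed port samples (not measurements of any real resolver)
FIXED_PORTS = [32768] * 20                  # unpatched: one port for every query
SEQUENTIAL_PORTS = list(range(1025, 1045))  # predictable: port increments by one
RANDOMIZED_PORTS = [51325, 2049, 60101, 17732, 33001, 48875, 9109, 62390, 27430, 41016,
                    5550, 55760, 13994, 36268, 19878, 58439, 30724, 45211, 8192, 64001]


if __name__ == "__main__":
    print("from log:", extract_source_ports(SAMPLE_LOG.splitlines()))
    for name, sample in (("fixed", FIXED_PORTS), ("sequential", SEQUENTIAL_PORTS),
                         ("randomized", RANDOMIZED_PORTS)):
        rating, metrics = assess_ports(sample)
        print(f"{name:>10}: {rating:<5} {metrics}")
```

In practice the sample comes from a packet capture or query log on the resolver's outbound interface; twenty or more queries give the standard deviation enough weight to distinguish a patched resolver from one still using a fixed or sequential port.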

About ICANN:

ICANN is responsible for the global coordination of the Internet's system of unique identifiers, such as domain names (like .org, .museum and country codes like .uk) and the addresses used in a variety of Internet protocols that help computers reach each other over the Internet. Careful management of these resources is vital to the Internet's operation, so ICANN's global stakeholders meet regularly to develop policies that ensure the Internet's ongoing security and stability. ICANN is an internationally organized, public benefit non-profit company. For more information, please visit the ICANN website.

Media Contacts:

Jason Keenan
Media Adviser, ICANN
Ph: +1 310 382 4004

International: Andrew Robertson
Edelman (London)
Ph: +44 7921 588 770
