Internet Domain Name Servers Get More Security

To make the 13 computer servers that run the Internet's core addressing system more secure, the two machines operated by VeriSign in the US have been physically and electronically separated to make them less vulnerable to attack.

Cheryl Regan, a spokeswoman for the Mountain View, California-based trust, security and Internet infrastructure company, acknowledged that the two US Domain Name System (DNS) servers were reconfigured earlier this week as part of a planned safety enhancement to the system.

Previously, both DNS servers in the US were located in the same room of a VeriSign building in Virginia. Both DNS servers were also previously set up on the same system subnet, making them both vulnerable to attacks at the same time.

The DNS servers take easy-to-remember Web site domain names and convert them into the numerical IP addresses used by computers. A distributed denial-of-service (DDOS) attack occurs when an attacker floods the servers with so much traffic that they can no longer respond to legitimate requests.

Now, one of the two servers has been relocated to a different location in Virginia, and the two machines are on separate subnets, improving their resistance to attacks by hackers, she said.
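The shared-subnet exposure the article describes can be checked mechanically: if several name servers sit in one network prefix, one attack or one outage on that subnet takes all of them down together. The following is an added example, not code from the article or from VeriSign; the hostnames and addresses are constructed samples drawn from the RFC 5737 documentation ranges, and the prefix lengths (/24 for IPv4, /48 for IPv6) are an assumed notion of "same subnet".

```python
# Added example: report name servers that share a network prefix (shared-fate risk).
# Sample data below is constructed (RFC 5737 documentation addresses), not real servers.
from collections import defaultdict
import ipaddress

NAME_SERVERS = {
    "a.example.net": "192.0.2.10",
    "b.example.net": "192.0.2.11",     # same /24 as a.example.net: fails together
    "c.example.net": "198.51.100.5",
    "d.example.net": "203.0.113.9",
}


def enclosing_network(addr, v4_prefix=24, v6_prefix=48):
    """Return the network of the assumed 'subnet' size that contains addr."""
    ip = ipaddress.ip_address(addr)
    plen = v4_prefix if ip.version == 4 else v6_prefix
    return ipaddress.ip_network(f"{ip}/{plen}", strict=False)


def shared_prefix_groups(servers, v4_prefix=24, v6_prefix=48):
    """Map each network to the hosts inside it, keeping only networks
    that host more than one server (the clusters with a single point of failure)."""
    groups = defaultdict(list)
    for host, addr in servers.items():
        groups[enclosing_network(addr, v4_prefix, v6_prefix)].append(host)
    return {net: sorted(hosts) for net, hosts in groups.items() if len(hosts) > 1}


def diversity_report(servers, v4_prefix=24, v6_prefix=48):
    """Summarise how many distinct prefixes the server set spans and which
    servers would be lost at the same time if one prefix became unreachable."""
    nets = {enclosing_network(a, v4_prefix, v6_prefix) for a in servers.values()}
    return {
        "servers": len(servers),
        "distinct_prefixes": len(nets),
        "clusters": shared_prefix_groups(servers, v4_prefix, v6_prefix),
    }


if __name__ == "__main__":
    report = diversity_report(NAME_SERVERS)
    print(f"{report['servers']} servers across {report['distinct_prefixes']} prefixes")
    for net, hosts in report["clusters"].items():
        print(f"  shared fate in {net}: {', '.join(hosts)}")
```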

"It was a defensive move," Regan said. "We want to reduce the potential risk of two servers failing" in one DDOS attack. The other 11 DNS servers in the Internet system are operated by other groups around the world.

Ironically, just that kind of attack occurred last month, when all 13 of the Internet's root DNS servers were hit by a massive DDOS attack on October 21. About eight or nine of the servers were disabled by the attack, which lasted about an hour.

Regan said this week's system changes had been planned for months, long before the October attack, and weren't a reaction to that incident. VeriSign, which runs the two US DNS servers on behalf of the US Department of Commerce, had asked the Commerce Department for permission in August to make the changes, and the request was granted on Monday, she said.

Security analysts said the change is a good initial step in tightening the security of the Internet's infrastructure.

Alan Paller, research director of the Bethesda, Maryland-based SANS Institute, a security research and education group, called the relocation of one of the two US DNS servers "a good small step."

"It makes sense to have separation of the systems," Paller said. Even more important, he said, are the changes needed to block DDOS attacks as they begin, within the systems run by Internet service providers, before the traffic reaches the Internet backbone. "I see a lot of work being done in that area," Paller said.

Charles Kolodgy, a security analyst at IDC (US), said the VeriSign configuration changes are also a good idea in terms of disaster recovery. In the event of a fire, earthquake or even terrorism, not having both machines in the same location establishes the critical redundancy needed to maintain the integrity of the system, he said.

"I would say it would have had to have been planned for a while," he said of the changes made this week.

Kolodgy said similar DDOS attack lessons were learned last year by Microsoft, when the company had all four of its own DNS servers located on one network, just like the previous VeriSign configuration. A hacker attack in January 2001 crippled Microsoft's name servers for days because they had been assembled as one system, rather than with redundant capacity.

Such lessons are good to remember, Kolodgy said.

"They got lucky with the DDOS [attack] recently," he said of VeriSign and the other DNS server operators around the world. "Now they're just trying to make it harder."

Copyright © 2002 IDG Communications, Inc.
