US government Web sites risk DNS outage

Nearly one in five US government Web sites is vulnerable to a single-point-of-failure Domain Name System (DNS) network outage, according to a new survey.

DNS servers translate domain names into numeric Internet Protocol (IP) addresses. When those servers go down, users typing Web addresses cannot connect to the intended servers.

The issue dominated headlines earlier this year after a faulty router configuration and a susceptible DNS setup downed several popular Microsoft Web sites. Many corporate IT administrators failed to heed the warning, however.

Over 250 major company Web sites remain exposed to a single-point failure, according to the study, which was carried out by Icelandic DNS software manufacturer Men & Mice.

Redundancy is key to protecting against outages, claimed Men & Mice. If a company spreads its DNS servers across several network segments, it is better protected against failures. According to the study, of the 1,246 domains in the .gov hierarchy - the top-level domain used by US government agencies - some 232 (18.6%) have their DNS servers on one subnet. Of that group, 13% of .gov domains have only one DNS server.
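The kind of check the study describes can be sketched as below. This is an added example, not Men & Mice's methodology or code: the grouping by IPv4 /24 and IPv6 /48 is an assumption (the study does not state how it defined a subnet), and the domains and addresses are constructed sample data standing in for the results of NS and A/AAAA lookups.

```python
import ipaddress
from collections import defaultdict

# Assumption: "same subnet" means same IPv4 /24 or same IPv6 /48.
PREFIX = {4: 24, 6: 48}

def classify(ns_addrs):
    """ns_addrs maps each NS hostname of a domain to its list of addresses."""
    families = defaultdict(lambda: (set(), set()))  # IP version -> (addresses, subnets)
    for addrs in ns_addrs.values():
        for text in addrs:
            ip = ipaddress.ip_address(text)
            seen, nets = families[ip.version]
            seen.add(ip)
            nets.add(ipaddress.ip_network(f"{ip}/{PREFIX[ip.version]}", strict=False))
    if not families:
        return "unresolvable"
    # Judge each address family separately so a dual-stack host at one site
    # is not mistaken for two network locations.
    if max(len(seen) for seen, _ in families.values()) == 1:
        return "single-server"   # distinct NS names sharing one address count once
    if max(len(nets) for _, nets in families.values()) == 1:
        return "single-subnet"
    return "redundant"

def exposed(zones):
    """Return {domain: finding} for every domain that is not redundant."""
    findings = {domain: classify(ns) for domain, ns in zones.items()}
    return {d: f for d, f in findings.items() if f != "redundant"}

# Constructed sample data (documentation address ranges, hypothetical domains).
SAMPLE = {
    "agency-a.example": {"ns1": ["192.0.2.10"]},
    "agency-b.example": {"ns1": ["192.0.2.10"], "ns2": ["192.0.2.53"]},
    "agency-c.example": {"ns1": ["198.51.100.5", "2001:db8:1::5"],
                         "ns2": ["203.0.113.5", "2001:db8:2::5"]},
    "agency-d.example": {"ns1": ["192.0.2.10"], "ns2": ["192.0.2.10"]},
    "agency-e.example": {"ns1": ["192.0.2.10", "2001:db8:1::10"],
                         "ns2": ["192.0.2.11", "2001:db8:1::11"]},
}

if __name__ == "__main__":
    for domain, finding in sorted(exposed(SAMPLE).items()):
        print(f"{domain}: {finding}")
```

Subnet diversity alone does not prove path diversity: two prefixes can still sit behind the same router or upstream link, so findings of "redundant" are a lower bound on the audit, not a clean bill of health.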

The study did not individually identify vulnerable domains.

"The federal government needs to leave no stone unturned in its quest for increased security on the Internet," said Men & Mice chairman Jon Adalsteinsson. "This, of course, is a very obvious security vulnerability. We find it surprising to see such a high number, despite the publicity concerning this issue."

Computer security problems have been an ongoing concern for government agencies. More than a dozen agencies failed recent computer security tests organised by the US congressional Subcommittee on Government Efficiency, Financial Management and Intergovernmental Relations.

Adalsteinsson said agencies should conduct a security audit of their DNS infrastructure. "It's a reasonably simple thing to do, but what will come out is that this is not the only [DNS] problem these agencies are facing."

Other potential vulnerabilities include a susceptibility to domain "spoofing", or the redirection of a domain to a server other than the one intended, said Adalsteinsson.
