So if you’re even tangentially exposed to news about the internet (or listen to NPR’s All Things Considered!), you might have heard about a major, major weakness that was discovered not too long ago in the security behind the way that hostnames are turned into IP addresses, a weakness that could easily lead to all kinds of hacks, exploitations, and general insecurity on the ‘net. Most of the folks responsible for the DNS servers — the bits of software that are affected by this — were quickly briefed about the flaw and given a chance to respond, and nearly all of them just as quickly released patches to their software to make the hacks much harder to accomplish. Apple was certainly part of the former group (having been briefed on May 5th), but was not part of the latter group; by July 8th, all other operating system vendors had patched the vulnerability, while it took Apple until July 31st to roll the patch out the door. And within a few days, folks were noticing that Apple’s patch only handled half of the issue, remedying Mac servers while ignoring Mac client (i.e., desktop) machines.

Interested in which other Apple platforms were both affected by the DNS flaw and unpatched, I did a little playing with my Airport Extreme wifi router today — I figured it was a good platform to test, seeing as the way it fits into the environment that surrounds this particular DNS flaw is more as a server (a device being asked to resolve DNS names) than as a client (a device doing the asking). Additionally, there’s currently a lot of concern that even with all the patches released over the past month, it’s exactly devices like these — home routers that do DNS resolution alongside network address translation — that are going to prove the hardest to secure. Fortunately, after doing a bit of network sniffing, I can report that the Airport Extreme currently does exhibit patched behavior, properly choosing random source ports for the DNS queries it sends upstream. (And thus, that ISS post I linked to isn’t exactly correct when it says that no NAT vendor is performing source port randomization — clearly, Apple is doing the right thing when it comes to the Airport Extreme.)
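The sniffing check described above boils down to one question: across a run of outbound DNS queries, does the router vary its UDP source port (and its transaction ID), or does it reuse a fixed or incrementing value? The script below is an added example, not code from the original post and not anything Apple ships: it parses tcpdump-style summary lines of a router's upstream DNS queries and scores the source ports and transaction IDs for distinctness and for sequential patterns. The capture text is constructed sample data, not a real capture from the Airport Extreme; the resolver address 192.0.2.53 and the 0.9 distinct-ratio threshold are assumptions you would tune to your own environment.

```python
import math
import re
from collections import Counter

# Constructed tcpdump-style lines (as printed with -n) standing in for a sniff of
# a NAT router's outbound DNS queries. Not a real capture from any device.
PATCHED_SAMPLE = """\
IP 10.0.1.1.51247 > 192.0.2.53.53: 41302+ A? example.com. (29)
IP 10.0.1.1.3371 > 192.0.2.53.53: 8213+ A? example.net. (29)
IP 10.0.1.1.60914 > 192.0.2.53.53: 55017+ A? example.org. (29)
IP 10.0.1.1.22108 > 192.0.2.53.53: 19975+ AAAA? example.com. (29)
IP 10.0.1.1.44590 > 192.0.2.53.53: 62140+ A? example.edu. (29)
IP 10.0.1.1.17533 > 192.0.2.53.53: 3302+ A? example.com. (29)
"""

# Constructed "unpatched" behaviour: a fixed source port and incrementing IDs.
UNPATCHED_SAMPLE = """\
IP 10.0.1.1.53 > 192.0.2.53.53: 1001+ A? example.com. (29)
IP 10.0.1.1.53 > 192.0.2.53.53: 1002+ A? example.net. (29)
IP 10.0.1.1.53 > 192.0.2.53.53: 1003+ A? example.org. (29)
IP 10.0.1.1.53 > 192.0.2.53.53: 1004+ AAAA? example.com. (29)
IP 10.0.1.1.53 > 192.0.2.53.53: 1005+ A? example.edu. (29)
IP 10.0.1.1.53 > 192.0.2.53.53: 1006+ A? example.com. (29)
"""

# Matches "IP <src>.<sport> > <dst>.53: <txid>+ ..." (queries to port 53 only).
LINE_RE = re.compile(r"^IP (\S+)\.(\d+) > (\S+)\.53: (\d+)\+ ")


def parse_queries(capture_text):
    """Return a list of (source_port, transaction_id) for each outbound query line."""
    queries = []
    for line in capture_text.splitlines():
        match = LINE_RE.match(line)
        if match:
            queries.append((int(match.group(2)), int(match.group(4))))
    return queries


def entropy_bits(values):
    """Shannon entropy of the observed value distribution, in bits."""
    counts = Counter(values)
    total = len(values)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def looks_sequential(values):
    """True when the values, sorted, form a strictly consecutive run (1001, 1002, ...)."""
    ordered = sorted(values)
    return len(ordered) > 1 and all(b - a == 1 for a, b in zip(ordered, ordered[1:]))


def assess(values, min_distinct_ratio=0.9):
    """Score one field (ports or IDs): distinct count, entropy, and a pass/fail verdict."""
    distinct = len(set(values))
    sequential = looks_sequential(values)
    return {
        "distinct": distinct,
        "entropy_bits": round(entropy_bits(values), 2),
        "sequential": sequential,
        "randomized": distinct / len(values) >= min_distinct_ratio and not sequential,
    }


def check_resolver(capture_text):
    """Assess both the UDP source ports and the DNS transaction IDs in a capture."""
    queries = parse_queries(capture_text)
    if not queries:
        raise ValueError("no outbound DNS query lines found in capture")
    ports = [port for port, _ in queries]
    txids = [txid for _, txid in queries]
    return {"queries": len(queries), "ports": assess(ports), "txids": assess(txids)}


if __name__ == "__main__":
    for label, sample in (("patched", PATCHED_SAMPLE), ("unpatched", UNPATCHED_SAMPLE)):
        print(label, check_resolver(sample))
```

Six queries is enough to illustrate the scoring but far too few to trust in practice; sniff a few hundred queries before drawing a conclusion, and treat a port entropy well below log2(number of queries) as a sign that the device is reusing ports. The transaction ID is scored the same way because a fixed source port with random IDs, or random ports with incrementing IDs, still leaves the resolver easier to spoof than both randomized together.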

I got an email from one of the people who hosts a website on my server today letting me know that she couldn’t get to her site, and investigating the problem, tracked it down to the fact that the company providing DNS services for her domain, ZoneEdit, is having issues today with a few machines, two of which are her primary and secondary nameservers. I can’t get too irritated with this — there are a ton of reasons nameservers can be causing problems, many of which (like denial of service attacks) are no fault of the company which runs them — but I can get irritated by ZoneEdit’s response, reprinted here:

If reliable DNS service is critical for your site, we recommend logging into your account, clicking on “Nameservers” and purchasing a “tertiary” nameserver. 3 nameservers are exponentially more reliable than 2 nameservers.

Are you shitting me? Let’s start with “if reliable DNS service is critical for your site” — are there any websites for which reliable DNS service is not critical? (Put another way: how many times a day do you access a website using an IP address rather than a hostname?) Then, I find the attempt to use the problem to upsell customers to a different tier of service to be pretty sleazy — what would be even more reliable is if ZoneEdit could just provide an automatic switch to alternate nameservers when machines of theirs were having problems.

All in all, I’m not too surprised that “ZoneEdit is a Dotster, Inc. owned company”; my experiences with Dotster have been pretty awful, the same awfulness that’s reflected here.

As part of our move down to DC, Shannon and I both have to change our addresses and phone numbers with what feels like a metric ton of companies and services. I’ve spent the last half hour or so making my way through the four or five domain name registrars with whom I have accounts, and wow how painful each of them makes the process of changing your contact information. First, you have to change your personal information, which seems to be the mailing address and phone number they keep on record for use when your domain names are about to expire (or to pass on to marketing agencies and spammers). Then, you have to find your billing information and change that, so that when the company automatically charges your credit card, they are able to match the information up with the billing address on the card. Finally, you have to go through each and every domain name, updating the addresses and phone numbers on record for the various contacts listed on the domain registrations. And for each registrar, just finding the links to let you get to each of these bits of information is difficult, so it ends up taking five to ten minutes just to get through a single company’s process. Would that any of these companies invested a cent or two in the services of one of the hundreds of website usability consultants out there…

I’ve been enjoying the occasional posts over at Dreamhost’s “official” weblog, posts that are usually chock full of interesting tidbits that relate to running a mid- to large-sized internet service hosting company. Today’s post comes from Josh Jones (who happens to be Dreamhost’s CEO), and talks about the hoops the company has to jump through in order to be able to request additional internet addresses; the part that’s interesting to me is that the rules which govern the handing out of blocks of IP addresses make it downright necessary for smaller companies to play games so that they don’t get caught without any additional addresses to give their customers. It’s the sort of situation that the next generation of IP addressing (IPv6) was designed to solve, by giving organizations blocks of addresses so big that they’d be able to provide unique ones to over 18 quintillion devices — but most people don’t see IPv6 achieving universal support for the next half-decade or so. So let the addressing games continue!

For those who didn’t know, the folks at EasyDNS have been the targets of intermittent denial-of-service attacks for the past few weeks, and this morning brought a renewed round against their servers. Just an FYI, which could help explain why you might be getting occasional “host could not be found” errors in your travels around the web today.

(Image: Dotster’s ad)

To be filed in the bin of continuing abuses of the net by companies that should know better: today, I got an email from the domain registrar Dotster (who I have patiently asked about a dozen times to stop sending me their ads) claiming that now’s the perfect time to register my .DE domain name for use with my Delaware business. What’s the problem with this? The .DE domain is the national top-level domain for Germany! To me, it seems a bit, you know, presumptuous to advertise another nation’s top-level domain as perfect for registrants in a measly U.S. state. (And according to the official German registrar, it’s also a mandatory condition of .DE domain registration that the administrative contact maintain a German postal address that can receive any and all legal and court documents that might be filed against the owner of the domain; I wonder how Dotster is dealing with this little stipulation.)

The city of Wilmington, Delaware has already started squatting in the domain space, but using a domain name that I’m certain causes them more trouble than it’s worth (“no, no, no, that’s the word ‘wilmington’, then a dot, then the letters D-O-T, then another dot, and then the letters D-E!”). With the jackassery of Dotster, though, I’m sure that’ll change.

Interesting — while updating a setting on one of Shannon’s domains today, we noticed that Dotster added the .info version of the domain to her account for free last week, without asking or notifying her in any way (other than it just showing up in her account list). Shannon and I both got a number of notices from Dotster over the past few months that they were giving away 25 free .info domains to all of their customers, and we ignored the notices. The logical conclusion from this is that we just weren’t interested, right?

If my assumption is correct that she’s not the only one for whom they did this, then that raises the question: isn’t this a profound waste of domain names, and particularly, of domain names that were likely not registered by the owners of their .com counterparts as conscious decisions?

In news both interesting and frightening, the domain for Panix, the oldest commercial in New York, was hijacked out from under them on Friday night. Both the notice about the hijacking and various progress reports about how it’s been handled by the involved companies have been posted on Panix’s temporary home on the net and over at the North American Network Operators Group (NANOG) mailing list (search for “panix.com” and you’ll find the posts), but the short version is that the registrars have handled it horribly, leaving Panix without use of its primary domain name for going on 48 hours now. And what people need to remember is that, during the time Panix hasn’t been in control of the domain, whoever was responsible for the hijacking can easily have had computers running which have been able to capture every single username, password, piece of email, file, and whatever else clients have sent to what they thought were valid panix.com machines. Pretty .

The thing that’s most surprising to me is that this hasn’t gotten a whole hell of a lot in the way of press; as of right now, searching Google News for “panix” brings up only three relevant news articles. Honestly, this seems to me to be the perfect example of how the internet has expanded faster than the ability of the relevant organizations to protect the immense time, energy, and money people invest in it, but the story’s not getting much coverage right now. I imagine that if microsoft.com were the domain hijacked, we’d be hearing more about it, but it’s not like Panix is a small fish, it’s just not a blue whale — and that’s enough to shove the story off the radar over a holiday weekend. Alas.

There’s a concerning thread over at WebHosting Talk about a user being charged ten bucks by GoDaddy for ostensibly having incorrect contact information in his domain name registration information, despite the user’s claims that all the information was correct. Someone from GoDaddy actually posted details, as well as information about the policy regarding the charges (that they only charge if incorrect information is actually found); nobody has been able to find the actual user agreement that states this, though, and the original user continues to insist that his information was correct and that GoDaddy has begun ignoring any of his attempts to contact them in an official way.

Given that there’s a new policy coming into effect tomorrow that makes it a lot easier to lose your domain names (via domain transfer requests by nefarious others) if your contact information isn’t perfectly correct, now might be a good time to hop onto your registrars’ websites and verify that everything is as it should be. Most registrars will also allow you to “lock” your registrations so that domain transfers cannot take place without you manually going to their site and reversing the lock — GoDaddy allows this, as does Register.com and even the hoary Network Solutions. When this lock is in place, no transfer request can go through at all (in theory), protecting you from illegitimate transfer requests even when you’re away from your email for more than five days.
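The two things to verify at each registrar, per the paragraph above, are that the contact details on the record are current and that the transfer lock is on. Both show up in the public whois record, so they can be audited for a whole list of domains rather than clicked through one at a time. The script below is an added example, not the post’s own code and not affiliated with any registrar: it parses “Key: value” whois text, looks for the EPP transfer-lock statuses (clientTransferProhibited or serverTransferProhibited), and flags contact fields that are blank or that don’t match the address you currently read. The records are constructed samples, and the field names and the current-email check are assumptions; real whois output varies by registrar and TLD, so adjust the required fields to what yours actually prints.

```python
# Constructed whois-style records; domains and contacts are placeholders, not real data.
LOCKED_RECORD = """\
Domain Name: EXAMPLE.COM
Registrar: Example Registrar, Inc.
Domain Status: clientTransferProhibited
Domain Status: clientDeleteProhibited
Registrant Name: Jane Example
Registrant Email: jane@example.com
Admin Email: jane@example.com
Updated Date: 2004-11-10
"""

UNLOCKED_RECORD = """\
Domain Name: EXAMPLE.ORG
Registrar: Example Registrar, Inc.
Domain Status: ok
Registrant Name: Jane Example
Registrant Email:
Admin Email: old-address@example.invalid
Updated Date: 2001-03-02
"""

# EPP status codes that block a registrar transfer; either one means "locked".
TRANSFER_LOCKS = {"clientTransferProhibited", "serverTransferProhibited"}

# Fields that must be present and non-empty (assumed set; extend for your registrar).
REQUIRED_CONTACT_FIELDS = ("Registrant Name", "Registrant Email", "Admin Email")
EMAIL_FIELDS = ("Registrant Email", "Admin Email")


def parse_whois(text):
    """Collect 'Key: value' lines into a dict of lists; keys such as Domain Status repeat."""
    record = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        record.setdefault(key.strip(), []).append(value.strip())
    return record


def audit_domain(text, current_email):
    """Report lock state and contact problems for one whois record."""
    record = parse_whois(text)
    # Some whois servers append an explanatory URL after the status; keep the code only.
    statuses = {value.split()[0] for value in record.get("Domain Status", []) if value}
    missing = [field for field in REQUIRED_CONTACT_FIELDS if not any(record.get(field, []))]
    stale = [
        field for field in EMAIL_FIELDS
        if record.get(field, [""])[0] not in ("", current_email)
    ]
    locked = bool(statuses & TRANSFER_LOCKS)
    return {
        "domain": record.get("Domain Name", ["?"])[0],
        "transfer_locked": locked,
        "missing_contact_fields": missing,
        "stale_contact_fields": stale,
        "action_needed": (not locked) or bool(missing) or bool(stale),
    }


if __name__ == "__main__":
    for sample in (LOCKED_RECORD, UNLOCKED_RECORD):
        print(audit_domain(sample, "jane@example.com"))
```

Run it over saved `whois` output for each of your domains and act on anything with `action_needed` set: fix the contact fields first (so that a transfer notice actually reaches you), then turn the lock on at the registrar. Under the five-day auto-approval rule the lock is the control that holds even when the notice email is lost in the spam.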

I’m with the other Jason in saying that the new policy is supremely idiotic, if only for the incredibly short notification period that is destined to lead to some pretty major domain name losses over the coming months. (After all, it’s reasonably hard to guarantee that you see and trust every single email that’s sent to the address in your registration records, given that this email address sits out there in public and manages to attract metric tons of spam, viruses, and phishing attempts!) And in reading the actual text of the policy, it seems that there’s a window created for registrars who want to side with consumers rather than ICANN and refuse to automatically grant transfers after five days — but that’s my non-legal read of it, which I’m not so sure I’d trust. Nonetheless, it’ll be interesting to see if any registrars become consumer-friendly in this regard.

(If you’re interested, links to the actual ICANN policy, with quotes of the relevant sections, are available in the extended version of this post.)