Open DNS servers cause concern, invite attacks

05.04.2006

The problem is with having 'open recursion' as a default option in the most popular DNS server software. This means the server will attempt to resolve any name it is asked for, not only names within its own domain but anywhere on the internet, and it will do so for any source that asks.

The problem has similarities to the inadvertently open mail relays that used to let spam be relayed with the spammer's address concealed. That used to be much more of a problem than it is today, now that most mail servers have been closed to relay traffic, but the DNS problem is potentially very serious, the NZNOG and ICANN speakers warned.

If a server has no real business answering requests for names outside its own domain and related domains, it should be limited to those, plus any heavily used outside names whose address translations it has cached, the speakers noted, and it should not be answering recursive requests from clients outside its own domain.
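The practical check for the behaviour described above is to send a recursive query, from outside the server's own network, for a name the server is not authoritative for, and see whether it resolves it. The following probe is an added example written for this page, not code from the article or from any DNS software it mentions. It assumes the target is not authoritative for `www.example.com`, inspects only the 12-byte DNS header of the reply, and uses constructed sample headers (not captured traffic) so it can be exercised offline.

```python
import socket
import struct

# Added example: a minimal open-recursion probe. It builds a DNS query with
# the RD (recursion desired) bit set for a name the target is assumed not to
# be authoritative for, sends it over UDP, and classifies the reply from its
# header. The sample responses at the bottom are constructed, not captured.

PROBE_NAME = "www.example.com"   # assumption: target is not authoritative for it


def build_query(qname, txid=0x1234, rd=True):
    """Return a wire-format DNS query for the A record of qname."""
    flags = 0x0100 if rd else 0x0000        # QR=0, opcode 0, RD is bit 8
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    question += b"\x00" + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN
    return header + question


def classify_response(resp, expected_id=None):
    """Classify a DNS reply using only its header.

    'open-recursive'        : the server recursed for us (RA set, answer or NXDOMAIN)
    'refused'               : RCODE REFUSED, what a source-restricted server returns
    'recursion-unavailable' : RA clear, typically an authoritative-only referral
    """
    if len(resp) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if expected_id is not None and txid != expected_id:
        raise ValueError("transaction ID mismatch")
    qr = (flags >> 15) & 1
    ra = (flags >> 7) & 1
    rcode = flags & 0x0F
    if not qr:
        return "not-a-response"
    if rcode == 5:
        return "refused"
    if ra and (rcode == 3 or (rcode == 0 and ancount > 0)):
        return "open-recursive"
    if not ra:
        return "recursion-unavailable"
    return "inconclusive"


def probe(server, qname=PROBE_NAME, timeout=3.0):
    """Send one recursive query to server on UDP/53 and classify the reply."""
    txid = 0x1234
    query = build_query(qname, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "no-response"
    return classify_response(data, expected_id=txid)


# Constructed sample headers (ID=1, RD=1, QDCOUNT=1), not captured traffic:
SAMPLE_OPEN = bytes.fromhex("0001 8180 0001 0001 0000 0000")      # QR RD RA, NOERROR, 1 answer
SAMPLE_REFUSED = bytes.fromhex("0001 8105 0001 0000 0000 0000")   # QR RD, RCODE 5 (REFUSED)
SAMPLE_REFERRAL = bytes.fromhex("0001 8100 0001 0000 0001 0000")  # QR RD, RA clear, 1 NS record

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(sys.argv[1], probe(sys.argv[1]))
    else:
        for label, sample in (("open", SAMPLE_OPEN), ("refused", SAMPLE_REFUSED),
                              ("referral", SAMPLE_REFERRAL)):
            print(label, classify_response(sample, expected_id=1))
```

Two caveats when running this against a real server. The RA flag alone only advertises that recursion is available; the decisive sign is an actual answer (or NXDOMAIN) for a name the server does not serve, so pick a name that is unlikely to already be in its cache, since a cached answer for a popular name does not prove the server will recurse for strangers. And test from an address outside the server's own network: a server that restricts recursion by source address will correctly answer you from inside and refuse you from outside. In BIND 9 the corresponding settings are `recursion no;` for an authoritative-only server and `allow-recursion { localnets; localhost; };` to limit recursive service to local clients.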

The ICANN meeting heard that the most popular server software, such as BIND, has now had its default changed so that recursion is no longer open, but obviously this will take time to spread through all BIND servers as they are updated. Then there are other vulnerable servers running under Windows, Linux and other operating systems that may remain open for some time.

Meanwhile, in the second attack of its kind in the past few days, DNS servers at Network Solutions Inc. were hit by a denial-of-service attack, resulting in a brief performance degradation for customers, according to the company.