We are going to make two changes to the DNS zones we manage 💪.
DNS is the address book of the Internet: it ensures that when a customer types in your domain name, he or she ends up in the right place. We are constantly improving our DNS infrastructure so that it answers these requests quickly and reliably, and so that it is protected against DNS attacks, which unfortunately are becoming more common.
In the DNS zones we manage, DNS records with a TTL of 1 or 5 minutes will be adjusted to 1 hour.
The DNS time to live (TTL) specifies how long a particular DNS record may be remembered (cached) by a resolver before it checks whether the record has changed. With a TTL of 1 or 5 minutes, a successful attack on our DNS infrastructure would cause the record to disappear from caches after 1 (or 5) minutes, with the consequence that the underlying service, for example your website, can no longer be reached.
Although the probability of such a successful attack is low, we choose to reduce this risk by adjusting the default TTL from 1 (or 5) minutes to 1 hour.
This has the following impact:
1. DNS records that were previously remembered for 1 (or 5) minutes will now be remembered for 1 hour, so that a successful attack on our DNS infrastructure is less likely to have an impact.
2. Want to change a DNS record? Then it now takes 1 hour, instead of 1 (or 5) minutes, before the change is active. Of course, you can temporarily lower the TTL yourself before making a significant change. Read how to adjust the TTL yourself here.
We do not modify DNS records whose own TTL is set to a value other than 1 or 5 minutes.
We are going to clean up old localhost% DNS records
In the past, a localhost% DNS record was added to DNS zones at the request of the Stichting Internet Domeinregistratie Nederland (SIDN). This was a hard requirement at the time, but it is now obsolete. The reason for paying attention to this now is that such records make certain web servers vulnerable to Cross-Site Scripting (XSS) attacks. In cooperation with SIDN, we are going to clean up these old, misconfigured localhost records from the zones we manage.
What exactly are we going to clean up? DNS records named localhost%, of record type ‘A’, with content ‘127.0.0.1’.
Want to learn more about this? Then read this blog article from the SIDN.