Can you access the New York Times Web site at nytimes.com yet? For many Internet users, including me, the answer to that is still no. The Times was the victim of a DNS hijacking attack after its registrar Melbourne IT was compromised via a phishing attack from the Syrian Electronic Army, a loose-knit group of hackers who support Syrian President Bashar al-Assad.
But that happened over a day ago, so why is it still not working for some people?
Like my colleague Tim explained yesterday, DNS is the system that translates domain names like nytimes.com to IP addresses like 220.127.116.11. DNS is a hierarchical system that makes extensive use of caching. When your computer wants to know the IP address associated with nytimes.com, it queries a DNS server, most likely operated by your ISP. If the DNS server has looked up the IP address for nytimes.com recently, it will already have a cached copy it saved from the previous query. Otherwise, it sends the request up the "food chain" to get the information, saving the answer for future use.
The system is set up this way to avoid overwhelming the servers that hold the official copy of the domain name database. Without caching, these servers would get swamped with traffic. But caching means that changes to DNS take time to work their way through the system.
A variable called "time to live" (TTL) controls how long a DNS server keeps a cached address in its database. For example, the TTL for washingtonpost.com is set at 30 minutes. Someone whose DNS server doesn't have a cached copy will see changes to this entry immediately. But someone who has looked up the domain recently won't see changes until the TTL period has expired, which might take up to 30 minutes.
According to Andree Toonk, an Internet infrastructure engineer at OpenDNS, the attackers set the TTL to 24 hours and then later to 48 hours. So depending on when your local cache updated their entry, you might still be served the bad version for 24 or 48 hours. And the only way to get rid of that is for the operators of local DNS servers to manually clear the cache entry for that domain. "If that's not done," Toonk says, "the bad results will be used for 24 or 48 hours."
So that's why you still might not be able to access the Times as easily as you would like. But even if you aren't able to get to it through the domain name, you can still browse the full site via its IP address at 18.104.22.168 or browse the latest headlines at news.nytco.com.