A year after surviving a massive distributed denial-of-service attack, the Internet's root servers are better fortified against hacker activity, thanks to behind-the-scenes deployment of a routing technique known as Anycast, experts say.
With Anycast, the root server operators have more than doubled the number of server farms available to handle the highest-level DNS queries. This routing technique heightens root server resilience by multiplying the number of servers with the same IP address and balancing the load across an army of geographically dispersed servers.
A handful of the 13 root server operators have begun deploying Anycast since last year's attack, which didn't succeed in crashing DNS but rendered several root servers unavailable for legitimate queries. Experts say the deployment of Anycast is making the entire root-server system more resistant to outage.
"More of the root server operators are doing this routing technique, and the DNS is more robust than ever," says Paul Mockapetris, inventor of the DNS and chairman of DNS software vendor Nominum. "The DNS is more resilient than it was a year ago by a factor of two."
A reinforced DNS is a boon to enterprise network managers who need a rock-solid root server and DNS system for all of their IP services to function. However, one network executive resists putting much faith in a new DNS technique until it's been tested under attack.
DNS is "still not as secure as it could be, or should be," says Stephen Lengel, systems engineering manager at The ServiceMaster Co. in Downers Grove, Ill., which provides heating, cooling, landscaping, pest control and appliance maintenance services, and has about 20,000 users on its network. Despite the use of techniques such as Anycast, no technology is 100% safe from attack, he adds. "It's usually just a matter of time before someone exploits it or finds a hole in it."
While distributed DoS attacks have occurred for years, last October's assault on the Internet's 13 root servers - which run the master directory for lookups that match domain names with their corresponding IP addresses - served as a wake-up call about the vulnerabilities inherent in the distributed design of DNS. Below the root servers are the servers that support top-level domains such as .com, .net and .org, and below the top-level domain servers are hosts of Web sites.