North American Network Operators Group


Re: From Microsoft's site

  • From: Ian A Finlay
  • Date: Thu Jan 25 21:23:41 2001

On Thu, 25 Jan 2001, Rusty H. Hodge wrote:

> 
> >  Which would not have suffered such an impact had it been designed
> >  correctly, with geographical and topological disparity.
> 
> You sure it isn't designed that way? Just because the IPs are on the 
> same /24 doesn't mean anything these days.

Other people share your thoughts, Rusty. I just ran across the following 
on securitygeeks.shmoo.com:

Authored by: gdead on January 25 2001 @ 10:53AM 
Just a quick comment on everyone saying that the MS nameservers are on the
same subnet. We have no proof of that, and I would hope to god it's not
true. They ARE from the same netblock from their AS (8070). That is an
unforgivable sin. You should always have at least one nameserver outside
your own AS Just In Case (tm). However, just because the IP's of the
nameservers are adjacent doesn't mean the machines are. They could be in 2
or 4 different locations around the net (2 of the IP's are adjacent, and
so are the second 2, indicating maybe two sets of two). However, due to
the nature of DNS, you can have multiple nameservers scattered around your
enterprise answer for a single IP. I've deployed this, and I know others
have as well. Basically, your ingress router has a route to a local
nameserver that responds to that IP. If that host dies, then the network
routes take over and push the query to the next closest nameserver, which gets it
and responds with an answer. So using 4 IP's MS may have 20 nameservers
scattered all over the planet answering for those 4. Doubtful, but
maybe. Ergo, we can't assume these boxes are anywhere near each other. If
someone KNOWS how they're set up, please tell us. 

-Ian

Ian Finlay
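
The check discussed in the quoted comment, as an added example that is not part of the original post: given a zone's nameserver addresses, it reports how many /24s and origin ASes they span and which addresses are adjacent. The `ROUTES` table, the sample addresses (documentation ranges) and the AS numbers (documentation ASNs) are constructed, and IPv4 is assumed; as the comment notes, address adjacency says nothing about physical location when the addresses are anycast.

```python
import ipaddress

# Constructed routing table: prefix -> origin AS (documentation ranges and ASNs).
ROUTES = {
    "192.0.2.0/24": 64500,
    "198.51.100.0/24": 64500,
    "203.0.113.0/24": 64501,
}

def origin_as(ip, routes):
    """Longest-prefix match of ip against routes; None if no route covers it."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, asn in routes.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn)
    return best[1] if best else None

def ns_diversity(ns_ips, routes):
    """Summarise address and AS diversity for a zone's nameserver IPs (IPv4)."""
    addrs = sorted(ipaddress.ip_address(ip) for ip in ns_ips)
    slash24s = {ipaddress.ip_network(f"{a}/24", strict=False) for a in addrs}
    asns = {origin_as(str(a), routes) for a in addrs}
    # Adjacent addresses hint at a shared subnet but do not prove co-location.
    adjacent = [(str(a), str(b)) for a, b in zip(addrs, addrs[1:])
                if int(b) - int(a) == 1]
    findings = []
    if len(asns) == 1:
        findings.append("all nameservers originate from one AS")
    if len(slash24s) == 1:
        findings.append("all nameservers share one /24 (may still be anycast)")
    return {"slash24s": len(slash24s), "asns": asns,
            "adjacent_pairs": adjacent, "findings": findings}

if __name__ == "__main__":
    # Constructed sample: two pairs of adjacent addresses, one origin AS.
    sample = ["192.0.2.10", "192.0.2.11", "198.51.100.5", "198.51.100.6"]
    print(ns_diversity(sample, ROUTES))
```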