North American Network Operators Group
Re: DNS DOS increasing?
On Mon, Jan 21, 2002 at 05:08:21PM +0000, E.B. Dreger wrote:

> > Date: Mon, 21 Jan 2002 10:07:32 -0500
> > From: James Smith <[email protected]>
> >
> > Get ready for more DOS-like behavior as systems get deployed
> > that have 10 second TTLs in the DNS. These systems are used to
> > provide multi-ISP redundancy by pinging each upstream's router,
> > and when a ping fails, start giving out a DNS response using
> > the other ISP IP range. Same FQDN, new IP.
>
> Ughh. Constant pinging == RFC violation (I forget number).
> Short TTL = bad idea, stretching DNS beyond what it's meant to
> do. [Not intended as flamebait, but I know that not everyone
> will agree with this statement.]

Yup. But there is a business drive. When technology and business
conflict... you WILL find out who writes your paycheck.

> > This of course is driven by the desire for redundancy in small
> > businesses who make the Internet an integral part of their
> > business plan. Either they can't get PI space and don't have
>
> PI space isn't that big of a deal for most small businesses. For
> service providers, yes. For other organizations that have at
> most half a dozen Internet-facing servers that might be
> renumbered every year or two, it is less of an issue.

*choke*

You've never actually worked for a small business that had some basic
need for serious uptime (5 9s minimum) and serious security, have you?
Sure, they might need only a /26 for their entire network - but that
network can easily be handling a few million dollars of value every
hour, 24/7/365.

Yes, I've had to lay this out. It was for a financial company which had
to comply with banking requirements. PI space is not a valid answer for
a small business. For a medium-sized business (especially if they can
buy out an old company and the swamp /24 that comes with it), yes, but
not a small one.

(The answer, BTW, was to use 4 separate colocation providers, and
clients which could handle SRV records, because we controlled it
end-to-end. If we hadn't controlled both clients and servers, we would
have been totally hosed - and the SRV TTLs were still only 5 minutes
long.)

> > (or don't want to spend) the $$$ to do BGP, or are unable to
>
> ???
>
> BGP isn't that expensive.

BGP isn't expensive. Buying swamp space so you can DO it reasonably is.

> > convince their upstream to cut a hole in their CIDR block and
>
> Find a clueful or cooperative upstream...
>
> > allow a 2nd party to announce that chunk (which for some is as
> > small as /28).
>
> This _is_ a problem.

s/a problem/nigh-impossible/

Ever looked at the number of blocks now marked Non-Portable? Most
providers I talked to in the above endeavor wouldn't allow slice-n-dice
out of any of those blocks.

[ snip ]

BTW, setting minimum TTLs, while a valid *business* response, isn't a
valid technical one. After all, if they said TTL 5, they had a reason
for it. The fact that your *business* considers this excessive is a
counter to their *business* need for having short TTLs. After all, if
it were solely reasons based on technical merit... DNS resolvers scale
well, as does bandwidth.

--
***************************************************************************
Joel Baker                           System Administrator - lightbearer.com
[email protected]                    http://users.lightbearer.com/lucifer/
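The client-side SRV failover Joel describes (several colocation sites, clients that understand SRV records) works roughly as below. This is an added example, not code from the thread or from lightbearer.com; the host names, ports, weights and the `is_up` health check are constructed stand-ins.

```python
"""Client-side SRV target selection and failover in the style of RFC 2782.

Added illustration for the NANOG thread above; all names and numbers
are constructed sample data, not records from any real zone.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    priority: int   # lower is tried first
    weight: int     # relative share within the same priority (0 = last resort)
    target: str
    port: int


# Constructed sample answer: two preferred sites (priority 10) with unequal
# weights, and two backup sites (priority 20) that are only used on failure.
SAMPLE_SRV = [
    SrvRecord(10, 70, "colo-a.example.net", 443),
    SrvRecord(10, 30, "colo-b.example.net", 443),
    SrvRecord(20, 0, "colo-c.example.net", 443),
    SrvRecord(20, 0, "colo-d.example.net", 443),
]


def order_targets(records, seed=None):
    """Return records in the order a client should try them: ascending
    priority, and within one priority a weighted random draw per RFC 2782
    (zero-weight records go to the front so they are drawn only when the
    random pick is 0)."""
    rng = random.Random(seed)
    by_priority = {}
    for rec in records:
        by_priority.setdefault(rec.priority, []).append(rec)
    ordered = []
    for prio in sorted(by_priority):
        pool = sorted(by_priority[prio], key=lambda r: r.weight != 0)
        while pool:
            total = sum(r.weight for r in pool)
            pick = rng.randint(0, total)
            running = 0
            for rec in pool:
                running += rec.weight
                if running >= pick:
                    break
            ordered.append(rec)
            pool.remove(rec)
    return ordered


def connect_with_failover(records, is_up, seed=None):
    """Walk the SRV order and return the first target the health check
    accepts, or None when every site is down. is_up(host, port) stands in
    for the client's own probe (for example a TCP connect with a timeout)."""
    for rec in order_targets(records, seed):
        if is_up(rec.target, rec.port):
            return rec
    return None
```

Because the choice is made in the client, a site failure is routed around on the next connection attempt rather than after the DNS TTL expires, which is why controlling the clients end-to-end mattered.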