Name server problems? or did Microsoft forget to pay their bill again?

Greg A. Woods woods at weird.com
Wed Jan 24 08:21:47 UTC 2001


When will all the idiots who think they know how to configure DNS, but
obviously don't, learn that they can't get away with having all their
nameservers on the same network no matter how well connected that
network might appear to be under the best of conditions, or how many
different directions the fiber leaves the building/campus?

As you can see for MICROSOFT.COM everything's apparently in one place,
network geography-wise:

   Domain servers in listed order:

   DNS4.CP.MSFT.NET             207.46.138.11
   DNS5.CP.MSFT.NET             207.46.138.12
   DNS6.CP.MSFT.NET             207.46.138.20
   DNS7.CP.MSFT.NET             207.46.138.21

Those addresses might be in a /16 in allocation:

Microsoft (NETBLK-MICROSOFT-GLOBAL-NET) MICROSOFT-GLOBAL-NET
                                                   207.46.0.0 - 207.46.255.255

and whois.ra.net shows a /18 for their routing:

	$ whois -h whois.ra.net 207.46.138.11
	Route:         207.46.128.0/18
	descr:         MS-CP
	origin:        AS8070
	mnt-by:        MICROSOFT-MAINT-CW
	changed:       judithsh at microsoft.com 20001024
	source:        CW

but I'd almost be willing to bet that all those machines are in the same
building, and maybe even in the same room (and if not they're probably
at least all on the same campus).  Even if they have tunnels routing
these addresses to machines in diverse physical locales, they don't seem
to have managed to eliminate any significant number of the serious
failure scenarios.


Seems I can at the moment get to *one* of their nameservers:

	$ host -C microsoft.com
	microsoft.com           NS      DNS4.CP.MSFT.NET
	Nameserver DNS4.CP.MSFT.NET not responding
	microsoft.com SOA record not found at DNS4.CP.MSFT.NET, try again
	microsoft.com           NS      DNS5.CP.MSFT.NET
	Nameserver DNS5.CP.MSFT.NET not responding
	microsoft.com SOA record not found at DNS5.CP.MSFT.NET, try again
	microsoft.com           NS      DNS7.CP.MSFT.NET
	dns.cp.msft.net msnhst.microsoft.com    (2001012306 900 600 7200000 7200)
	 !!! microsoft.com SOA primary dns.cp.msft.net is not advertised via NS
	microsoft.com           NS      DNS6.CP.MSFT.NET
	Nameserver DNS6.CP.MSFT.NET not responding
	microsoft.com SOA record not found at DNS6.CP.MSFT.NET, try again

but it's not one that's registered for MSNBC.COM....

   Domain servers in listed order:

   DNS4.CP.MSFT.NET             207.46.138.11
   DNS5.CP.MSFT.NET             207.46.138.12


	$ host -C msnbc.com     
	msnbc.com               NS      DNS4.CP.MSFT.NET
	Nameserver DNS4.CP.MSFT.NET not responding
	msnbc.com SOA record not found at DNS4.CP.MSFT.NET, try again
	msnbc.com               NS      DNS5.CP.MSFT.NET
	Nameserver DNS5.CP.MSFT.NET not responding
	msnbc.com SOA record not found at DNS5.CP.MSFT.NET, try again

I can however eventually (took one retry and quite a few seconds!) get
an answer for www.msnbc.com it seems:

	$ host -a www.msnbc.com 
	www.msnbc.com           CNAME   msnbc.com
	msnbc.com               NS      DNS4.CP.MSFT.NET
	msnbc.com               NS      DNS5.CP.MSFT.NET
	msnbc.com               A       207.46.238.109
	msnbc.com               A       207.46.238.23
	msnbc.com               A       207.46.238.24
	msnbc.com               A       207.46.238.26
	msnbc.com               A       207.46.150.205
	msnbc.com               A       207.46.150.254

Wow!  Would you look at that!  They may even have their web servers more
diversely placed on the network than they do their nameservers!

If only Microsoft were the only ones that made this kind of inevitably
fatal (at least from a DNS point of view) mistake.....  :-(

One would think that a company with the obvious resources and power they
have would have registered nameservers on every major backbone on the
planet, and then some (right up to the maximum possible!).  I don't want
my nameservers to disappear from any part of the net at any time, and
I'm sure they don't either.  I've only got three for my home domain
(with really only two separate network paths to them), but I'm not a
multi-national corporation either!

Oh, and just as I'm about to send this off I see one more server cough
up replies (guess that's where I got the msnbc.com A RRs from too):

	$ host -C msnbc.com        
	msnbc.com               NS      DNS5.CP.MSFT.NET
	Nameserver DNS5.CP.MSFT.NET not responding
	msnbc.com SOA record not found at DNS5.CP.MSFT.NET, try again
	msnbc.com               NS      DNS4.CP.MSFT.NET
	dns.cp.msft.net msnhst.microsoft.com    (2001012205 1800 900 7200000 3600)
	 !!! msnbc.com SOA primary dns.cp.msft.net is not advertised via NS

	$ host -C microsoft.com
	microsoft.com           NS      DNS5.CP.MSFT.NET
	Nameserver DNS5.CP.MSFT.NET not responding
	microsoft.com SOA record not found at DNS5.CP.MSFT.NET, try again
	microsoft.com           NS      DNS7.CP.MSFT.NET
	Nameserver DNS7.CP.MSFT.NET not responding
	microsoft.com SOA record not found at DNS7.CP.MSFT.NET, try again
	microsoft.com           NS      DNS6.CP.MSFT.NET
	dns.cp.msft.net msnhst.microsoft.com    (2001012306 900 600 7200000 7200)
	 !!! microsoft.com SOA primary dns.cp.msft.net is not advertised via NS
	microsoft.com           NS      DNS4.CP.MSFT.NET
	dns.cp.msft.net msnhst.microsoft.com    (2001012306 900 600 7200000 7200)

-- 
							Greg A. Woods

+1 416 218-0098      VE3TCP      <gwoods at acm.org>      <robohack!woods>
Planix, Inc. <woods at planix.com>; Secrets of the Weird <woods at weird.com>
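
An added example, not part of the original message: the by-hand check above (map each registered nameserver to its covering route, then see how many answer) written as a small Python script. The nameserver addresses, the route object and the `host -C` lines are copied from the message; the function names and the "single point of failure" rule (every server behind one routed prefix) are assumptions of this example.

```python
import ipaddress
import re

# Delegation data copied from the whois listing quoted in the message.
NAMESERVERS = {
    "DNS4.CP.MSFT.NET": "207.46.138.11",
    "DNS5.CP.MSFT.NET": "207.46.138.12",
    "DNS6.CP.MSFT.NET": "207.46.138.20",
    "DNS7.CP.MSFT.NET": "207.46.138.21",
}
# Route object from the whois.ra.net output in the message: (prefix, origin AS).
ROUTES = [("207.46.128.0/18", "AS8070")]
# First `host -C microsoft.com` run from the message, trimmed to the status lines.
HOST_C_OUTPUT = """\
Nameserver DNS4.CP.MSFT.NET not responding
Nameserver DNS5.CP.MSFT.NET not responding
dns.cp.msft.net msnhst.microsoft.com    (2001012306 900 600 7200000 7200)
Nameserver DNS6.CP.MSFT.NET not responding
"""

def covering_route(addr, routes):
    """Return the longest-prefix (network, origin) covering addr, or None."""
    ip = ipaddress.ip_address(addr)
    hits = [(ipaddress.ip_network(p), asn) for p, asn in routes
            if ip in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen) if hits else None

def diversity_report(nameservers, routes):
    """Group nameservers by covering route and flag shared-fate delegations."""
    groups = {}
    for name, addr in nameservers.items():
        groups.setdefault(covering_route(addr, routes), []).append(name)
    known = [r for r in groups if r is not None]
    slash24s = {ipaddress.ip_network(a + "/24", strict=False)
                for a in nameservers.values()}
    return {
        "groups": groups,
        "distinct_prefixes": len({r[0] for r in known}),
        "distinct_origins": len({r[1] for r in known}),
        "distinct_slash24": len(slash24s),
        # Assumed rule: all servers behind one route share every routing failure.
        "single_point_of_failure": len(groups) == 1,
    }

def unresponsive(host_c_output):
    """Extract the server names that `host -C` reported as not responding."""
    return re.findall(r"Nameserver (\S+) not responding", host_c_output)

if __name__ == "__main__":
    print(diversity_report(NAMESERVERS, ROUTES))
    print(unresponsive(HOST_C_OUTPUT))
```
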



