DNS DOS increasing?
lucifer at lightbearer.com
Mon Jan 21 18:51:17 UTC 2002
On Mon, Jan 21, 2002 at 05:08:21PM +0000, E.B. Dreger wrote:
> > Date: Mon, 21 Jan 2002 10:07:32 -0500
> > From: James Smith <jsmith at PRESIDIO.com>
> > Get ready for more DOS-like behavior as systems get deployed
> > that have 10 second TTLs in the DNS. These systems are used to
> > provide multi-ISP redundancy by pinging each upstream's router,
> > and when a ping fails, start giving out a DNS response using
> > the other ISP IP range. Same FQDN, new IP.
> Ughh. Constant pinging == RFC violation (I forget number).
> Short TTL = bad idea, stretching DNS beyond what it's meant to
> do. [Not intended as flamebait, but I know that not everyone
> will agree with this statement.]
Yup. But there is a business drive. When technology and business
conflict... you WILL find out who writes your paycheck.
> > This of course is driven by the desire for redundancy in small
> > businesses who make the Internet an integral part of their
> > business plan. Either they can't get PI space and don't have
> PI space isn't that big of a deal for most small businesses. For
> service providers, yes. For other organizations that have at
> most half a dozen Internet-facing servers that might be
> renumbered every year or two, it is less of an issue.
You've never actually worked for a small business that had some basic
need for serious uptime (5 9s minimum) and serious security, have you?
Sure, they might need only a /26 for their entire network - but that
network can easily be handling a few million dollars of value every
hour, 24/7/365. Yes, I've had to lay this out. It was for a financial
company which had to comply with banking requirements.
PI space is not a valid answer for a small business. For a medium-sized
business (especially if they can buy out an old company and the swamp /24
that comes with it), yes, but not a small one.
(The answer, BTW, was to use 4 separate colocation providers, and clients
which could handle SRV records, because we controlled it end-to-end. If
we hadn't controlled both clients and servers, we would have been totally
hosed - and the SRV TTLs were still only 5 minutes long.)
> > (or don't want to spend) the $$$ to do BGP, or are unable to
> BGP isn't that expensive.
BGP isn't expensive. Buying swamp space so you can DO it reasonably is.
> > convince their upstream to cut a hole in their CIDR block and
> Find a clueful or cooperative upstream...
> > allow a 2nd party to announce that chunk (which for some is as
> > small as /28).
> This _is_ a problem.
Ever looked at the number of blocks now marked Non-Portable? Most providers
I talked to in the above endeavor wouldn't allow slice-n-dice out of any
of those blocks.
[ snip ]
BTW, setting minimum TTLs, while a valid *business* response, isn't a valid
technical one. After all, if they said TTL 5, they had a reason for it. The
fact that your *business* considers this excessive is a counter to their
*business* need for having short TTLs. After all, if it were solely reasons
based on technical merit... DNS resolvers scale well, as does bandwidth.
Joel Baker System Administrator - lightbearer.com
lucifer at lightbearer.com http://users.lightbearer.com/lucifer/
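The SRV-based multi-colo redundancy described in the message above, as an added example that is not the author's code: a client that orders SRV targets per RFC 2782 (ascending priority, weighted random within a priority tier) and fails over to the next provider when one is down. The four provider names and the health-check callback are constructed assumptions.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    """One SRV RR: priority (lower is preferred), weight (share within a priority)."""
    priority: int
    weight: int
    port: int
    target: str


# Constructed sample: four colocation providers, two preferred and two fallback.
SAMPLE_RECORDS = [
    SrvRecord(10, 60, 443, "colo-a.example"),
    SrvRecord(10, 40, 443, "colo-b.example"),
    SrvRecord(20, 0, 443, "colo-c.example"),   # weight 0: last resort within its tier
    SrvRecord(20, 50, 443, "colo-d.example"),
]


def order_srv_targets(records, seed=None):
    """Return records in RFC 2782 trial order: ascending priority, then
    weighted random selection within each priority tier."""
    rng = random.Random(seed)
    tiers = {}
    for rec in records:
        tiers.setdefault(rec.priority, []).append(rec)
    ordered = []
    for prio in sorted(tiers):
        pool = list(tiers[prio])
        while pool:
            # RFC 2782: weight-0 entries go first so they are chosen only when
            # the random pick is 0, i.e. with very small probability.
            pool.sort(key=lambda r: r.weight != 0)
            total = sum(r.weight for r in pool)
            pick = rng.randint(0, total)
            running = 0
            for rec in pool:
                running += rec.weight
                if running >= pick:
                    ordered.append(rec)
                    pool.remove(rec)
                    break
    return ordered


def connect_with_failover(records, is_up, seed=None):
    """Walk the ordered list and return the first target reported reachable,
    or None if every provider is down. is_up is the client's own health check."""
    for rec in order_srv_targets(records, seed):
        if is_up(rec.target):
            return rec
    return None
```

Because the client itself walks the list, failover does not wait for a cached A record to expire; the SRV TTL only bounds how long a removed or renumbered provider stays in the candidate set.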