News from PANUG - February 5, 2001
http://www.panug.org
info@panug.org

YOUR DNS IS LIKE MICROSOFT'S
by Ed Sawicki
Accelerated Learning Center
http://alcpress.com

Half of you reading this work for companies that have DNS design problems just like Microsoft had last week! Your entire Internet presence can go down with the failure of a single router, firewall, hub, etc.

This morning, I went through the PANUG and BizNix email lists and queried your domains to see how many DNS servers were authoritative and whether they were all on the same network. I discovered that about half of them had DNS servers that were connected to the same network.

If your DNS service is supplied by your ISP, be aware that ISPs also suffer the same problem. I found the problem with Europa, Involved, Internet Communications, and DSL-Only. I did not check all of the ISPs that serve Portland, so there are probably more. The worst was Internet Communications, which had only one authoritative DNS server even though there were two listed in the whois database.

Note that there are other DNS problems that I observed but didn't include in the 50 percent number. Many domains have lame servers. A lame server is one that is listed as authoritative for a domain but does not actually answer authoritatively for it. If a domain has two listed servers but one is lame, the domain is running with only one server - a very bad thing.

If you do business over the Internet, check to see whether your DNS is distributed and that all DNS servers are working. If you lack the skills to do this, you may want to attend my DNS Boot Camp class on February 26. Check the PANUG web page for details.

MICROSOFT SOLVES DNS PROBLEMS

Microsoft wasted no time in solving the DNS problems that caused a serious outage last week. Their core problem was not distributing their DNS servers.
These are the DNS servers that were authoritative for the microsoft.com domain last week:

dns4.cp.msft.net 207.46.138.11
dns5.cp.msft.net 207.46.138.12
dns6.cp.msft.net 207.46.138.21
dns7.cp.msft.net 207.46.138.20

Note that they're all connected to the same network - a bad thing.

Microsoft solved this problem by contracting with Akamai Technologies for additional DNS service and moving two of their internal DNS servers to a different network. These are the authoritative DNS servers now:

DNS1.TK.MSFT.NET 207.46.232.37
DNS2.TK.MSFT.NET 207.46.232.38
DNS4.CP.MSFT.NET 207.46.138.11
DNS5.CP.MSFT.NET 207.46.138.12
Z1.MSFT.AKADNS.COM 216.32.118.104
Z3.MSFT.AKADNS.COM 63.215.198.67
Z4.MSFT.AKADNS.COM 208.148.96.220
Z7.MSFT.AKADNS.COM 213.161.66.158

The Akamai servers are well distributed. Two are located in Silicon Valley, one in Virginia, and the last is located on one of above.net's DNS servers. These servers are running BIND on Unix or Linux. Microsoft's internal DNS servers are running on a Windows platform.

Some journalists and many open source enthusiasts are delighted with the irony of Microsoft having to use open source software (BIND) to solve their security problems. However, if you've attended my DNS course, you know that this strategy of mixing platforms is a good one - especially considering the BIND problems that were reported last week. So, Microsoft, whether they know it or not, did a good job of implementing a solid solution to their DNS problems. They used outsourcing.

OUTSOURCING DNS

If outsourcing your DNS is attractive to you, check out the following web site:
http://alcpress.com/consult/dnshelper.htm
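The two checks the newsletter describes (are the authoritative servers spread across different networks, and is any listed server lame) can be scored from the results of a query run against each listed server. The script below is an added example, not part of the original newsletter: it takes the microsoft.com server lists quoted above, plus a hypothetical domain with one lame server, and treats "same network" as "same /24 prefix", which is an assumption standing in for the author's own judgement. The per-server "answered authoritatively" flags are assumed for illustration, as would be produced by checking the AA bit in each server's reply.

```python
import ipaddress

# Constructed sample data: the microsoft.com server lists quoted above, each
# paired with an assumed "answered authoritatively" flag (True = AA bit set
# for the zone, False = lame). The flags are illustrative, not measured.
MSFT_BEFORE = [
    ("dns4.cp.msft.net", "207.46.138.11", True),
    ("dns5.cp.msft.net", "207.46.138.12", True),
    ("dns6.cp.msft.net", "207.46.138.21", True),
    ("dns7.cp.msft.net", "207.46.138.20", True),
]
MSFT_AFTER = [
    ("dns1.tk.msft.net", "207.46.232.37", True),
    ("dns2.tk.msft.net", "207.46.232.38", True),
    ("dns4.cp.msft.net", "207.46.138.11", True),
    ("dns5.cp.msft.net", "207.46.138.12", True),
    ("z1.msft.akadns.com", "216.32.118.104", True),
    ("z3.msft.akadns.com", "63.215.198.67", True),
    ("z4.msft.akadns.com", "208.148.96.220", True),
    ("z7.msft.akadns.com", "213.161.66.158", True),
]
# Hypothetical domain: two listed servers, one of which is lame.
LAME_EXAMPLE = [
    ("ns1.example.net", "192.0.2.10", True),
    ("ns2.example.net", "198.51.100.20", False),
]

def assess_dns(servers, prefixlen=24):
    """Return (working, networks, lame): servers that answered with the AA
    bit, the distinct /prefixlen networks those servers sit on, and the
    names of listed servers that did not answer authoritatively."""
    lame = [name for name, _, aa in servers if not aa]
    nets = {ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
            for _, ip, aa in servers if aa}
    return len(servers) - len(lame), len(nets), lame

def is_distributed(servers, prefixlen=24):
    """True only when at least two working servers are on different networks."""
    working, nets, _ = assess_dns(servers, prefixlen)
    return working >= 2 and nets >= 2

if __name__ == "__main__":
    for label, servers in [("before", MSFT_BEFORE), ("after", MSFT_AFTER),
                           ("lame", LAME_EXAMPLE)]:
        working, nets, lame = assess_dns(servers)
        print(f"{label}: {working} working server(s) on {nets} network(s),"
              f" lame={lame}, distributed={is_distributed(servers)}")
```

A shared /24 is only a rough proxy: servers on different prefixes can still share one router or upstream link, so confirm the physical path as well.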