lists.openwall.net mailing list archives
From: gem at rellim.com (Gary E. Miller)
Subject: FW: Question for DNS pros

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Yo John!

On Thu, 5 Aug 2004, John Hall wrote:

> Is this true for the servers that are doing the recursive lookups for
> the clients on your networks?

Yes, for the clients.  Much less so for the servers, but failover may
also cause the servers to recurse from a distant DNS server.

> Seems somewhat risky,

Less risky than depending on the name servers of those we purchase dial-up
and co-lo services from.  If we had to depend on the tech support
from those guys our DNS would be broken all the time.  With the DNS
under our total control we can monitor it for potential problems and
take immediate action if needed.

When a customer of ours wants a DNS change he wants it now.  If he is
using our name servers we can flush the NS cache, verify with the
customer that he is happy and close the ticket.  Much better than
trying to explain to him that he must wait 48 hours for the changes
to propagate.

Another advantage is we can provide DNS services to knock out doubleclick
and others. :-)

We also get a lot of geographical diversity out of the setup.  CA could
slip into the sea and some of our DNS would still be up.

I am also seeing a lot of DNS servers only answering for their OWN
local nets.  So the roving laptop almost has to use our DNS servers since
he is never sure which local NS to use.

> but it's true that such setups would make RTT less useful.  It's one of
> the problems with making GSLB work well.

Damn right it is.  Makes the RTT perverse.

> Our experience with several large sites
> indicates that the majority of client connections are sent to the "best"
> (as defined by the 3-DNS configuration) data-center, so we conclude that
> most sites (or at least the ones servicing our customers' clients) do
> have their local forwarding DNS servers "close" to the clients they serve.

Maybe yes, maybe no, but I know a lot of large sites where RTT to the DNS
server will give bad answers.

RGDS
GARY
- ---------------------------------------------------------------------------
Gary E. Miller Rellim 20340 Empire Blvd, Suite E-3, Bend, OR 97701
	gem@...lim.com  Tel:+1(541)382-8588 Fax: +1(541)382-8676
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFBEpqJ8KZibdeR3qURAtm0AJ98c1lGVt65Gngu5IX9xiIdCVvRpwCg1/Nf
4esXBtIfaDMgKjfsln+dzIs=
=Zyhr
-----END PGP SIGNATURE-----
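The point both sides of this exchange are circling is that an RTT-steering GSLB never sees the client; it only sees the recursive resolver that asks on the client's behalf, so it optimises for the resolver's location. The following is an added example (not code from the original message or from any product it mentions) that models that decision and quantifies the penalty a "roving laptop" pays when its resolver sits far away. Every hostname, resolver name, data-centre label and RTT figure is constructed for illustration.

```python
"""
Why RTT-based global server load balancing (GSLB) gives "perverse"
answers when the client's recursive resolver is far from the client.
All vantage points, data centres and round-trip times are constructed.
"""

# Constructed RTTs in milliseconds from each vantage point (a client or
# the recursive resolver it uses) to each of three data centres.
RTT_MS = {
    "laptop-in-london":  {"us-west": 150, "us-east": 80, "eu-west": 15},
    "laptop-in-bend-or": {"us-west": 20,  "us-east": 75, "eu-west": 160},
    "resolver-bend-or":  {"us-west": 18,  "us-east": 70, "eu-west": 155},
    "resolver-london":   {"us-west": 145, "us-east": 78, "eu-west": 12},
}


def best_datacenter(vantage: str) -> str:
    """Data centre with the lowest RTT as measured from `vantage`."""
    rtts = RTT_MS[vantage]
    return min(rtts, key=rtts.get)


def gslb_answer(resolver: str) -> str:
    """What an RTT-steering GSLB returns for a query.

    The GSLB only sees the resolver's source address, so it measures RTT
    to the resolver and answers with the data centre closest to *it*.
    """
    return best_datacenter(resolver)


def steering_penalty_ms(client: str, resolver: str) -> int:
    """Extra latency the client pays because the GSLB optimised for the
    resolver's location rather than the client's (0 when they agree)."""
    chosen = gslb_answer(resolver)
    ideal = best_datacenter(client)
    return RTT_MS[client][chosen] - RTT_MS[client][ideal]


def is_perverse(client: str, resolver: str, threshold_ms: int = 50) -> bool:
    """True when resolver-based steering costs the client more than
    `threshold_ms` over the data centre it should have been sent to."""
    return steering_penalty_ms(client, resolver) > threshold_ms


def survey(threshold_ms: int = 50) -> list[tuple[str, str, int]]:
    """Every client/resolver pairing in the table whose steering is
    perverse, with the penalty, sorted worst first."""
    clients = [v for v in RTT_MS if v.startswith("laptop")]
    resolvers = [v for v in RTT_MS if v.startswith("resolver")]
    hits = [
        (c, r, steering_penalty_ms(c, r))
        for c in clients
        for r in resolvers
        if is_perverse(c, r, threshold_ms)
    ]
    return sorted(hits, key=lambda t: -t[2])


if __name__ == "__main__":
    # The roving laptop in London still pointed at its home resolver in
    # Bend, OR is steered to us-west and pays 135 ms over eu-west.
    for client, resolver, penalty in survey():
        print(f"{client} via {resolver}: +{penalty} ms "
              f"(sent to {gslb_answer(resolver)}, "
              f"wanted {best_datacenter(client)})")
```

The same model explains why the quoted claim that most sites are "close" to their resolvers and the reply that many large sites get bad answers can both be true: the penalty is zero for every client that uses a nearby resolver and grows with the distance between client and resolver, so the population of mobile or centrally-resolved clients decides how often the steering is wrong.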

