Re: Allowing DNS servers to operate behind NetScreen 500

[David Lang <david.lang () digitalinsight com>]

also some large websites don't load balance behind a single IP address,
instead they use lots of IP addresses.

according to the post 9-11 talks from the folks reunning the turner
websites they haven''t found a load balancer they trust to use in their
high-bandwidth environment (>2Gb of internet bandwidth on 9-11 and I think
they mentioned that they are up above 3Gb now) they move servers from one
site to another and change DNS to balance their load below is a list of
the cnn.com servers right now, if something significant ewere to happen
the list would get significantly longer.

David Lang

web:~# dig cnn.com

; <<>> DiG 9.2.1 <<>> cnn.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24772
;; flags: qr rd ra; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;cnn.com.                       IN      A

;; ANSWER SECTION:
cnn.com.                115     IN      A       64.236.24.20
cnn.com.                115     IN      A       64.236.24.28
cnn.com.                115     IN      A       64.236.16.20
cnn.com.                115     IN      A       64.236.16.52
cnn.com.                115     IN      A       64.236.16.84
cnn.com.                115     IN      A       64.236.16.116
cnn.com.                115     IN      A       64.236.24.4
cnn.com.                115     IN      A       64.236.24.12

;; Query time: 30 msec
;; SERVER: 64.81.45.2#53(64.81.45.2)
;; WHEN: Mon Feb 17 22:00:27 2003
;; MSG SIZE  rcvd: 153


On Mon, 17 Feb 2003, Chuck Swiger wrote:

> Date: Mon, 17 Feb 2003 11:39:57 -0500
> From: Chuck Swiger <chuck () codefab com>
> To: "'firewall-wizards () honor ics..." <firewall-wizards () honor icsalabs com>
> Subject: Re: [fw-wiz] Allowing DNS servers to operate behind NetScreen 500
>
> Reckhard, Tobias wrote:
> [ ... ]
> > I'd be interested in other, real-world reasons why DNS responses
> > should be allowed to be over 512 bytes in size. Not out of
> > opposition, but out of interest.
>
> MX records for popular domains:
>
> 58-sec% dig aol.com. @pi.codefab.com. mx
> ; <<>> DiG 8.3 <<>> aol.com. @pi.codefab.com. mx
> ; (1 server found)
> ;; res options: init recurs defnam dnsrch
> ;; got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 4, ADDITIONAL: 30
> ;; QUERY SECTION:
> ;;      aol.com, type = MX, class = IN
>
> ;; ANSWER SECTION:
> aol.com.                1H IN MX        15 mailin-02.mx.aol.com.
> aol.com.                1H IN MX        15 mailin-03.mx.aol.com.
> aol.com.                1H IN MX        15 mailin-04.mx.aol.com.
> aol.com.                1H IN MX        15 mailin-01.mx.aol.com.
>
> ;; AUTHORITY SECTION:
> aol.com.                1H IN NS        dns-01.ns.aol.com.
> aol.com.                1H IN NS        dns-02.ns.aol.com.
> aol.com.                1H IN NS        dns-06.ns.aol.com.
> aol.com.                1H IN NS        dns-07.ns.aol.com.
>
> ;; ADDITIONAL SECTION:
> mailin-02.mx.aol.com.   5M IN A         64.12.136.89
> mailin-02.mx.aol.com.   5M IN A         64.12.136.121
> mailin-02.mx.aol.com.   5M IN A         64.12.137.89
> mailin-02.mx.aol.com.   5M IN A         64.12.137.184
> mailin-02.mx.aol.com.   5M IN A         64.12.138.89
> mailin-02.mx.aol.com.   5M IN A         64.12.138.120
> mailin-03.mx.aol.com.   5M IN A         64.12.136.217
> mailin-03.mx.aol.com.   5M IN A         64.12.136.249
> mailin-03.mx.aol.com.   5M IN A         64.12.137.121
> mailin-03.mx.aol.com.   5M IN A         64.12.137.152
> mailin-03.mx.aol.com.   5M IN A         64.12.138.57
> mailin-03.mx.aol.com.   5M IN A         64.12.138.120
> mailin-04.mx.aol.com.   5M IN A         152.163.224.122
> mailin-04.mx.aol.com.   5M IN A         64.12.136.153
> mailin-04.mx.aol.com.   5M IN A         64.12.137.121
> mailin-04.mx.aol.com.   5M IN A         64.12.137.152
> mailin-04.mx.aol.com.   5M IN A         64.12.138.89
> mailin-04.mx.aol.com.   5M IN A         205.188.156.154
> mailin-04.mx.aol.com.   5M IN A         64.12.138.152
> mailin-01.mx.aol.com.   5M IN A         152.163.224.26
> mailin-01.mx.aol.com.   5M IN A         64.12.136.57
> mailin-01.mx.aol.com.   5M IN A         205.188.156.122
> mailin-01.mx.aol.com.   5M IN A         64.12.137.89
> mailin-01.mx.aol.com.   5M IN A         64.12.137.184
> mailin-01.mx.aol.com.   5M IN A         64.12.138.57
> mailin-01.mx.aol.com.   5M IN A         64.12.138.152
> dns-01.ns.aol.com.      44m44s IN A     152.163.159.232
> dns-02.ns.aol.com.      44m44s IN A     205.188.157.232
> dns-06.ns.aol.com.      1d16h44m41s IN A  149.174.211.8
> dns-07.ns.aol.com.      1d16h44m41s IN A  64.12.51.132
>
> ;; Total query time: 222 msec
> ;; FROM: sec.codefab.com to SERVER: pi.codefab.com.  12.38.161.140
> ;; WHEN: Sun Feb 16 19:07:29 2003
> ;; MSG SIZE  sent: 25  rcvd: 699
>
> -Chuck
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () honor icsalabs com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards