Firewall Wizards mailing list archives
Re: Allowing DNS servers to operate behind NetScreen 500
From: David Lang <david.lang () digitalinsight com>
Date: Mon, 17 Feb 2003 20:56:16 -0800 (PST)
Also some large websites don't load balance behind a single IP address; instead they use lots of IP addresses. According to the post 9-11 talks from the folks running the Turner websites, they haven't found a load balancer they trust to use in their high-bandwidth environment (>2Gb of internet bandwidth on 9-11, and I think they mentioned that they are up above 3Gb now). They move servers from one site to another and change DNS to balance their load. Below is a list of the cnn.com servers right now; if something significant were to happen the list would get significantly longer.

David Lang

web:~# dig cnn.com

; <<>> DiG 9.2.1 <<>> cnn.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24772
;; flags: qr rd ra; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;cnn.com.                       IN      A

;; ANSWER SECTION:
cnn.com.                115     IN      A       64.236.24.20
cnn.com.                115     IN      A       64.236.24.28
cnn.com.                115     IN      A       64.236.16.20
cnn.com.                115     IN      A       64.236.16.52
cnn.com.                115     IN      A       64.236.16.84
cnn.com.                115     IN      A       64.236.16.116
cnn.com.                115     IN      A       64.236.24.4
cnn.com.                115     IN      A       64.236.24.12

;; Query time: 30 msec
;; SERVER: 64.81.45.2#53(64.81.45.2)
;; WHEN: Mon Feb 17 22:00:27 2003
;; MSG SIZE  rcvd: 153

On Mon, 17 Feb 2003, Chuck Swiger wrote:
Date: Mon, 17 Feb 2003 11:39:57 -0500
From: Chuck Swiger <chuck () codefab com>
To: "'firewall-wizards () honor ics..." <firewall-wizards () honor icsalabs com>
Subject: Re: [fw-wiz] Allowing DNS servers to operate behind NetScreen 500

Reckhard, Tobias wrote:
[ ... ]
I'd be interested in other, real-world reasons why DNS responses should be allowed to be over 512 bytes in size. Not out of opposition, but out of interest.

MX records for popular domains:

58-sec% dig aol.com. @pi.codefab.com. mx

; <<>> DiG 8.3 <<>> aol.com. @pi.codefab.com. mx
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 4, ADDITIONAL: 30
;; QUERY SECTION:
;;      aol.com, type = MX, class = IN

;; ANSWER SECTION:
aol.com.                1H IN MX        15 mailin-02.mx.aol.com.
aol.com.                1H IN MX        15 mailin-03.mx.aol.com.
aol.com.                1H IN MX        15 mailin-04.mx.aol.com.
aol.com.                1H IN MX        15 mailin-01.mx.aol.com.

;; AUTHORITY SECTION:
aol.com.                1H IN NS        dns-01.ns.aol.com.
aol.com.                1H IN NS        dns-02.ns.aol.com.
aol.com.                1H IN NS        dns-06.ns.aol.com.
aol.com.                1H IN NS        dns-07.ns.aol.com.

;; ADDITIONAL SECTION:
mailin-02.mx.aol.com.   5M IN A         64.12.136.89
mailin-02.mx.aol.com.   5M IN A         64.12.136.121
mailin-02.mx.aol.com.   5M IN A         64.12.137.89
mailin-02.mx.aol.com.   5M IN A         64.12.137.184
mailin-02.mx.aol.com.   5M IN A         64.12.138.89
mailin-02.mx.aol.com.   5M IN A         64.12.138.120
mailin-03.mx.aol.com.   5M IN A         64.12.136.217
mailin-03.mx.aol.com.   5M IN A         64.12.136.249
mailin-03.mx.aol.com.   5M IN A         64.12.137.121
mailin-03.mx.aol.com.   5M IN A         64.12.137.152
mailin-03.mx.aol.com.   5M IN A         64.12.138.57
mailin-03.mx.aol.com.   5M IN A         64.12.138.120
mailin-04.mx.aol.com.   5M IN A         152.163.224.122
mailin-04.mx.aol.com.   5M IN A         64.12.136.153
mailin-04.mx.aol.com.   5M IN A         64.12.137.121
mailin-04.mx.aol.com.   5M IN A         64.12.137.152
mailin-04.mx.aol.com.   5M IN A         64.12.138.89
mailin-04.mx.aol.com.   5M IN A         205.188.156.154
mailin-04.mx.aol.com.   5M IN A         64.12.138.152
mailin-01.mx.aol.com.   5M IN A         152.163.224.26
mailin-01.mx.aol.com.   5M IN A         64.12.136.57
mailin-01.mx.aol.com.   5M IN A         205.188.156.122
mailin-01.mx.aol.com.   5M IN A         64.12.137.89
mailin-01.mx.aol.com.   5M IN A         64.12.137.184
mailin-01.mx.aol.com.   5M IN A         64.12.138.57
mailin-01.mx.aol.com.   5M IN A         64.12.138.152
dns-01.ns.aol.com.      44m44s IN A     152.163.159.232
dns-02.ns.aol.com.      44m44s IN A     205.188.157.232
dns-06.ns.aol.com.      1d16h44m41s IN A  149.174.211.8
dns-07.ns.aol.com.      1d16h44m41s IN A  64.12.51.132

;; Total query time: 222 msec
;; FROM: sec.codefab.com to SERVER: pi.codefab.com.  12.38.161.140
;; WHEN: Sun Feb 16 19:07:29 2003
;; MSG SIZE  sent: 25  rcvd: 699

-Chuck
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
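To make the 512-byte point from both posts concrete, here is an added example (not code from either poster) that encodes the two replies shown above in DNS wire format with RFC 1035 name compression and reproduces the 153- and 699-byte sizes that dig reports. The transaction ID, the flags, and the address and TTL values in the aol.com additional section are constructed placeholders; they do not affect the message size.

```python
import struct
A, NS, MX = 1, 2, 15  # the DNS record types that appear in the two replies

def encode_name(name, offsets, pos):
    # RFC 1035 label compression: `offsets` maps every suffix already written
    # (e.g. 'mx.aol.com') to its byte position; `pos` is where this name starts.
    labels = name.rstrip(".").split(".")
    out = b""
    for i, label in enumerate(labels):
        suffix = ".".join(labels[i:])
        if suffix in offsets:  # the rest of the name becomes a 2-byte pointer
            return out + struct.pack("!H", 0xC000 | offsets[suffix])
        offsets[suffix] = pos + len(out)
        out += bytes([len(label)]) + label.encode()
    return out + b"\x00"

def build_response(qname, qtype, answer, authority, additional):
    # Records are (owner, type, ttl, rdata); rdata is an IPv4 string for A, a
    # name for NS, or (preference, name) for MX. ID and flags are constructed.
    offsets = {}
    msg = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(answer), len(authority), len(additional))
    msg += encode_name(qname, offsets, len(msg)) + struct.pack("!HH", qtype, 1)
    for owner, rtype, ttl, rdata in answer + authority + additional:
        msg += encode_name(owner, offsets, len(msg)) + struct.pack("!HHIH", rtype, 1, ttl, 0)
        start = len(msg)  # the rdlength placeholder sits at start-2
        if rtype == A:
            msg += bytes(int(o) for o in rdata.split("."))
        elif rtype == NS:
            msg += encode_name(rdata, offsets, start)
        else:  # MX: 2-byte preference, then the exchange name (also compressible)
            msg += struct.pack("!H", rdata[0]) + encode_name(rdata[1], offsets, start + 2)
        msg = msg[:start - 2] + struct.pack("!H", len(msg) - start) + msg[start:]
    return msg

def exceeds_udp_limit(msg):
    # Over 512 bytes a classic (non-EDNS) UDP reply is truncated (TC bit) and the resolver retries over TCP.
    return len(msg) > 512

# cnn.com A answer from the first dig run above: 8 addresses, no other sections
CNN_IPS = ["64.236.24.20", "64.236.24.28", "64.236.16.20", "64.236.16.52",
           "64.236.16.84", "64.236.16.116", "64.236.24.4", "64.236.24.12"]
CNN_RESPONSE = build_response("cnn.com", A, [("cnn.com", A, 115, ip) for ip in CNN_IPS], [], [])
# aol.com MX reply from the quoted dig run: 4 MX, 4 NS, 30 additional A records (6+6+7+7
# for the mail hosts, one per name server); addresses/TTLs are size-neutral placeholders.
HOSTS = [(2, 6), (3, 6), (4, 7), (1, 7)]  # (mailin-0N, number of A records)
AOL_RESPONSE = build_response("aol.com", MX,
    [("aol.com", MX, 3600, (15, f"mailin-0{n}.mx.aol.com")) for n, _ in HOSTS],
    [("aol.com", NS, 3600, f"dns-0{n}.ns.aol.com") for n in (1, 2, 6, 7)],
    [(f"mailin-0{n}.mx.aol.com", A, 300, "64.12.0.1") for n, k in HOSTS for _ in range(k)]
    + [(f"dns-0{n}.ns.aol.com", A, 2684, "64.12.0.2") for n in (1, 2, 6, 7)])
```

The cnn.com answer fits in 153 bytes only because every owner name after the question is a 2-byte pointer; the aol.com reply still reaches 699 bytes with full compression, so a firewall that drops UDP DNS over 512 bytes (or blocks the TCP retry) breaks mail delivery to that domain.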