nanog mailing list archives

Re: DNS DOS increasing?


From: "Joel Baker" <lucifer () lightbearer com>
Date: Mon, 21 Jan 2002 11:51:17 -0700


On Mon, Jan 21, 2002 at 05:08:21PM +0000, E.B. Dreger wrote:

> Date: Mon, 21 Jan 2002 10:07:32 -0500
> From: James Smith <jsmith () PRESIDIO com>
>
> > Get ready for more DOS-like behavior as systems get deployed
> > that have 10 second TTLs in the DNS. These systems are used to
> > provide multi-ISP redundancy by pinging each upstream's router,
> > and when a ping fails, start giving out a DNS response using
> > the other ISP IP range. Same FQDN, new IP.
>
> Ughh.  Constant pinging == RFC violation (I forget number).
> Short TTL = bad idea, stretching DNS beyond what it's meant to
> do.  [Not intended as flamebait, but I know that not everyone
> will agree with this statement.]

Yup. But there is a business drive. When technology and business
conflict... you WILL find out who writes your paycheck.

> > This of course is driven by the desire for redundancy in small
> > businesses who make the Internet an integral part of their
> > business plan. Either they can't get PI space and don't have
>
> PI space isn't that big of a deal for most small businesses.  For
> service providers, yes.  For other organizations that have at
> most half a dozen Internet-facing servers that might be
> renumbered every year or two, it is less of an issue.

*choke*

You've never actually worked for a small business that had some basic
need for serious uptime (5 9s minimum) and serious security, have you?
Sure, they might need only a /26 for their entire network - but that
network can easily be handling a few million dollars of value every
hour, 24/7/365. Yes, I've had to lay this out. It was for a financial
company which had to comply with banking requirements.

PI space is not a valid answer for a small business. For a medium-sized
business (especially if they can buy out an old company and the swamp /24
that comes with it), yes, but not a small one.

(The answer, BTW, was to use 4 separate colocation providers, and clients
which could handle SRV records, because we controlled it end-to-end. If
we hadn't controlled both clients and servers, we would have been totally
hosed - and the SRV TTLs were still only 5 minutes long.)

> > (or don't want to spend) the $$$ to do BGP, or are unable to
>
> ???
>
> BGP isn't that expensive.

BGP isn't expensive. Buying swamp space so you can DO it reasonably is.

> > convince their upstream to cut a hole in their CIDR block and
>
> Find a clueful or cooperative upstream...

> > allow a 2nd party to announce that chunk (which for some is as
> > small as /28).
>
> This _is_ a problem.

s/a problem/nigh-impossible/

Ever looked at the number of blocks now marked Non-Portable? Most providers
I talked to in the above endeavor wouldn't allow slice-n-dice out of any
of those blocks.

[ snip ]

BTW, setting minimum TTLs, while a valid *business* response, isn't a valid
technical one. After all, if they said TTL 5, they had a reason for it. The
fact that your *business* considers this excessive is a counter to their
*business* need for having short TTLs. After all, if it were solely reasons
based on technical merit... DNS resolvers scale well, as does bandwidth.
-- 
***************************************************************************
Joel Baker                           System Administrator - lightbearer.com
lucifer () lightbearer com              http://users.lightbearer.com/lucifer/
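The SRV-based client failover described in this message, as an added worked example in Python (not code from the original post or from Joel Baker's setup): the client orders SRV targets per RFC 2782 and itself falls through to the next colocation site when a target does not answer, so a resolver that clamps TTLs upward (the minimum-TTL point above) does not delay the switch. The service name `_app._tcp.example.net`, the `colo1`..`colo4` targets, and the weights are constructed.

```python
import random
from dataclasses import dataclass

@dataclass(frozen=True)
class SRV:
    priority: int  # lower value is tried first (RFC 2782)
    weight: int    # relative share among equal-priority targets
    port: int
    target: str

# Constructed record set for hypothetical _app._tcp.example.net:
# two primary colo sites at priority 10, two backups at priority 20.
RECORDS = [
    SRV(10, 60, 443, "colo1.example.net."),
    SRV(10, 40, 443, "colo2.example.net."),
    SRV(20, 50, 443, "colo3.example.net."),
    SRV(20, 50, 443, "colo4.example.net."),
]

def order_targets(records, rng=None):
    """Return records in RFC 2782 try-order: ascending priority; within
    one priority a weighted random order (higher weight = first more often)."""
    rng = rng if rng is not None else random.Random()
    ordered = []
    for prio in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == prio]
        while group:
            total = sum(r.weight for r in group)
            pick = rng.randint(0, total)
            running = 0
            for chosen in group:
                running += chosen.weight
                if running >= pick:
                    break
            ordered.append(chosen)
            group.remove(chosen)
    return ordered

def connect(records, reachable, rng=None):
    """Walk the try-order and return the first target that answers.
    `reachable(name)` stands in for the real connection attempt."""
    for rec in order_targets(records, rng):
        if reachable(rec.target):
            return rec
    return None

def first_choice_share(records, target, trials, seed):
    """Fraction of trials in which `target` is tried first (weight check)."""
    rng = random.Random(seed)
    return sum(order_targets(records, rng)[0].target == target
               for _ in range(trials)) / trials
```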

