Re: SCO: ISPs are blocking our site Blake Stowell

From: Bill Vermillion (bv_at_wjv.comREMOVE)
Date: 02/02/04


Date: Mon, 02 Feb 2004 19:45:06 GMT

In article <3OwTb.209574$xy6.1075105@attbi_s02>,
Joe Dunning <joedunning1234_removethis@hotmail.com> wrote:
>On Mon, 02 Feb 2004 14:05:00 GMT, Bill Vermillion <bv@wjv.comREMOVE> wrote:
>>In article <SDmTb.207681$xy6.1063854@attbi_s02>,
>>Joe Dunning <joedunning1234_removethis@hotmail.com> wrote:
>>>On Mon, 02 Feb 2004 06:55:29 GMT, Scott Burns <scott@mirrabooka.com> wrote:
>>>>Daeron wrote:
>>>>
>>>>>Feb 01 2004
>>>>>
>>>>>"There are Internet service providers around the world who are
>>>>>blocking access to SCO," company spokesman Blake Stowell said, adding
>>>>>it was because they believe they can limit exposure to the virus that
>>>>>way.
>>>>
>>>>It seems that the way they protected themselves was to remove the DNS
>>>>entry for www.sco.com - it is unresolvable but sco.com is still there.
>>>> I don't think ISPs had anything to do with it.
>>
>>>The one analysis that I read showed that the virus only attempted to
>>>resolve www.sco.com -- it did not do a DDoS. So, removing www.sco.com
>>>will actually result in more load, not less, because the ISPs'
>>>nameservers won't be able to cache the data for www.sco.com
>>
>>There have been many articles on this on the NANOG list in the last
>>day. But when you say that it will give a higher load because the
>>domain is not there, that should not be. What will happen would be
>>like this:

>>*** ns1.xxxxxx.net can't find www.sco.com: Non-existent host/domain
>>Server: ns1.xxxxxx.net
>>Address: xx.xxx.xxx.11

>>[That's a nameserver I maintain and no reason to publish it to the
>>world - but a rewrite of the file to use the provider on this DSL
>>gives this]

>>*** ns1.sprintlink.net can't find www.sco.com: Non-existent host/domain
>>Server: ns1.sprintlink.net
>>Address: 204.117.214.10

>Yes, but each time you do this, I think your ISP's nameserver contacts
>SCO's nameservers to try to resolve www.sco.com. On the other hand, if
>www.sco.com resolved to 127.0.0.1 with a TTL of 3600, the ISP's
>nameserver would perform the lookup only once per hour.

No - it will not happen each time you do this. The DNS you are
using, whether your ISP's or someone else's, if it does not have
the name in cache, will look to the next one up the list, and then
if they are not there it will go to the root servers to get the
name of the authoritative server.

I just tested and the first lookup to www.sco.com took 0.14s. Each
additional lookup took 0.00s as they were in the name servers
cache.

A lookup to www.thescogroup.com took 3.95s as it did have to
retrieve all the data as it was not in the "Non-existent
host/domain" category.

A kill -2 on the named server generates a memory dump of the memory
cache and the www under $ORIGIN sco.com shows the www with a
leading ; - which is the comment in a dns system.

So since it is in cache the name only has to be looked up once to
find it is non-existent and the load on the DNS server is no more
than you'd get from any non-existent domain.

So SCO's method of removing the www from the authoritative DNS was
the appropriate move to take to eliminate congestion anywhere along
the line.

>>So the lookup stops right there. [I used nslookup and not dig just
>>for the more compact output for this post].

>I'm not sure what you mean by "the lookup stops right there".
>Your machine is asking your ISP's nameserver to resolve
>www.sco.com and your ISP's nameserver is returning the
>information that it does not exist, however, in order to
>do this, your ISP's nameserver has to contact one of SCO's
>nameservers each time.

No - as explained above. It does NOT contact the authoritative
server each time. Once it makes a query the results are stored in
cache.

Earlier the SCO DNS had its TTL set down to 60 seconds from
reports I saw in NANOG, and you normally only turn your TTLs down
that low when you are getting ready to make major changes so that
the information is not stored in far flung caches until the
time the TTL says it is invalid.

By 'lookup stops right there' that is what I mean. It goes to the
nameserver, which is aware the site does not exist >IF< that is NOT
the first query to the site. The first query will cache the
information.

The dump shows that info on that has a 1 hour refresh, and a 15
minute retry, and if the name server is unreachable the cache is
valid for 7 days.

This is all part of how DNS works - they all have cache in them so
you don't have to perform lookups all the time.

Even if you run DNS that is not authoritative nor secondary, it
just becomes a caching server so that you don't have to perform new
lookups each time you query a site. I run a cache only on my local
machines.

The nameserver I did the dump on has about 900 sites in it and it's
one of a pair I maintain at that location. I trust its data.

Bill

-- 
Bill Vermillion - bv @ wjv . com

