Re: ACS DNS?

From: Royce Williams <royce@alaska.net>
Date: Thu Feb 22 2007 - 02:01:38 AKST

Combining a couple of threads:

On Wednesday 21 February 2007 12:36, W.D.McKinney wrote:
> > I wonder if ACS has depreciated the 209.193.4.7 and 209.193.4.8
> > servers?
> > They are online but not when you lookup NS for acsalaska.net.
> > -Dee

Shane Spencer wrote, on 2/21/2007 2:31 PM:
>> Yes, that is the info I looked at prior to posting. I wondered why they moved it over to customers.
>
> Maybe they have special unsecure DNS servers they were using, and they
> decided to segregate them :) Or they just suck at service load
> balancing. A big old ISP should know never to screw with DNS servers.
> However if you are ever working in a situation where you aren't
> always on the up and up with administrating a client's machines,
> implement your own caching nameserver by using bind9 and a default
> configuration that pulls DNS requests from the root servers. Thems
> are a bit more consistent.

Insert giant 'I am not speaking on behalf of my employer' here. :)

Determining what DNS servers you should use by looking up the NS
records or WHOIS data for a domain is a Bad Idea. It used to work
fine, but that is no longer the case.

This is because it has become necessary for most providers to separate
their recursive and authoritative servers. For further reference on
why this is a Good Idea -- and especially why running an open
recursing server is as bad (and as publicly embarrassing) as having an
open relay -- see

http://www.google.com/search?q=recursive+authoritative+DDoS

AFAIK, ACS will continue to support all of the existing DNS IPs for
our customer use that they always have. If you are not coming from
ACS IP space, however, you will not be able to recurse.

Also, frankly, encouraging people to hit the root servers directly is
a Bad Idea, too. It breaks the hierarchical distribution model.
Telling everyone to hit the roots directly all the time is like
telling everyone to call 911 every time they pick up the phone, and
ask to be transferred. :)

Royce

-- 
Royce D. Williams                                - IP Engineering, ACS
personal: [first]@alaska.net                  - PGP: 3FC087DB/1776A531
work: [first.last]@acsalaska.net         - http://www.tycho.org/royce/
"Don't find fault, find a remedy; anybody can complain."  - Henry Ford
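
Added example, not part of the original message and not ACS's tooling: the recursive/authoritative split described above is visible in the header of a DNS response, so an operator can check how their own server answers a recursive query from a given network. The sketch below builds such a query and classifies responses by the RA flag and RCODE; the sample packets, the name example.com and the address 192.0.2.1 are constructed, and actually sending the query over UDP port 53 is left out so the block runs offline.

```python
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qid=0x1234):
    """Encode an A/IN query with RD=1, i.e. 'please recurse for me'."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def classify_response(packet):
    """Say how a server treated a recursive query for a zone it does not host."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    _qid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    ra = bool(flags & 0x0080)   # RA: server offers recursion to this client
    rcode = flags & 0x000F
    if rcode == 5:
        verdict = "refused"
    elif not ra:
        verdict = "no recursion offered"
    elif rcode == 0 and ancount > 0:
        verdict = "recursed"
    else:
        verdict = "inconclusive"
    return {"ra": ra, "rcode": RCODES.get(rcode, str(rcode)), "verdict": verdict}

def _sample(flags, answer=False):
    """Constructed response: header, echoed question, optional A record."""
    q = build_query("example.com")
    pkt = struct.pack("!HHHHHH", 0x1234, flags, 1, int(answer), 0, 0) + q[12:]
    if answer:  # name pointer to offset 12, A/IN, TTL 300, 192.0.2.1
        pkt += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return pkt

# Constructed samples, not captures from any real server.
SAMPLES = {
    "open recursor": _sample(0x8180, answer=True),   # QR RD RA, NOERROR
    "outside client": _sample(0x8105),               # QR RD, REFUSED
    "authoritative only": _sample(0x8100),           # QR RD, RA clear
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        print(label, classify_response(pkt))
```

A recursive server that is restricted to its own address space should give "recursed" when queried from inside that space and "refused" or "no recursion offered" from anywhere else.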