I can not go into details, but suffice it to say DNS was just a symptom of other events, not the problem itself. DNS TTL on the global load balancing system was at 5 seconds and DNS load never rose above trivial.

----- Original Message -----
From: "Sean Donelan" <sean@donelan.com>
To: <nanog@merit.edu>
Sent: Wednesday, March 26, 2003 4:09 AM
Subject: The weak link? DNS

Watching the Iraqi Uruklink and Al Jazeera over the weekend, what struck me is how many different ways network administrators can mess up. Although malicious actors have been trying (and succeeding) to exploit vulnerabilities, the worst problems seem to be self-inflicted.
Administrators had used firewalls and locked down their web sites, sometimes so well they couldn't handle the traffic load.
But the real weak link was their DNS servers.
For example, Al Jazeera had the time-to-live of their domain records set to 15 minutes, making them even more vulnerable to increasing the load on their systems. Of course, Al Jazeera had other problems too.
What's even stranger about the Iraqi state provider Uruklink.net is the DNS servers are now self-identifying with earlier (with known bugs) versions of BIND. Last week the Uruklink name server 62.145.94.1 was running 8.2.2-P5, but now is running 8.1.2. Although the web site for www.uruklink.net is up, DNS lookups for www.uruklink.net return various other IP addresses (not in 62.145.94.0/24), including some addresses running web sites claiming the site is "owned." In reality, the site isn't owned; you are being redirected to an unrelated web site.