At 12:21 PM 12/28/2001 -0500, Ian A Finlay wrote:
Can anyone shed light here?
1) Both of the listed Nameservers for windowsupdate.microsoft.com timed out when I sent them non recursive DNS requests. 2) I killed my DNS cache, and asked again for the NS records for windowsupdate.microsoft.com. A new third one was listed, and one of the original servers began to respond. 3) Another reload shows only 2 servers listed again, and they both respond. Looks to me as if Microsoft is altering global delegation of their windowsupdate service. Maybe diversifying the dns structure as they did with microsoft.com after the attacks a while back? They now have 12 DNS servers scattered around the globe, just to serve microsoft.com dns.
iaf@duwo/iaf 148=>nslookup Default Server: duwo.pair.com Address: 209.68.2.64
windowsupdate.microsoft.com Server: duwo.pair.com Address: 209.68.2.64
*** duwo.pair.com can't find windowsupdate.microsoft.com: Non-existent host/domain -Ian
Looks to me as if Microsoft is altering global delegation of their windowsupdate service. Maybe diversifying the dns structure as they did with microsoft.com after the attacks a while back?
attacks? you mean when they shot themselves in the 2182 foot? there are some good ways to roll new dns delegations, where integrity is maintained throughout the process. there are many bad stoopid ways. dig and doc tell me that this is a case of the latter. randy
At 10:01 AM 12/28/2001 -0800, you wrote:
Looks to me as if Microsoft is altering global delegation of their windowsupdate service. Maybe diversifying the dns structure as they did with microsoft.com after the attacks a while back?
attacks? you mean when they shot themselves in the 2182 foot?
I'm not aware of the exact reasons for their problems. I heard of a few DoS attacks which crippled them due to poor network diversification / design / foo.
there are some good ways to roll new dns delegations, where integrity is maintained throughout the process. there are many bad stoopid ways. dig and doc tell me that this is a case of the latter.
This is unquestionably the case. Good = nobody notices enough to start `dig`ging around in the first place.
randy
--c
attacks? you mean when they shot themselves in the 2182 foot? I'm not aware of the exact reasons for their problems.
someone misconfigured a router so dns could not serve from behind it. this is life, stuff happens. but they had ALL the servers for their domain behind that ONE router, despite massive net lore and a bcp not to do so. so the entire domain and a number of other pieces were unreachable for a long time. yucchhy. the reason i belabor this here is not to abuse this particular foot shooter, but rather to emphasize yet again, diversify your dns servers *widely*, physically and topologically. see rfc 2182. randy
On Fri, 28 Dec 2001, Christopher Schulte wrote:
Looks to me as if Microsoft is altering global delegation of their windowsupdate service. Maybe diversifying the dns structure as they did with microsoft.com after the attacks a while back? They now have 12 DNS servers scattered around the globe, just to serve microsoft.com dns.
Yeah, maybe they're moving they're update service from windowsupdate.microsoft.com to windowsupdate.com. Maybe they'll "Akamize" windowsupdate.com too... bash-2.04$ host www.microsoft.com www.microsoft.com is a nickname for www.microsoft.akadns.net www.microsoft.akadns.net has address 207.46.230.218 www.microsoft.akadns.net has address 207.46.230.219 www.microsoft.akadns.net has address 207.46.230.220 www.microsoft.akadns.net has address 207.46.197.100 www.microsoft.akadns.net has address 207.46.197.101 www.microsoft.akadns.net has address 207.46.197.113 www.microsoft.akadns.net has address 207.46.197.102 bash-2.04$ host windowsupdate.microsoft.com windowsupdate.microsoft.com has address 207.46.106.88 bash-2.04$ host windowsupdate.com windowsupdate.com has address 207.46.106.88 windowsupdate.com has address 207.46.226.17 windowsupdate.com has address 207.68.131.27 -Ian
What you're seeing is MS using Akamai's Edgesuite service. Basically, www.microsoft.com CNAMES to www.microsoft.akadns.net, which resolves to the "closest" Akamai server to the source IP on the DNS query. That box caches the content from the *real* www.microsoft.com, and serves it up. Nice concept, and a helluva lot easier to implement on the end user side than FreeFlow, IMHO... -Chris On Fri, Dec 28, 2001 at 01:40:48PM -0500, Ian A Finlay wrote:
On Fri, 28 Dec 2001, Christopher Schulte wrote:
Looks to me as if Microsoft is altering global delegation of their windowsupdate service. Maybe diversifying the dns structure as they did with microsoft.com after the attacks a while back? They now have 12 DNS servers scattered around the globe, just to serve microsoft.com dns.
Yeah, maybe they're moving they're update service from windowsupdate.microsoft.com to windowsupdate.com. Maybe they'll "Akamize" windowsupdate.com too...
bash-2.04$ host www.microsoft.com www.microsoft.com is a nickname for www.microsoft.akadns.net www.microsoft.akadns.net has address 207.46.230.218 www.microsoft.akadns.net has address 207.46.230.219 www.microsoft.akadns.net has address 207.46.230.220 www.microsoft.akadns.net has address 207.46.197.100 www.microsoft.akadns.net has address 207.46.197.101 www.microsoft.akadns.net has address 207.46.197.113 www.microsoft.akadns.net has address 207.46.197.102
bash-2.04$ host windowsupdate.microsoft.com windowsupdate.microsoft.com has address 207.46.106.88
bash-2.04$ host windowsupdate.com windowsupdate.com has address 207.46.106.88 windowsupdate.com has address 207.46.226.17 windowsupdate.com has address 207.68.131.27
-Ian
-- --------------------------- Christopher A. Woodfield rekoil@semihuman.com PGP Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xB887618B
On Sat, 29 Dec 2001, Christopher A. Woodfield wrote:
What you're seeing is MS using Akamai's Edgesuite service. Basically, www.microsoft.com CNAMES to www.microsoft.akadns.net, which resolves to the "closest" Akamai server to the source IP on the DNS query. That box caches the content from the *real* www.microsoft.com, and serves it up. Nice concept, and a helluva lot easier to implement on the end user side than FreeFlow, IMHO...
No, I'm pretty sure that this is a third distinct service, not EdteSuite or FreeFlow - I know it as nothing but AkaDNS, it probably has a "real" name - if you traceroute to those servers, you'll see that they're actual Microsoft servers. Look at that, versus, say, www.segway.com, which is on EdgeSuite: www.segway.com. 3600 IN CNAME www.segway.com.edgesuite.net. www.segway.com.edgesuite.net. 21600 IN CNAME a1758.gc.akamai.net. a1758.gc.akamai.net. 20 IN A 209.185.188.10 a1758.gc.akamai.net. 20 IN A 209.185.188.107 Notice it's on edgesuite.net, not akadns.net. Tim Wilde -- Tim Wilde twilde@dyndns.org Systems Administrator Dynamic DNS Network Services http://www.dyndns.org/
participants (5)
-
Christopher A. Woodfield
-
Christopher Schulte
-
Ian A Finlay
-
Randy Bush
-
Tim Wilde