http://www.microsoft.com/info/siteaccess.htm

"Microsoft Explains Site Access Issues

On Tuesday evening and Wednesday, many Microsoft customers had difficulty accessing the company's Web sites. The cause has been determined, and the issue is resolved.

At 6:30 p.m. Tuesday (PST), a Microsoft technician made a configuration change to the routers on the edge of Microsoft's Domain Name Server network. The DNS servers are used to connect domain names with numeric IP addresses (e.g. 207.46.230.219) of the various servers and networks that make up Microsoft's Web presence.

The mistaken configuration change limited communication between DNS servers on the Internet and Microsoft's DNS servers. This limited communication caused many of Microsoft's sites to be unreachable (although they were actually still operational) to a large number of customers throughout last night and today.

This was an operational error, and not the result of any issue with Microsoft or third-party products nor the security of our networks. Microsoft regrets any inconvenience caused to customers due to this issue.

At approximately 5 p.m. Wednesday (PST), Microsoft removed the changes to the router configuration and immediately saw a massive improvement in the DNS network. All sites are currently available to customers. Again, Microsoft apologizes for the inconvenience."
...and immediately saw a massive improvement in the DNS network.
Which would not have suffered such an impact had it been designed correctly, with geographical and topological disparity.

I guess to Microsoft, "RFC" is a four-letter word

--
Alex Kamantauskas
alexk@tugger.net
On Thu, 25 Jan 2001, Rusty H. Hodge wrote:
> > Which would not have suffered such an impact had it been designed correctly, with geographical and topological disparity.
>
> You sure it isn't designed that way? Just because the IPs are on the same /24 doesn't mean anything these days.
Other people share your thoughts Rusty. I just ran across the following on securitygeeks.shmoo.com:

Authored by: gdead on January 25 2001 @ 10:53AM

Just a quick comment on everyone saying that the MS nameservers are on the same subnet. We have no proof of that, and I would hope to god it's not true. They ARE from the same netblock from their AS (8070). That is an unforgivable sin. You should always have at least one nameserver outside your own AS Just In Case (tm). However, just because the IPs of the nameservers are adjacent doesn't mean the machines are. They could be in 2 or 4 different locations around the net (2 of the IPs are adjacent, and so are the second 2, indicating maybe two sets of two).

However, due to the nature of DNS, you can have multiple nameservers scattered around your enterprise answer for a single IP. I've deployed this, and I know others have as well. Basically, your ingress router has a route to a local nameserver that responds to that IP. If that host dies, then the network routes take over and push the query to the next closest nameserver, which gets it and responds with an answer. So using 4 IPs MS may have 20 nameservers scattered all over the planet answering for those 4. Doubtful, but maybe.

Ergo, we can't assume these boxes are anywhere near each other. If someone KNOWS how they're set up, please tell us.

-Ian

Ian Finlay
[ On Thursday, January 25, 2001 at 17:53:12 (-0800), Rusty H. Hodge wrote: ]
Subject: Re: From Microsoft's site
> > Which would not have suffered such an impact had it been designed correctly, with geographical and topological disparity.
>
> You sure it isn't designed that way? Just because the IPs are on the same /24 doesn't mean anything these days.
It seems in the case of M$'s DNS servers they are all in one place (be it a room, a building, or their campus), and all behind one AS number, with apparently only one router "entity" sitting in front of the whole mess (if you believe what they've been saying has any basis in reality).

I haven't looked at how the routing advertisements for that /24 appear out in the rest of the world, beyond what's registered at whois.ra.net, but I doubt they've made separate advertisements for each IP# or some subnets that would separate them, and even if they did I doubt such advertisements could even make it past the route filters of their peers.

By "topological disparity" I meant each server should have radically different IP routing *and* physical connectivity.

Even if M$ did have good geographic dispersion with each of their four DNS servers in the four corners of the continental USA and connected back to their campus by some form of private circuits, they've still got effectively one IP routing path to whatever they might use to provide that non-IP connectivity back out to those four corners. I.e. there's still a single point of failure from the perspective of random users on random Internet sites.

If there wasn't a single point of failure then the recent events would not have occurred.

I just noticed this gem too:

    Microsoft (NETBLK-MICROSOFT-GLOBAL-NET)
       One Microsoft Way
       Redmond, WA 98103
       US

       Netname: MICROSOFT-GLOBAL-NET
       Netblock: 207.46.0.0 - 207.46.255.255

       Coordinator:
          Microsoft (ZM39-ARIN) noc@microsoft.com
          425-936-4200

       Domain System inverse mapping provided by:

       DNS4.CP.MSFT.NET    207.46.138.11
       DNS4.CP.MSFT.NET    207.46.138.11

So, how is it that ARIN let them get away with two entries for the same damn server?!?!?!?!?

--
Greg A. Woods

+1 416 218-0098    VE3TCP    <gwoods@acm.org>    <robohack!woods>
Planix, Inc. <woods@planix.com>; Secrets of the Weird <woods@weird.com>
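An added example, not part of any message in this thread: a small audit of a delegation's nameserver set for the three routing-level weaknesses the posters raise (a duplicated listing, every server inside one prefix, every server behind one origin AS). The function name, the finding codes, the documentation-range addresses and the private-use AS numbers are assumptions made for illustration; origin ASNs are supplied by the caller from a separate BGP lookup.

```python
import ipaddress
from collections import Counter

def audit_ns_set(servers, prefix_len=24):
    """servers: list of (hostname, ip, origin_asn). Returns sorted finding codes."""
    norm = [(h.lower().rstrip("."), ip, asn) for h, ip, asn in servers]
    findings = set()
    # The same name/address pair listed twice adds no redundancy.
    if any(n > 1 for n in Counter((h, ip) for h, ip, _ in norm).values()):
        findings.add("duplicate-entry")
    unique = {(h, ip): asn for h, ip, asn in norm}
    if len(unique) < 2:
        findings.add("fewer-than-two-servers")
    # One covering prefix means one routing announcement that a single
    # misconfiguration or filter can cut off. This is a statement about
    # routing, not location: one address may be answered by several machines.
    nets = {ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
            for _, ip in unique}
    if len(nets) == 1:
        findings.add("single-prefix")
    # No server is originated by a second AS.
    if len(set(unique.values())) == 1:
        findings.add("single-origin-as")
    return sorted(findings)

# Name and address are from the whois output quoted in the thread; attaching
# AS 8070 (the AS named in the quoted comment) to this address is an assumption.
PAGE_LISTING = [("DNS4.CP.MSFT.NET", "207.46.138.11", 8070),
                ("DNS4.CP.MSFT.NET", "207.46.138.11", 8070)]

# Constructed samples: RFC 5737 documentation addresses, private-use ASNs.
CLUSTERED = [("ns1.example.net", "192.0.2.10", 64512),
             ("ns2.example.net", "192.0.2.11", 64512),
             ("ns3.example.net", "192.0.2.40", 64512),
             ("ns4.example.net", "192.0.2.41", 64512)]
DIVERSE = [("ns1.example.net", "192.0.2.53", 64512),
           ("ns2.example.org", "198.51.100.53", 64513),
           ("ns3.example.com", "203.0.113.53", 64514)]

if __name__ == "__main__":
    for label, ns_set in (("page listing", PAGE_LISTING),
                          ("clustered", CLUSTERED), ("diverse", DIVERSE)):
        print(label, audit_ns_set(ns_set))
```

A clean result only shows that the set is spread across prefixes and origin ASes; physical and upstream path diversity still has to be confirmed separately.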
participants (5)
- Alex Kamantauskas
- Ian A Finlay
- Jeremy Randall
- Rusty H. Hodge
- woods@weird.com