DNS migration and folks that don't play nice
Bruce Dawson
jbd at codemeta.com
Mon Apr 10 11:51:02 EDT 2006
Cole Tuininga wrote:
> On Mon, 2006-04-10 at 10:58 -0400, Mark Komarinski wrote:
>>Any evidence of this?
>
> Nope - my knowledge is both anecdotal and quite possibly very out of
> date.
>
Yes, but not recent, and not in the form of log files. I used "AOL"
merely to indicate that there are some "large" organizations that have
what appears to be deliberately broken DNS servers.
>>I've got a friend at AOL (who knows of such
>>things) and says they're using BIND and thus are honoring TTL.
That explains it! Older versions of BIND had problems - they were
especially vulnerable to attacks, and "fell down" in pathologically bad
ways. It got to the point where I was restarting BIND every two days
until they (ISC) started coming out with security fixes.
> Interesting - this does seem counter to the experience a few of my (less
> tech savvy) friends who make use of aol. I wonder - perhaps the aol
> software itself caches the lookups? I dunno.
There's lots of crufty software between BIND and the resolver. And the
resolver's cache could easily be scrod.
I would not be surprised at all if it looked like a BIND server was
operating correctly for a few zones, and not others.
Add to this the fact that most BIND servers operate using UDP instead of
TCP, and it's easy to understand how BIND servers could become corrupt.
Add to this the amount of malware on the Internet, and it's surprising
that things are working at all!
--Bruce
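One way to test the thing the thread keeps circling around, whether a caching resolver actually honours the TTL the zone publishes, is to sample the same record from that resolver over its lifetime and watch what the returned TTL does. The script below is added here as an example; it is not part of the original post and not a tool the thread mentions. Everything in it is constructed: the name, the address, the 300-second TTL and the sampled timelines are made up so it runs offline. In the field you would replace the constructed messages with the raw UDP payloads the resolver under test returns.

```python
"""Does a caching resolver honour the zone's TTL?  (Added example; the
name, address, TTL and sample timelines are constructed, not real data.)"""
import struct

EXAMPLE_NAME = "www.example.com"   # constructed
AUTHORITATIVE_TTL = 300            # constructed: what the zone publishes


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(name, ttl, ipv4, txid=0x1234):
    """Minimal DNS response: one A question, one A answer.  The answer's
    owner name is a compression pointer to offset 12 (the question name),
    as real resolvers emit, so the parser must handle pointers."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(o) for o in ipv4.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + answer


def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                  # compression pointer
            if end is None:
                end = off + 2                       # resume after the pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:                           # refuse pointer loops
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end if end is not None else off


def answer_ttls(msg):
    """Return [(owner, ttl, rdata)] for every answer RR in a response."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response")
    off = 12
    for _ in range(qd):                             # skip the question section
        _, off = read_name(msg, off)
        off += 4
    out = []
    for _ in range(an):
        owner, off = read_name(msg, off)
        _, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        out.append((owner, ttl, msg[off:off + rdlen]))
        off += rdlen
    return out


def classify_cache(samples, authoritative_ttl, slack=2):
    """Classify a resolver from (elapsed_seconds, observed_ttl) samples.
    samples[0] is taken right after the record enters the cache; a cache
    that honours TTL counts down by about the elapsed time, never reports
    more than the zone publishes, and stops serving the record at zero."""
    t0, ttl0 = samples[0]
    if any(ttl > authoritative_ttl for _, ttl in samples):
        return "exceeds-authoritative"              # cache overrides TTL upward
    for elapsed, ttl in samples[1:]:
        expected = ttl0 - (elapsed - t0)
        if expected < -slack:
            if ttl <= slack:
                return "serves-expired"             # still answering at TTL 0
            continue                                # legitimately re-fetched
        if ttl > expected + slack:
            return "not-decrementing"               # TTL reset on every hit
    return "honours-ttl"


def sample_timeline(timeline):
    """Turn [(elapsed, raw_response)] into the (elapsed, ttl) samples."""
    return [(elapsed, answer_ttls(msg)[0][1]) for elapsed, msg in timeline]


def honest_resolver_demo():
    """Constructed timeline from a resolver that counts the TTL down."""
    timeline = [(t, build_response(EXAMPLE_NAME, ttl, "192.0.2.10"))
                for t, ttl in [(0, 300), (60, 240), (120, 180), (310, 290)]]
    return classify_cache(sample_timeline(timeline), AUTHORITATIVE_TTL)


if __name__ == "__main__":
    print(honest_resolver_demo())
```

The interesting cases are the last two verdicts: "not-decrementing" means the cache hands back the full TTL on every hit, so it is timing out on its own schedule rather than the zone's, and "serves-expired" is the migration killer, a cache that keeps answering with the old address after the TTL has run out. Sample across the whole TTL window, not just once, or you cannot tell those apart from a cache that is behaving.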
More information about the gnhlug-discuss mailing list