Domain: ultradns.com
Stories and comments across the archive that link to ultradns.com.
Comments · 12
-
UltraDNS
Great infrastructure, robust, API, good people. I've been using them for around nine years now - http://ultradns.com/ - highly recommended.
-
Re:Free market solution regulation
First, posting as an AC lessens the likelihood of a reply.
The ad hominem doubles it.
Now, to prove who the "moron" is...
http://www.ultradns.com/news/articles/051011.cfm
DNS is fully at fault for the reliance we place on peering arrangements. By nuking single endpoint routing via DNS, we could introduce the need for multiple routing paths.
If you live on an island with on bridge and the bridge (peering) goes boom, you're screwed. DNS allows people to "go cheap" by building only one bridge.
Dump DNS after implementing IPv6. Let Google, AOL, and others provide the solutions to mapping a name to an IP.
Oh, only big corporations can afford SEO? Bullshit. Why can small companies receive phone calls and mail? Because of third party services. DNS is monopoly, dump it. -
This is what they are using it for
PostgreSQL comes into play here at the registry. In this case Afilias. They are the authoritative source for all registrations in the
.org domain (or will be soon, I'm not sure the exact date). You may recognize them as the registry for .info as well. All of the DNS infrastructure will be run by UltraDNS and they run Oracle. You may recognize them as the DNS infrastructure provider for .info. I'm assuming that .org will work the same as .info (since it's the same registry and same DNS server infrastructure) and if so, all changes are incremental and near realtime. -
This is what they are using it for
PostgreSQL comes into play here at the registry. In this case Afilias. They are the authoritative source for all registrations in the
.org domain (or will be soon, I'm not sure the exact date). You may recognize them as the registry for .info as well. All of the DNS infrastructure will be run by UltraDNS and they run Oracle. You may recognize them as the DNS infrastructure provider for .info. I'm assuming that .org will work the same as .info (since it's the same registry and same DNS server infrastructure) and if so, all changes are incremental and near realtime. -
Very surprising
I have seen the UltraDNS ads here at Slashdot and thusly decided to read up on their techniques as well.
Basically, they urge large important Web sites to outsource its DNS needs to another company (them). Before this DOS attack on their servers, they provided near perfect stability, security, and performance. If I recall correctly, Hotmail, Forbes, and Oracle have already used the services of UltraDNS.
It's a shame that such a wonderful resource (the Internet) is so often abused by a few rowdy hackers and trolls.
Here is a whitepaper that describes their services in depth and explains the reasons for outsourcing one's DNS needs. -
Very surprising
I have seen the UltraDNS ads here at Slashdot and thusly decided to read up on their techniques as well.
Basically, they urge large important Web sites to outsource its DNS needs to another company (them). Before this DOS attack on their servers, they provided near perfect stability, security, and performance. If I recall correctly, Hotmail, Forbes, and Oracle have already used the services of UltraDNS.
It's a shame that such a wonderful resource (the Internet) is so often abused by a few rowdy hackers and trolls.
Here is a whitepaper that describes their services in depth and explains the reasons for outsourcing one's DNS needs. -
Very surprising
I have seen the UltraDNS ads here at Slashdot and thusly decided to read up on their techniques as well.
Basically, they urge large important Web sites to outsource its DNS needs to another company (them). Before this DOS attack on their servers, they provided near perfect stability, security, and performance. If I recall correctly, Hotmail, Forbes, and Oracle have already used the services of UltraDNS.
It's a shame that such a wonderful resource (the Internet) is so often abused by a few rowdy hackers and trolls.
Here is a whitepaper that describes their services in depth and explains the reasons for outsourcing one's DNS needs. -
Very surprising
I have seen the UltraDNS ads here at Slashdot and thusly decided to read up on their techniques as well.
Basically, they urge large important Web sites to outsource its DNS needs to another company (them). Before this DOS attack on their servers, they provided near perfect stability, security, and performance. If I recall correctly, Hotmail, Forbes, and Oracle have already used the services of UltraDNS.
It's a shame that such a wonderful resource (the Internet) is so often abused by a few rowdy hackers and trolls.
Here is a whitepaper that describes their services in depth and explains the reasons for outsourcing one's DNS needs. -
Re:What if you can't use (fill_in_the_blank)?
Another option might be to assign your risk of security vulnerabilities to someone else by outsourcing. UltraDNS will run your authoritative services, and you can maybe get recursive service from your datacenter provider; if not then at least you can firewall off the internal servers from the outside world and reduce the risk of attack.
-
Re:Redundancy
There are services that will enable you to change DNS records with world-wide propagation in under 5 minutes.
Take a look at UltraDNS for an example.
-
Re:My Experience With LinuxI work as a consultant for several fortune 500 companies,
No, you don't.
and I think I can shed a little light on the climate of the open source community at the moment.
No, you can't.
I believe that part of the reason that open source based startups are failing left and right is not an issue of marketing as it's commonly believed but more of an issue of the underlying technology.
Broad statement. Incorrect. IBM and HP back/develop Linux, Dell sells Linux servers, etc, etc. The Gartner Group just recommended against using IIS. Cobalt and RedHat hardly failed as "Linux startups." Most linux code is portable in one way or another if its correctly written. Open Source has proven and will continue to prove that software should cost nothing. (Given that Mickeysoft doesn't accept liability, its essentially worthless.
I know that that's a strong statement to make,
No, its idiotic.
but I have evidence to back it up!
No, you don't.
At one of the major corps(5000+ employees) that I consult for, we wanted to integrate Linux into our server pool. The allure of not having to pay any restrictive licensing fees was too great to ignore. I recommended [SIC]the installation of several boxes running the new 2.4.9 kernel, and my hopes were high that it would perform up to snuff with the Windows 2k boxes which were(and still are!) doing an AMAZING job at their respective tasks of serving HTTP requests, DNS, and file serving.
So you went your own way and installed your own kernel, not using the default kernel or default kernel sources from a particular distribution. You failed to mention the distribution. High performance DNS is best outsourced for large companies try www.ultradns.com. You did no qualifying as 2.4.9 is fresh out of the ftp. The Gartner group recommended against the use of IIS, which owns a mere 25% of that market. 60% is apache. http://www.netcraft.com/survey/. Fileserving is trivial, and Linux offers a myriad of FS choices, XFS (SGI), JFS(IBM), Reiser, ext2, ext3, for various needs. From true logging/journaling to simple filesystems. Most of the time, Samba drastically outperforms NT/2000 boxes with the SMB protocol.
I consider myself to be very technically inclined having programmed in VB for the last 8 years doing kernel level programming.
You aren't. Delusion.
I don't believe in C programming because contrary to popular belief, VB can go just as low level as C and the newest VB compiler generates code that's every bit as fast.
Troll. C doesn't believe in making it easy for morons, sorry you were left out of the loop.
I took it upon myself to configure the system from scratch and even used an optimised [SIC] version of gcc 3.1 to increase the execution speed of the binaries. I integrated the 3 machines I had configured into the server pool, and I'd have to say the results were less than impressive...
GCC 3.1 isn't out yet. 3.01 is. The kernel documentation tell you to use EGCS 1.1.2 / GCC 2.91.66, but you can't read. I've had not problems with Linux 2.4.3 - 1.4.10 with gcc 3.00 or 3.01, nor with Mozilla 0.93/0.94, nor with any other things I have compiled with GCC on Linux. The processes will run without leaking for at least on the order of months. I had shells on Linux kernels that will run on the order of years. You are apparently I'll equipped to manage an enterprise Unix solution.
We all know that linux isn't even close to being ready for the desktop, but I had heard that it was supposed to perform decently as a "server" based operating system. The 3 machines all went into swap immediately, and it was obvious that they weren't going to be able to handle the load in this "enterprise" environment. After running for less than 24 hours, 2 of them had experienced kernel panics caused by Bind and Apache crashing! Granted, Apache is a volunteer based project written by weekend hackers in their spare time while Microsft's [SIC] IIS has an actual professional full fledged development team devoted to it. Not to mention the fact that the Linux kernel itself lacks any support for any type of journaled filesystem, memory protection, SMP support, etc, but I thought that since Linux is based on such "old" technology that it would run with some level of stability. After several days of this type of behaviour [SIC] , we decided to reinstall windows 2k on the boxes to make sure it wasn't a hardware problem that was causing things to go wrong. The machines instantly shaped up and were seamlessly reintegrated into the server pool with just one Win2K machine doing more work than all 3 of the Linux boxes.
Ximian, KDE 2.X are pretty hard to beat. Too much functionality for the basal minded. I've seen a 32MB piece of crap Cobalt box with Linux 2.2.16X survive quite a large beating. You used the wrong compiler to build the 2.4.9 kernel anyway. You probably didn't link
/usr/include to the linux source tree. There is ReiserFS in the kernel, there are several distributions including journalled filesystems in them, XFS is offered with RedHat 7.1 via SGI. JFS is able to be put in. Reiser is already there. SMP support has been there since 2.2. You are wrong. The memory is far more protected than it is in Windows anything. I have never seen apache crash, nor BIND for that matter. Funny, your amateur ass stages servers for Fortune 500 companies on production boxes and then has to re-install Windows? Never was there a day where a Unix server could not do more with less hardware than Windows. Ever. Even Apple chimed into that idea.Needless to say, I won't be recommending [SIC] Linux/FSF to anymore of my clients. I'm dissappointed [SIC]that they won't be able to leverege [SIC]the free cost of Linux to their advantage, but in this case I suppose the old adage stands true that, "you get what you pay for." I would have also liked to have access to the source code of the applications that we're running on our mission critical systems; however, from the looks of it, the Microsoft "shared source" program seems to offer all of the same freedoms as the GPL.
Needless to say you cant spell. You don recommend anything to anyone, your delusions of grandeur are most amusing. If you want to pay for support, you can. RH support is quite good, actually. Given that you recompiled the kernel on a system with the wrong compiler and then whine about it, you complain about Linux? Shared source is not completely open, retard, its chunks of code. And for the complete source you have to shell out big cash. Most appliances run non-Microsoft Code.
As things stand now, I can understand using Linux in academia to compile simple "Hello World" style programs and learn C programming, but I'm afraid that for anything more than a hobby OS, Windows 98/NT/2K are your only choices.
Linux is in academia because it is meritorious. Lotus Notes, Oracle, SAP are all ported to Linux, hardly "Hello World". It's a hobby to you, you clearly have to spend more time with it because you sir, are a complete and utter moron. Nick try on a troll.
-
DNS DoS - the need for scalabilityA poster asks:
Just from a theretical point of view, how difficult do you think it would be to take those servers down from terrorist activity. I mean could the internet be taken down if 12 explosions at the right time/place where detonated?Stripes starts his reply:
Assuming you can figure out where they all are form the IP addresses in the root.cache file, and traceroute, or other similar tools, and maybe a bit of social engenering, it shouldn't be any harder then any other 12 randomly selected machines.Define "explosions"
Stripes, The poster to which you responded did not specify what type of explosions were available to them. If they're nuclear explosions, they'd probably need only 8-10 strategically placed explosions to wipe out all of the current neameservers (with or without social engineering). If they're lucky, they might take out the "shadow root servers" as well. Given the location of some of the root servers, they'd probably cripple alot more than just DNS. They'd effectively take out a good deal of infrastructure as well as the Internet engineers necessary to repair it, not to mention start a worldwide panic.
The Internet would still recover though, much as you described in your post. Anyone can setup a redundant server cluster within a matter of minutes given a set of pre-staged root and first level zone data.
The more interesting problems are due to corrupted data rather than doing denial of service attacks on nameservers. Some bad data in Network Solution's database can make various interesting parts of the Internet suck really bad. When one root server has data corruption, the whole net feels it. Imagine if some NSOL staffer garbled the nameserver data for "Yahoo.COM." or "IN-ADDR.ARPA." to point to 255.255.255.255 instead of the real servers?
For anyone else interested in DNS DoS...
An easier method
One of the easiest way to kill DNS is to try a coordinated DoS attack against all of the nameservers. Each of the world hundreds of thousands of resolvers is configured to use any of 13 root nameservers. Just like a 15-year-old kid did with HTTP requests, one could probably start a distributed DoS attack against DNS. The "heftiest" root nameserver is rumored somewhere in this discussion to be able to handle 6000-8000 hits a second. With 13 published nameservers, one needs only about 100000 hits per second to saturate the current capacity of all of the servers. Let's say that I was a bright hacker (which I'm not) that I could find my way into 1000 machines around the world that each had a T1 connection or better. Can we agree that this is a difficult but not unreasonably impossible thing to do? If one were not smart enough to do it themselves, one could perhaps go to a hacker convention or local user group and bribe a script kiddie seeking infamy and fortune to go forth an find 1000 machines to hack. Another way is to unleash a time-dated virus onto the net that will do your bidding at a specific time. Each machine would gather a list of 100 addresses, perhaps starting with the history file of a user's browser to get a list of second-level domains. It could also look for addresses using a popular portal directory or search engine and interpret results to get domain names. With 100 domain names, it would query 100 names per second (less than one megabit) from each of the few registered root nmeservers. While the traffic isn't overwhelming, it will overload the root servers fo rthe number of transactions per second, and nothing short of hunting and killing half of the query servers would reduce the effectiveness of the attack. To make the attack harder to stop, one could double or quadruple the number of query servers or use methods of masquerading your attack (I won't go into detail here) to keep network administrators from being able to shut down query servers. Another way to scale the attack is to use they heavier TCP protocol for most of the queries instead of the lightweight UDP.
fin.
The technology needed to exponentially increase the ability of the root servers to perform is not out of reach. With the proper motivation (a DoS like I described), one million dollars of capital (compare $1m to the current valuation of NSOL), and perhaps 30 man-weeks of time, one can make a farm of servers able to handle two orders of magnitude more requests than the current set of servers.
The IBM server announcement by Network Solutions disappoints me. It's sad.
Any of the following are good candidates that I know about for scalably solving root DNS infrastructure problems...
- UltraDNS - DNS service provider with an interesting spin on distributed scalability
- Nominum - the knowledge and knowhow to make fast scalable DNS servers and software
- Akamai/Sandpiper - a distributed operations infrastructure onto which one can install root clusters.
One can also implement interesting filters on such a proxy server to reduce the effect of stupider resolvers or lame DoS attacks.
--
Eric ZiegastPS: Slashdot probably isn't the best forum for this, but if you know a better forum, feel free to point them toward this post.