98% of DNS Queries at the Root Level are Unnecessary
LEPP writes "Scientists at the San Diego Supercomputer Center found that 98% of the DNS queries at the root level are unnecessary. This doesn't even take into account the 99.9% of web pages suck or are unnecessary anyways. This means that the remaining 2% of necessary DNS queries are probably not necessary either."
99% of slashdot posts are unnecessary.
About 12 percent of the queries received by the root server on Oct. 4, were for nonexistent top-level domains, such as ".elvis"
Now there's your 2 percenter right there!
Life is the leading cause of death in America.
And they assumed the other 12 were exactly the same? Wouldn't looking at 2 at least be merited?
i guess slashdot accounts for 2% of the queries ;-)
On a similar note, I noticed that AOL causes a lot of DNS lookups. From what I can see from my firewall logs, each TCP connection from an AOL user is handled by a separate proxy. Each proxy then does its own lookup on the host. So, for a normal sized webpage with some images or whatever, you get like 10 TCP connections for the content and 10 UDP connections for the DNS lookup. Seems kind of excessive to me.
Real man know IPs.
After all, DNS is fundamentally a non coherent protocol ... and as such relying on caching too much is inevitably going to cause pain.
Might as well put the pain at the root, it is their responsibility.
How can they tell? Wouldn't they have to actually look at the page itself, instead of the DNS request for a site?
Ah am not a crook! (\(-__-)/)
That's a thought! But we'd have to create servers for .vim, .pico, and .emacs as well...
98% of the DNS queries at the root level are unnecessary. [...] This means that the remaining 2% of necessary DNS queries are probably not necessary either."
Uhh... right, eliminate 100% of the root queries, they aren't needed..
sheeeesh..
Trolling is a art,
This whole DNS thing is totally archaic and should be replaced by a P2P type system. And while we're at the subject - changes should just be propagated from one machine to the other as they occur, this way I could change my IP address and the very next day (or so) EVERY server running bind would be updated. Hey, I'm flamebait, I know - do your worst ;-)
http://ucsdnews.ucsd.edu/newsrel/science/sdscRoot.htm
Who is doing the work around here?
The population of the United States was 180 million at the time of writing, but there are 64 million over 60 years of age, leaving 116 million to do the work.
People under 21 total 59 million which leaves 57 million people to do the work.
Because of the 31 million government employees, there are only 26 million left to do the work.
Six million in the armed forces leave twenty million workers.
Deduct 17 million State, county, and city employees, and we are left with three million to do the work.
There are 2,500,000 people in hospitals, asylums, and treatment facilities leaving half a million workers.
However, 450,000 of these are bums or others who will not work, leaving 50,000 to do the work.
Now, it may interest you to know that there are 49,998 people in jail so that leaves just 2 people to do all the work, and that is you and me, and I'm getting tired of doing everything myself!
S
Just my 2p/2 worth.
Matt Thompson - Actuality - Insert product here.
is it that hard to configure a firewall to explicitly allow outgoing traffic rather than allow all? It seems that everyone thinks that the only bad traffic is the stuff coming in from the outside...
It's no wonder these servers have so many problems - there's thirteen of them! They need a lucky #14 - a Bilbo Baggins for their horde of dwarves. That'll stop those DoS attacks and unnecessary requests right away!
This doesn't even take into account the 99.9% of web pages suck or are unnecessary anyways.
What standard is this based on? My website sucks and is only necessary for my own amusement, but it is similar to my favorite kind of sites on the web. I would use the web a lot less if it wasn't for those 99.9% of web sites. Most blogs, for instance, suck and are unnecessary, but at the same time the total of all the blogs is having a big impact on news outlets and the media.
FoundNews.com - get paid to blog.,
Scientists at the San Diego Supercomputer Center found that 98% of the Slashdot comments at the root level are unnecessary. This doesn't even take into account the 99.9% of Slashdot stories that suck or are unnecessary anyways. This means that the remaining 2% of necessary Slashdot comments are probably not necessary either.
From the article:
"Researchers believe that many bad requests occur because organizations have misconfigured packet filters and firewalls, security mechanisms intended to restrict certain types of network traffic. When packet filters and firewalls allow outgoing DNS queries, but block the resulting incoming responses..."
It's nice to see a story with info I can take and use. This is actually "stuff that matters".
Kudos to the researchers, and now I am off to check my firewall.
There are 01 kinds of cars in the world. The General Lee, and everything else.
Is it just me, or is this a description of a reverse lookup? How does that qualify as unnecessary? This is a pretty common step in troubleshooting, and some software does a reverse lookup following a forward lookup to verify that the hostname it gets back is the same one it started with.
Chuckles
I see this kind of thing all the time on /.--completely unedited, barely literate, rant-style submissions. Why don't the /. editors tone down or eliminate the rhetoric from submissions about otherwise worthy topics, or at least fix the grammar and typos?
I know, I'm going to get blasted for saying this, but I'm convinced it's one of those "little things" that makes /. look to the rest of the world more like a bunch of know-nothing kids typing at each other than a group of technically literate activists with something of value to contribute.
I now return you to your regularly scheduled rant...
Why don't DNS servers have a list of correct top-level domains, in order to answer directly, without going to a root server? The list is short, compared to the information the DNS server caches already, and the content of the list doesn't change so often. This list could be downloaded once in a day or so, from the DNS root servers.
When packet filters and firewalls allow outgoing DNS queries, but block the resulting incoming responses, software on the inside of the firewall can make the same DNS queries over and over, waiting for responses that can't get through
Why the hell does a firewall accept outgoing queries to black-listed domain names, if they are configured to block the response to these queries? This seems like a serious misconception to me.
JB.
I think the Cooperative Association for Internet Data Analysis (CAIDA) should requisition a new acronym, or run the risk of George W. (or one of his amphetamine crazed pilots) bombing the fuck out of due to that CAIDA - QAEDA similarity...
Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
74.4% of all statistics are made up on the spot.
"If anyone needs me, I'm in the angry dome."
...So I guess most of those unnecessary top-level DNS requests were for www.clownpenis.fart, right? We chuckled when it was on SNL, but now... alas, it brings our beloved internet to its knees...
Now I get it.
So I guess there IS such a thing as a stupid question...
"Scientists at the Vatican Praying Center found that 98% of the prayer queries at the God level are unnecessary."
Speaking of unnecessary dns lookups.. am I the only person who's spending 5 seconds on every page watching jerky animated msdn subscription banner ads creeping in whilst the slashdot text remains blank waiting for the ad to finish?? What is up with that?
All mine are important.
The entire freakin' Internet is unnecessary. Handy, sure. Occasionally useful. Necessary, no.
Would be that ICANN could be split into ICANN.com, ICANN.edu, ICANN.org, ICANN.ca, ... without much difficulty from a purely technical perspective.
"Provided by the management for your protection."
I dunno, I'd think there's some worry over the CAIDA/CANADA similarities too, with the mistaken bombing last year...
And that's a problem? My understanding was dealing with this sort of thing was exactly the purpose of the root DNS servers. If every ISP's DNS server was pre-configured to recognize valid and invalid top-level domains, you could just set them up to go straight to the specific DNS servers handling those domains (.com, .net, .org, etc.) There would be no need for a root-level system.
The argument for allowing this kind of cracked query through to the root server is that it makes it easy to add new domains (.elvis, .corp, what have you) without forcing everyone to reconfigure their DNS boxes for each new top-level domain.
actually only 50% of Slashdot posts are unnecessary but some of them are exceptionally time-wasting (some get as many as 1 negative mod points) so the equivalent of 99% are pointless.
So you are planning to remember the 128 bit addresses for all the sites you are going to use in the future?
Ummm... what does IPv6 have to do with DNS vanishing? With 128-bit IP addresses in an ugly hex-colon notation... DNS will be even more important when people move to IPv6.
The problem with DNS (and SMTP) is that they are protocols developed during a time where everyone on the internet was operating in a cooperative mode. Now that there is a proliferation of SPAM and DOS attacks, these old protocols break down because they were not developed with security in mind.
DNS will not go away. But the protocol will probably change at some point.
--
"What do you want me to do? Whack a guy? Off a guy? Whack off a guy? Cause I'm married."
Actually go deeper than that...what really needs to happen is a redesign of the underlying core of the whole damn thing...DNS, DHCP, and Routing need to be combined into a single protocol and server implementation (already partially have that in DDNS)...but taken a step further (and I am being intentionally light on details here, since it's a huge subject) it would make the whole thing easier, especially in today's world where everyone and their brother has a web site (or other service) attached to their cable/DSL line, and they can't get a static IP, and never mind getting IPs they might own routed behind that IP to the rest of the world. One protocol that could publish IP/Domain Name/Routing for the whole shooting match through a rooted, treed and P2P system...(The root maintains order, the tree allows clients to work backwards through the tree till they find the information they are looking for or hit the root, the P2P moves updates around with sequence numbers, probably in MD5 or something, to maintain chronology)...this is by no means the full idea, but might be a good seed....
Power Corrupts,Absolute Power Corrupts Absolutely, leaving one person(group)in charge is absolutely corrupt.
This story is patently untrue.
- Oisin
PGP KeyId: 0x08D63965
The end says "That leaves just 2 people to do all the work; you and me, and you just read slashdot all day!"
:)
(replace slashdot with email as appropriate.)
What time is it/will be over there? Check with my iPhone app!
I see how the article describes the problem, especially
"About 70 percent of all the queries were either identical, or repeat requests for addresses within the same domain."
What I don't see is solid suggestions for improvement, except for indirect suggestions to name server operators to clean up their act. Perhaps the root servers could be made smarter, or buffered, so that the root servers cache the repeat requests and return a response before the root name server has to handle it. Maybe the root servers should just refuse to honor the most common unnecessary queries. That might set off alarms in the lower level DNS servers, which could get some real action across the board.
Sometimes I worry that I'll develop Alzheimer's disease, but no one will notice.
1. Bad request received by a root server
2. Root server notices it's of the 'non-existent top level domain' variety.
3. Root server sends back information pointing to an ip that shows a web page with a nicer version of 'either you clicked a FrontPage created link, you are a monkey banging a banana on the keyboard, or your ISP administrators don't have a clue'.
Advantages: It'll embarrass ISP's. It'll cut down on the traffic to the Root Servers.
Disadvantages: It'll only be noticeable with web queries.
This is not a dream, not a dream...we are transmitting from the year 1-9-9-9.
DNS *does* suck! I mean, who wants to go through all of the trouble of laboriously remembering and typing "slashdot.org" in a browser when they can much more easily remember and type in "234.54.197.233.90.222"?? I pray for that day, also.
How about coming up with a DNS Moderation system.
The root servers give say 50 karma points to each IP address issuing a query.
If the query is unnecessary, it gets modded "-1 redundant".
When karma hits 0, it stops responding to further queries.
DNS eventually stops working at that site, admin pulls head out of ass and fixes the problem causing the redundant DNS queries.
Beauty is in the eye of the beerholder.
Huh?
Maybe I've been asleep at the wheel when it comes to all of the advantages of IPv6, but how on earth does it alleviate the need for a functioning DNS service?
Do you imagine that it will somehow be easier for people to remember IP addresses that are 128 bits in length than it is to remember them in their current 32 bit dotted decimal form?
I guess these will be what we have to look forward to in your DNS-free world of the future:
Riiiight.
For those that would die defending it, Freedom
has a sweet taste that the protected will never know.
Because you will be able to encode the names by hex value, .com will be 2E:63:6F:6D, so no need of DNS. :P
One factor is that I suspect people are increasingly lowering their TTLs, expires, or whatever that parameter is. Most of the manage-it-yourself DNS providers now allow an option to reduce that to a few minutes, which makes it much easier to move hosts around. And while a low setting increases DNS traffic, it rarely if ever incurs an extra cost to the domain holder.
It obviously seems to be a lot of junk traffic, but the only part we can say is bad requests are part 3 and 4 from the chart. Bad spellings must go to the root since there may be such domains!
It would be nice to analyze the 70% repeated or identical queries, probably lots of traffic can be explained for (or else there are a bunch of administrators out there who need a good manual on bind).
Scientists at the San Diego Supercomputer Center found that 98% of the remaining (necessary) DNS queries are related to porn websites!
2. The amount of time it takes to set up DNS correctly and efficiently with the existing products, especially BIND, is a lot more than it takes to just get them functioning.
3. The research would have been more interesting if they had gone and looked at say 1000 random requestors who were doing things screwed up and find out why and how they were screwed up.
4. It would be nice if the local DNS servers had a list of valid top level domains so that it would kill requests to non-existent ones.
THAT would be stuff that matters!
None of the internet is necessary. We could all go back to living in the trees if we wanted. After you...
This is my World Wide Web of Whatever
My website is awesome... it has.... ummm stuff on it.
I'm surprised that they did not mention massive numbers of "broken" requests from Windows 2000/XP systems. I see this all the time due to misconfigurations. Administrators often set up the Windows 2000 DNS servers incorrectly and Windows 2000/XP systems(workstations and servers) configured such that they constantly try dynamic DNS updates to the wrong DNS servers, even the root servers.
Linux, too, has some issues here. Obviously misconfigured DNS servers will always be a problem, but distros like Red Hat have IPv6 support compiled into the BIND RPM; this results in an IPv6-formatted query followed by an IPv4 query for every request.
Breaking news:
Glaciers of dog pee in Manhattan streets.
Post responses to 66.35.250.150 (I'm sure you can figure this out).
Yesterday I queried the root servers once a minute to see if they had been updated. Why? Because Network Solutions screwed up and transferred a domain that I manage to their own name servers; I had to put a request in to change it back to our name servers and wait, wait, wait. I wonder how common that is :)
This is somewhat of an invalid metaphor for both the way DNS works and the way computer caching works. Pretty much every local DNS server (unless my information is wrong) has some sort of caching system of varying degrees of efficiency. The problem is that unlike humans, who are more likely to remember things if they are repeated, caching usually just consists of a series of entries which can quite easily be overwritten; older entries will be overwritten if they aren't updated, or caching would never work for new frequently accessed sites. It's quite easy to get an access pattern which would remove even the most frequently accessed files from a list, especially on a server with a great deal of users. By providing different servers for each chunk of users you can diminish this problem, but then you'll get requests from each server. DNS is an ugly system because it does an ugly job.
My ISP seems to not realize that some people want to do more than check local mail and sites. On my old win95 pc it would actually lock up eudora when it tried to pull mail from my nonlocal pop3.
I've been searching for a solution to this for awhile, perhaps using some other dns servers than what my isp specifies.
I wish it embarrassed my ISP, but since they don't answer their email, they probably don't care.
But I missed the search button in mozilla and sent out an invalid http request instead. But if I were serious it's nice that mozilla tries to guess what I wanted to do and generates a bunch of other invalid addresses.
This message seems to have the same kind of logic as the following:
Since 9 projects out of ten are bound for failure, why not cancel those 9 projects?
That's a local problem, between the user and AOL's DNS servers. The article is describing a different, higher-level problem between, for example, AOL's DNS servers and the root-level servers. If an AOL user's machine makes ten DNS requests for the same host, only one request should propagate past AOL's nameservers, but instead a misconfigured DNS will propagate all ten.
I can suddenly see lots of slashdot users thinking-- oh, I should fix my firewall, I have all these DNS requests; but that's normal operation for a client workstation. Your firewall would be broken only if all your DNS queries failed, and you'd know it pretty fast if that were the case.
So long, and thanks for all the Phish
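The two posts above (AOL's per-proxy lookups, and the point that only one of ten identical requests should ever get past a properly caching nameserver) and the article's remark about firewalls that pass DNS queries out but block the replies all describe the same mechanism: whatever the local resolver fails to cache goes upstream again. The following toy model is an added example, not code from any of the posts or from the SDSC/CAIDA study; the "upstream" is a constructed in-memory table, the names and addresses are made up, and nothing is sent on the wire.

```python
"""Toy model of a recursive resolver's cache, showing which client and
network conditions turn into repeated upstream (root/TLD-level) queries.

Added example, not code from the Slashdot posts or the SDSC/CAIDA study.
UPSTREAM_DATA and NEGATIVE_TTL are constructed; nothing touches the network.
"""
import time

# Constructed authoritative data: name -> (answer, TTL in seconds).
UPSTREAM_DATA = {
    "www.example.com": ("192.0.2.10", 300),
    "mail.example.com": ("192.0.2.25", 60),
}
NEGATIVE_TTL = 120  # constructed SOA minimum used to cache NXDOMAIN (RFC 2308 style)


class Upstream:
    """Stands in for everything beyond the local resolver and counts every query."""

    def __init__(self, drop_responses=False):
        self.queries = 0
        # drop_responses models the firewall the article describes: the query
        # gets out, the reply never gets back in, so the client times out.
        self.drop_responses = drop_responses

    def query(self, name):
        self.queries += 1
        if self.drop_responses:
            return None
        answer = UPSTREAM_DATA.get(name)
        return answer if answer is not None else ("NXDOMAIN", NEGATIVE_TTL)


class CachingResolver:
    def __init__(self, upstream, caching=True, negative_caching=True,
                 clock=time.monotonic):
        self.upstream = upstream
        self.caching = caching
        self.negative_caching = negative_caching
        self.clock = clock
        self.cache = {}  # name -> (answer, absolute expiry time)

    def resolve(self, name):
        name = name.rstrip(".").lower()
        now = self.clock()
        cached = self.cache.get(name)
        if cached is not None and cached[1] > now:
            return cached[0]  # served from cache; nothing goes upstream
        result = self.upstream.query(name)
        if result is None:
            return None  # timed out: nothing to cache, so the next call asks again
        answer, ttl = result
        if self.caching and (answer != "NXDOMAIN" or self.negative_caching):
            self.cache[name] = (answer, now + ttl)
        return answer


class FakeClock:
    """Deterministic clock so TTL expiry can be exercised without sleeping."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def upstream_queries(names, resolvers=1, **kwargs):
    """Send the same query stream round-robin through `resolvers` independent
    caches (one per AOL-style proxy) that share one upstream; return how many
    queries reached the upstream."""
    drop = kwargs.pop("drop_responses", False)
    up = Upstream(drop_responses=drop)
    pool = [CachingResolver(up, **kwargs) for _ in range(resolvers)]
    for i, name in enumerate(names):
        pool[i % len(pool)].resolve(name)
    return up.queries


if __name__ == "__main__":
    stream = ["www.example.com"] * 10
    print("one shared cache:", upstream_queries(stream))                       # 1
    print("no cache at all:", upstream_queries(stream, caching=False))         # 10
    print("ten separate proxies:", upstream_queries(stream, resolvers=10))     # 10
    print("replies blocked by firewall:",
          upstream_queries(stream, drop_responses=True))                       # 10
    print("bogus TLD, no negative cache:",
          upstream_queries(["king.elvis"] * 10, negative_caching=False))       # 10
```

The `drop_responses` case is the one worth checking on a real network: every retry costs an upstream query and nothing is ever cached, so a single broken firewall rule produces a steady stream of identical queries. The `negative_caching=False` case is the ".elvis" problem in miniature: NXDOMAIN answers that are not cached send every repeat back to the root.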
It all comes out in the end anyway. Say AOL has 100 proxies. If 10,000 AOL users visit your site, then it'll look like only 100 unique visitors. Granted this is more than the 1 unique visitor that it would look like for most proxies, but it's still less than the actual number, not more. Presumably there are significantly fewer proxies at AOL than there are users. It only really matters to small sites like yours and mine, where we're getting excited about each and every visitor, and 10 all at once makes us need a new keyboard.
Is there a performance increase in using OpenNIC? Or a noticeable one anyways?
:-)
As long as they don't support new.net, I'm switching over
I'll have something intelligent to add one of these days...
To do a reverse lookup, the resolver sends a different request type, asking for a PTR resource record. The form is to put the IP address (or network address) backwards, and append
If you have your own DNS server and watch your DNS traffic, you can see these two effects happening differently.
For a forward (A or MX record) lookup:
Local server queries root server for an A record
Root server responds with NS record for the registry of the domain
Local server contacts registry server for A
Registry server responds with NS records for the domain
Local server contacts the domain's server, which responds with an A record
Local server answers the resolver with the A record.
For a reverse (PTR) lookup, the resolver traverses the netblock providers:
Local server queries the root servers with a properly constructed PTR request (z.y.x.w.in-addr.arpa.)
Root server knows only where major net blocks are allocated, and returns the NS record of a Regional Internet Registry (RIPE, APNIC, etc)
Local server again queries an RIR NS with the PTR
RIR NS knows which ISPs hold which blocks, so responds with the ISP NS record
Local server again queries the ISP NS server, which either has the reverse hostname, or once again returns the NS record of the local DNS server.
The two different types of queries follow different paths, either Name Registries or Netblock Providers. This article points out that many resolvers are broken because they allow obvious reverse lookups to pass as forward lookups, and then can't deal with the resulting error messages.
I have often seen broken resolvers repeatedly query DNS servers I manage, possibly because, as the article points out, fucked firewalls allow the requests out but block the requests from getting back to the resolver. It happens so much I just ignore it when I see it; it's not worth notifying the admins because they are usually too clueless to know how to fix the problem.
the AC
Hemos is like...sci-fi fans;he thinks technology is cool, but he hasn't bothered to understand the science it's based on
So please send all you CPU to me!
(Duh, of course we don't need it but it's nice to have!)
If the First 98% are unnecessary and the last 2% are unnecessary as well...that's 100%...
That means that you just explained and wished for the Internet to go away...
or...you somehow figured out how an end user can magically come up with the IP for a host name from thin air. Go You. You're a Millionaire.
www.fotoforay.com
Hey, the hex-colon notation isn't ugly. It's butt fugly. I mean seriously, to generate a colon on any standard keyboard, you have to hold shift and hit the semicolon key. Worse, you can't use the number pad for quick entry because there are a bunch of hex digits in there as well (plus there's no colon on the digit pad). Despite all of the talk about never needing to input an IP address again with DNS, we all know how often you are forced back to the ip only world when things go wrong.
Oh well. The avalanche has started, it is too late for the pebbles to vote.
I read the internet for the articles.
Really, we should have some sort of gnutella-like system for distributing zone files. The problem with DNS is that it was designed a LONG time ago before the more recent advances in P2P networks.
There shouldn't be much argument at this point that we need DNS2 - the current system is vulnerable to attack.
The problem is that, if you distribute zone files (or pieces of zone files) among a loosely-connected network, then you will need to establish trust. These zone files would have to be signed, and the certificate authority then becomes the bottleneck.
It hurts my head.
[slides slowly toward door]
So you want to combine protocols from 3 different layers of the network model, and not even adjacent layers at that?
[eases door open]
And you want to do this because many ISPs might consider there is some value to a static IP and charge you more for it?
[briefly mourns impending demise of DirecTV DSL]
Riiigghht.
[dives out door, slamming it. runs for thorazine dart gun.]
The press release only scratches the surface. For more information, have a look at the NANOG presentation from October 2002.
The Internet was shown to be a scale-free network by U. Notre Dame physicist Barabasi. It means that the majority of the Web Page Requests is only for a fraction of the total Web Pages (the 'hubs').
Thus the 98% DNS Queries might be needed for only a minority of connections (I am assuming that Web Traffic is the bulk of Internet Traffic here).
Repetitive queries from the same nameserver in rapid succession, full-blown email addresses, search engine queries -- those are unnecessary, illegitimate queries that indicate not only bad nameserver configuration, but also bad application software. How many assorted DNS query permutation tricks have the various versions of Netscape Navigator tried over the years?
It should be a pre-requisite to remember each and every ip address before accessing the internet. :)
Problem solved.!!
do this now:
host slashdot.org | awk '{print $4" "$1}' >> /etc/hosts
2 1337 4 u!
yes, but now everyone's IP can look like:
: ::be:a:beef:ace
3ffe:10d7:::dead:beef:cafe:babe
and
2001:234d
what exciting words and numbers can you come up with 1234567890ABCDEF!
The parent is exactly right, I wish I had some mod points!
On the whole, I find that I prefer Slashdot posts to twitter ones because I don't get limited to 140 chars before
This is slashdot, after all...
Look at the actual analysis:
We also made an attempt to identify problem-prone end user applications. Our analysis helped to find and fix a bug in Microsoft Win2k resolver.
Reverse lookups go by sending a PTR request containing an IP address to a DNS server, versus an A request with a name. This snippet from tcpdump shows a request from one of my boxen to my DNS server:
Reverse:
12:59:31.814847 defender.licensedaemon > gimpy.domain: 20091+ PTR? 1.65.0.199.in-addr.arpa. (41)
12:59:31.816003 defender.1029 > arrowroot.arin.net.domain: 19500 [b2&3=0x10] [1au] PTR? 1.65.0.199.in-addr.arpa. (52)
Forward (complete request cycle from defender to gimpy):
13:11:54.760484 defender.globe > gimpy.domain: 47604+ A? www.gtei.net. (30)
13:11:54.761597 gimpy.1029 > dnsauth1.sys.gtei.net.domain: 51438 A? www.gtei.net. (30)
13:11:54.977584 dnsauth1.sys.gtei.net.domain > gimpy.1029: 51438*- 1/3/3 A 128.11.42.31 (167) (DF)
13:11:54.978626 gimpy.domain > defender.globe: 47604 1/3/0 A 128.11.42.31 (119)
DNS & BIND is the first book to use for more info, though.
// Agent Green (Ian / IU7 / KB1JQO)
// IEEE 802.3: All 10base Are Belong To Us
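The earlier post on forward versus reverse resolution (root to registry to domain for an A record; root to RIR to ISP for a PTR) and the tcpdump capture just above both come down to one thing a resolver operator can check in their own logs: what is actually being asked, and of which type. The classifier below is an added example, not code from any of the posts or from the SDSC/CAIDA study. It reads tcpdump-style summary lines in the format quoted above and sorts each query into the categories the article and the thread name (reverse lookups, bare IP addresses sent as forward lookups, e-mail addresses, unqualified names, nonexistent TLDs, exact repeats). SAMPLE is constructed and its hosts and addresses are made up; KNOWN_TLDS is a short constructed subset standing in for the real root zone list.

```python
"""Classify DNS queries by the kinds of "unnecessary" request the root-server
study describes, reading tcpdump-style summary lines.

Added example, not code from the Slashdot posts or from the SDSC/CAIDA study.
SAMPLE is constructed to imitate the tcpdump format quoted above; the hosts
and addresses in it are made up. KNOWN_TLDS is a short constructed subset,
not the real root zone.
"""
import ipaddress
import re
from collections import Counter

KNOWN_TLDS = {"com", "net", "org", "edu", "gov", "mil", "int", "arpa",
              "uk", "de", "jp", "ca", "au"}

# Query lines look like:
#   12:59:31.814847 client.1025 > ns.domain: 20091+ PTR? 7.2.0.192.in-addr.arpa. (41)
# Responses carry "1/3/3 A ..." instead of "TYPE? name" and do not match.
TCPDUMP_RE = re.compile(
    r"^(?P<time>\S+) (?P<src>\S+) > (?P<dst>\S+): (?P<id>\d+)\+?"
    r"(?: \[[^\]]*\])* (?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+) \(\d+\)$"
)

SAMPLE = """\
12:59:31.814847 host1.1025 > ns.example.domain: 20091+ PTR? 7.2.0.192.in-addr.arpa. (41)
12:59:32.100000 host1.1026 > ns.example.domain: 20092+ A? 192.0.2.7. (30)
12:59:32.200000 host2.1027 > ns.example.domain: 20093+ A? www.example.com. (33)
12:59:32.250000 host2.1027 > ns.example.domain: 20093+ A? www.example.com. (33)
12:59:33.000000 host3.1028 > ns.example.domain: 20094+ A? king.elvis. (28)
12:59:33.500000 host3.1029 > ns.example.domain: 20095 [1au] MX? bob@example.org. (33)
12:59:34.000000 host4.1030 > ns.example.domain: 20096+ A? wpad. (22)
12:59:34.100000 ns.example.domain > host2.1027: 20093 1/0/0 A 192.0.2.10 (49)
"""


def parse_query(line):
    """Return (src, qtype, qname) for a tcpdump query line; None for responses."""
    m = TCPDUMP_RE.match(line.strip())
    if not m:
        return None
    return m.group("src"), m.group("qtype"), m.group("qname").rstrip(".").lower()


def reverse_name(ip):
    """The owner name a correct PTR query uses: 192.0.2.7 -> 7.2.0.192.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


def classify(qtype, qname):
    name = qname.rstrip(".").lower()
    if name.endswith(".in-addr.arpa") or name.endswith(".ip6.arpa"):
        return "reverse-lookup"          # properly constructed PTR-style name
    try:
        ipaddress.ip_address(name)
        return "ip-as-name"              # an address sent as if it were a hostname
    except ValueError:
        pass
    if "@" in name:
        return "email-address"           # application pasted a mailbox into a lookup
    if not re.fullmatch(r"[a-z0-9._-]+", name):
        return "malformed"
    labels = name.split(".")
    if len(labels) == 1:
        return "unqualified-name"        # single label: search-list or typo leakage
    if labels[-1] not in KNOWN_TLDS:
        return "nonexistent-tld"         # the ".elvis" case from the article
    return "ok"


def summarize(lines):
    """Count categories, and count exact repeats of (client, type, name)."""
    categories = Counter()
    seen = set()
    repeats = 0
    for line in lines:
        q = parse_query(line)
        if q is None:
            continue
        src, qtype, qname = q
        key = (src.rsplit(".", 1)[0], qtype, qname)  # drop the source port
        if key in seen:
            repeats += 1
        seen.add(key)
        categories[classify(qtype, qname)] += 1
    return categories, repeats


if __name__ == "__main__":
    cats, reps = summarize(SAMPLE.splitlines())
    for cat, n in sorted(cats.items()):
        print(f"{cat:18s} {n}")
    print(f"exact repeats      {reps}")
```

The ordering of the checks matters: the in-addr.arpa test has to come before the bare-address test, otherwise a correct PTR name is never seen. On a real resolver the KNOWN_TLDS set would be loaded from the published root zone rather than hard-coded, which is exactly the "list of valid top-level domains" several posters ask for.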
A DNS query for an IP address is a *BAD REQUEST* contrary to what some of these other posters have said. Asking a root server to resolve anything in the first place is bad - they should only be asked for NS records - and in the second place, an IP address is not a valid domain name (unless ICANN has surreptitiously added 256 new top level domains, namely, the numbers 0 thru 255).
Most networks that I've seen are badly broken this way. The usual problem is that the network in question may use private address space (192.168.1.0/24 for example), but fail to install reverse DNS for these addresses, causing delays and other problems when machines try to get the name associated with their IP address or that of a local machine connecting to them. Yes, you heard right - if you use any of the 192.168.x.x, 10.x.x.x, or 172.16-32.x.x addresses, you are broken unless you install DNS to resolve for those addresses! This also goes for any IP netblock in general, although most ISPs these days are setting up dummy records for their unused IP space that'll cover their customers' allocations ok.
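The fix the post describes, serving reverse DNS for your own private space so PTR lookups get answered locally instead of leaking out, comes down to a small in-addr.arpa zone with a PTR for every address, dummy or not. The generator below is an added example, not code from the post or from any project; the network, domain and host names in it are constructed, and it deliberately handles only an IPv4 /24 because that is the case the post uses.

```python
"""Generate a BIND-style reverse zone for a private /24 so that PTR lookups
for it are answered locally, with dummy records for the unused addresses.

Added example, not code from the post or from any project. The network,
domain and host names are constructed for the demonstration.
"""
import ipaddress


def reverse_zone(network, domain, ns, hosts, serial=2002100401):
    """Return (origin, zone_text). `hosts` maps address -> canonical FQDN with
    a trailing dot; every other address gets a generic dummy PTR so the lookup
    still resolves. Only IPv4 /24 networks are handled here."""
    net = ipaddress.ip_network(network, strict=True)
    if net.version != 4 or net.prefixlen != 24:
        raise ValueError("this generator only handles IPv4 /24 networks")
    first_three = str(net.network_address).split(".")[:3]
    origin = ".".join(reversed(first_three)) + ".in-addr.arpa."
    lines = [
        f"$ORIGIN {origin}",
        "$TTL 86400",
        f"@ IN SOA {ns} hostmaster.{domain} ( {serial} 3600 900 604800 86400 )",
        f"@ IN NS {ns}",
    ]
    for ip in net.hosts():  # .1 through .254
        last_octet = str(ip).rsplit(".", 1)[1]
        target = hosts.get(str(ip), f"ip-{str(ip).replace('.', '-')}.{domain}")
        lines.append(f"{last_octet} IN PTR {target}")
    return origin, "\n".join(lines) + "\n"


def ptr_records(zone_text):
    """Parse the PTR lines back into {owner FQDN: target}, as a check that the
    generated owners are the names a resolver actually asks for."""
    origin, records = None, {}
    for line in zone_text.splitlines():
        parts = line.split()
        if parts[:1] == ["$ORIGIN"]:
            origin = parts[1]
        elif len(parts) == 4 and parts[1:3] == ["IN", "PTR"]:
            records[f"{parts[0]}.{origin}"] = parts[3]
    return records


def expected_owner(ip):
    """Owner name of a PTR query for `ip`, e.g. 10.1.168.192.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


if __name__ == "__main__":
    origin, zone = reverse_zone(
        "192.168.1.0/24", "corp.example.", "ns1.corp.example.",
        {"192.168.1.10": "fileserver.corp.example."},
    )
    print(zone.splitlines()[0])  # $ORIGIN 1.168.192.in-addr.arpa.
    print(ptr_records(zone)[expected_owner("192.168.1.10")])
```

The zone is only useful if the local resolver is actually authoritative for the origin it prints; the point of the post is that the query for `10.1.168.192.in-addr.arpa.` must be answered inside the network and never reach an RIR or the root.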
I love hearing the life story of Taco, and I think every Slashdot reader should see this.
The SDSC is a part of UCSD, so whatever comes from one comes from the other. Both have huge amounts of bandwidth. Of course, most of you probably aren't connecting to them by Internet2, so if it gets Slashdotted, it is for that reason only.
Let me get this straight. This is a study of DNS conducted by CAIDA at SDSC at UCSD? I need a host list for these acronyms!
Linux at home
3 3 3
While you gripe about the notation of IPv6, you offer no alternative.
This doesn't even take into account the 99.9% of web pages suck or are unnecessary anyways.
Who said that root calls were always about finding web pages (poor or not)?
So long, michael. Don't let the door hit you...
You haven't seen unnecessary until you've seen how our high school's network is set up... I tested it one time, by setting up Ethereal on a single client PC, in a computer lab. I captured over 1000 packets in about 20 sec. (This was while I was doing nothing network related on the test PC.) Most of the packets were DNS lookups. Pretty sad when a computer in the front of the room has to pass a DNS query through the computer next to it, just to get a response.
-------
"In times of universal deceit, telling the truth becomes a revolutionary act."
-- George Orwell
I'll bet a large percent of the queries, especially for bogus top-level domains, are due to lookups by MTAs when receiving SPAM. Think of the numbers!
This doesn't mean that even these queries shouldn't be handled better -- just that SPAM lookups cause a bunch of 'em.
Well, apparently, you only have to fool the majority of people for a little while.
Checkout both Sympatico and Rogers here in Toronto. You can switch ISPs, given you manually entered the DNS, and it works.
We discovered this in Pakistan, when the national ISPs (Paknet) DNS servers would go down. We would keep a list of IPs of DNS servers from ISPs in the USA, and just use those. They'd work 90% of the time.
This is a problem for a couple of reasons. To begin with, the DNS tree gets more complicated as some computers might retain old DNS IPs across ISPs, and it's simply not designed for this. It's an example of bad System Administration.
"Give orange me give eat orange me eat orange give me eat orange give me you." -Nim Chimpsky
... if you want something done right, just DDOS it. Then as we've witnessed here, many months later *coff* genius *coff* scientists will find a way to improve efficiency by 98%!! Why, oh why, do we keep bashing | 31337 skr1p7 |1dd13s?! Everyone in society is needed, even the lame. :P
No trees were killed in the making of this post; however, many trillions of electrons were horribly inconvenienced.
Now think about this. Only 2% are valid queries, while 98% are invalid. Let's say the average client (or recursive DNS server) makes 1 invalid or malformed query for every 1000 queries, which seems like a good number. That means that only 0.002% of valid queries have to go through the root DNS servers. That seems like a great design if you ask me.
$ ./bogus-request-generator^C
$
There. I hope you're happy now!
I use "66.35.250.150", what internet are YOU using?
Meet new people, and kill them.
The poster mentioned how much better IPv6 would be, which is designed around having 6 numbers (255*255 more IP addresses). So yes, with just IPv6 and no DNS, you would have to memorize 6 numbers for each web site.
This happens every time I run out of mod points.
plz someone mod parent as funny.
Looks like a joke to me.
I can't truthfully say that I noticed a performance difference, but let's say that it seems that there should be. (a difference here and there can add to an entire experience) Anyways, I've had a Tier 2 Opennic server for awhile now and I've been happy with it. Also, looking at the root zone via a text editor can be interesting to see where all of the TLDs point to. Don't forget that you have much more access to other TLDs that ICANN doesn't endorse since Opennic peers with other namespaces.
who are not half as smart as they like to think they are.
SURELY in any application that deals with a ton of data, a maelstrom with which they can hardly keep up, the *first thing you do* is filter out every single possible malformed and nonsensical processing item so you don't have to process it.
And what you DON'T do is kick anything that doesn't make sense upstairs. What were they thinking?
And THIS - the fact that a DNS server - A DNS SERVER! - doesn't know that .elvis does not exist is CRIMINALLY NEGLIGENT. How hard is it to put the little text list file in every DNS server?
WHAT THE HELL WERE THEY THINKING????
Mod me down, take your best shot. JEEZ those Unix snots burn me up.
It's Christmas everyday with BitTorrent.
It would be nice if the local DNS servers had a list of valid top level domains so that it would kill requests to non-existent ones.
What happens if I set up my bind so it first queries the normal ICANN approved TLDs, then uses, say, Pacific Root's root server for unofficial TLDs? Now if I query for bbc.news, the official root server says non-existent while Pacific Root happily sends me on my way to the BBC's news site.
I know that things will work better if I convince my ISP to use Pacific Root TLDs not in the normal 7 TLDs and use their properly configured, richly cached DNS server for a fast response, but they're boneheads and who cares if the root servers are jammed with bogus requests?
Apocalypse Cancelled, Sorry, No Ticket Refunds
ummm.... no
234.54.197.233.90.222
MODERATORS: WARNING! GOATSE.CX LINK!
lame ness filter. yeah yeah yeah.
Absolutely right. I was looking at an older, unused mechanism for doing reverse lookups that includes an "IQUERY" status in the header. The actual mechanism is as you say-- it's actually a QTYPE=PTR message and the addition of in-addr.arpa to the IP address.
Leads to the same conclusion, though. Sending an IP address without the QTYPE=PTR and in-addr.arpa add-on is pointless and wastes server bandwidth.
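The two points raised above (a "little text list" of delegated TLDs at the local resolver, and bare IP addresses that should have been PTR queries under in-addr.arpa) can be combined into a pre-filter that runs before a resolver forwards anything toward the root. The following is an added example written for this page; it is not code from the thread or from any DNS implementation. `KNOWN_TLDS` is a constructed stand-in for the TLD list (it goes stale, which is exactly the objection raised later in the thread, so a real deployment would regenerate it from the root zone rather than hard-code it), and `LOCAL_TLDS` is a constructed list of private suffixes the local server is authoritative for, so intranet names are never treated as bogus. It generalises slightly beyond the comment by handling IPv6 literals (`ip6.arpa`) as well as IPv4.

```python
"""
Pre-filter DNS query names before a resolver forwards them toward the root.

Added example, not code from the thread or from any DNS implementation.
Assumptions (all constructed for the example):
  - KNOWN_TLDS stands in for the "little text list file" of delegated TLDs;
    it goes stale, so a real deployment would regenerate it from the root
    zone rather than hard-code it.
  - LOCAL_TLDS lists private suffixes the local server is authoritative for,
    so intranet names are never treated as bogus.
"""
import ipaddress
import string
from collections import Counter
from typing import List, Tuple

KNOWN_TLDS = {"com", "net", "org", "edu", "gov", "mil", "int", "arpa", "uk", "de", "jp"}
LOCAL_TLDS = {"acme", "renderweb"}

# Characters allowed in a label: hostname characters plus '_' (used by SRV/TXT names).
_LABEL_CHARS = set(string.ascii_lowercase + string.digits + "-_")


def _valid_label(label: str) -> bool:
    return 0 < len(label) <= 63 and set(label) <= _LABEL_CHARS


def classify_query(qname: str) -> Tuple[str, str]:
    """Return (verdict, name_to_send).

    'forward' - well-formed name under a known or locally served TLD
    'rewrite' - a bare IP literal sent as a forward query; the correct query
                is QTYPE=PTR for the in-addr.arpa / ip6.arpa name returned here
    'drop'    - empty, malformed, or under a TLD that is not delegated
    """
    name = qname.strip().rstrip(".").lower()
    if not name:
        return "drop", qname

    # A literal address is not a hostname; the resolver should ask for the
    # reverse name instead of shipping "10.0.0.1" to the root.
    try:
        addr = ipaddress.ip_address(name)
    except ValueError:
        addr = None
    if addr is not None:
        return "rewrite", addr.reverse_pointer + "."

    labels = name.split(".")
    if not all(_valid_label(lbl) for lbl in labels):
        return "drop", qname
    if len(name) > 253:
        return "drop", qname

    tld = labels[-1]
    if tld in LOCAL_TLDS or tld in KNOWN_TLDS:
        return "forward", qname
    return "drop", qname


def summarize(qnames: List[str]) -> Counter:
    """Count verdicts for a batch of query names (e.g. from a resolver log)."""
    return Counter(classify_query(q)[0] for q in qnames)


if __name__ == "__main__":
    # Constructed sample of what a busy resolver sees, mirroring the thread's
    # complaints: typed search terms, raw IPs, made-up TLDs, real names.
    sample = [
        "www.example.com", "mail.example.net", "cleetus.renderweb",
        "10.0.0.1", "192.0.2.44", "2001:db8::1",
        "www.elvis", "my.printer", "what is dns?", "foo..com",
    ]
    for q in sample:
        print(f"{q:20s} -> {classify_query(q)}")
    print(summarize(sample))
```

Running the sample classifies three names as forwardable, rewrites the three address literals into PTR names, and drops the four that are malformed or under an undelegated TLD. Whether a "drop" should be a silent discard or a locally synthesised NXDOMAIN is a policy choice; the latter is friendlier to clients and is what negative caching gives you anyway.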
Oh. you're just scaremongering. Everyone knows that you'd write that as http://[1080::8:800:200C:417A]/index.html
Like that would be hard to remember. Pshah.
...cheap H1-B sysadmins, maybe they'd be configured better!
Actually, I've always had a theory that Microsoft coined ".msn" because they wanted to get their own top level domain.
It's not wasting time, I'm educating myself.
Clue 1: It's not the root servers which don't know that .elvis does not exist.
Clue 2: It's not the unix snots who wrote the software doing those queries.
Given how often people say "DNS server," why not drop the redundant "S" to save bandwidth?
"[...] 98% of the DNS queries at the root level are unnecessary. This doesn't even take into account the 99.9% of web pages suck or are unnecessary anyways." Don't forget to factor in 'bots, which comprise maybe 75% of all web traffic. It's a self-sustaining system; in fact it may well behoove the likes of Sun to crank up a few thousand automated crawlers, just to tweak the numbers higher still.
I would also bet that a significant percentage of the bogus domain lookups are due to spam. However, I'd bet a significant percentage of those are due to moron recipients trying to follow up on the spam.
My company was deluged awhile back by people requesting information on our "new money making scheme." Turns out that they were all replying -- by email, fax, web hits, and telephone -- to a single piece of spam sent by some other dumbass that used our domain.
Yes it is. All ISPs use UNIX or UNIX knockoffs for all their server and routing hardware. All the people responsible for this stuff are UNIX techs.
You don't know what you are talking about, so you rant.
There is nothing malformed about a .elvis DNS request. ICANN might decide to open up .elvis registrations tomorrow and program the root servers to respond to them. If every DNS server had to be reprogrammed every time a new TLD was added, it would be a maintenance problem whenever the TLDs were expanded.
The elegant part of the design was to define the protocol to look up unknown TLDs and unrecognized TLDs at the roots. It didn't anticipate a few million monkeys typing search terms into browser address lines.
The fault for the excess lookups lies with the application programmers.
I have discovered a truly marvelous sig, unfortunately the sig limit is too small to contain i
Except that you find your ISP's cache is either configured wrongly, out of date or just plain doesn't work. Maybe using the root servers is bad netiquette, but I'd rather that than have users moaning at me because addresses won't resolve because someone at the ISP doesn't understand DNS.
Resistance is futile. Reactance buggers it up.
Uhm... if my DNS server returned errors because it assumed a domain on my LAN didn't exist, I'd break somebody's head. My DNS server manages domain for seven boxen that make up a network of web services I'm developing. Since cleetus.renderweb is handled by my DNS, which runs essentially the same code as almost every other DNS in the world, there isn't a problem.
Betcha think that your browser should complain if you don't give it a domain that begins with www. and ends with .com, or .net, too, don'cha?
I can think of some important things to consider about the interaction of your network and root servers.
1. Some 3rd party DNS programs, like NetIQ and Preside, require you to have root servers configured. Some will even break if you put false root information into it.
2. All unknown queries are sent to root servers, like your DMZ'ed networks. (Depends on whether your software has a failsafe mode, but Bind can be disabled.)
3. Other TLD's are queried by the root domains. .GPRS used for 3G phone networks (example) might also query the wrong root level servers.
4. With security being a hot topic, networks are switching from recursive lookups to iterative mode, which makes for more visible lookups on a network sniff through increased traffic.
Also, you can offload dns on your home networks by using a local dns server. Really handy, caches lookups, saves bandwidth, easier to set up than bind, and can use your /etc/hosts file to pretend you have DNS on a nat'ed network. dnsmasq on freshmeat is a very nice choice.
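The comment's last point, a local caching resolver in front of the upstream, is worth quantifying, because the earlier estimate in the thread (only a tiny fraction of queries ever needing the root) depends entirely on caching working, including for names that do not exist. The following toy resolver is an added example for this page, not code from the thread or from dnsmasq; `UPSTREAM` is a constructed table standing in for the answers an upstream resolver would return, and no network is used. It shows the effect of negative caching of NXDOMAIN answers (RFC 2308) on the "bogus TLD" traffic the article is about.

```python
"""
Toy caching resolver showing why a local cache (dnsmasq-style) keeps most
traffic away from the upstream/root servers, and why *negative* caching of
NXDOMAIN answers (RFC 2308) matters for the bogus-TLD case.

Added example, not from the thread or from dnsmasq. UPSTREAM is a
constructed stand-in for the answers an upstream resolver would return.
"""
from collections import Counter
from typing import Dict, Optional, Tuple

# name -> (answer, ttl). answer None means NXDOMAIN; its ttl is the negative
# cache TTL taken from the zone's SOA record in a real resolver.
UPSTREAM: Dict[str, Tuple[Optional[str], int]] = {
    "www.example.com.": ("192.0.2.10", 300),
    "www.example.net.": ("198.51.100.7", 60),
    "printer.elvis.": (None, 900),
}


def canonical(name: str) -> str:
    name = name.lower()
    return name if name.endswith(".") else name + "."


class CachingResolver:
    def __init__(self, negative_cache: bool = True) -> None:
        self.cache: Dict[str, Tuple[Optional[str], int]] = {}  # name -> (answer, expires_at)
        self.negative_cache = negative_cache
        self.upstream_queries: Counter = Counter()

    def resolve(self, name: str, now: int) -> Optional[str]:
        name = canonical(name)
        entry = self.cache.get(name)
        if entry is not None and entry[1] > now:
            return entry[0]                     # cache hit, nothing leaves the LAN
        self.upstream_queries[name] += 1        # cache miss: ask upstream
        answer, ttl = UPSTREAM.get(name, (None, 60))
        if answer is not None or self.negative_cache:
            self.cache[name] = (answer, now + ttl)
        return answer


def simulate(negative_cache: bool, seconds: int = 600) -> Tuple[int, int]:
    """Replay a constructed workload; return (client queries, upstream queries).

    Each second: one client asks for www.example.com, another keeps asking for
    the nonexistent printer.elvis; every tenth second someone asks www.example.net.
    """
    r = CachingResolver(negative_cache)
    total = 0
    for t in range(seconds):
        r.resolve("www.example.com", t)
        r.resolve("printer.elvis", t)
        total += 2
        if t % 10 == 0:
            r.resolve("www.example.net", t)
            total += 1
    return total, sum(r.upstream_queries.values())


if __name__ == "__main__":
    for neg in (True, False):
        total, up = simulate(neg)
        print(f"negative caching {'on ' if neg else 'off'}: "
              f"{up} of {total} queries reached upstream ({100.0 * up / total:.2f}%)")
```

With negative caching on, 13 of the 1260 simulated queries reach upstream; with it off, the one client hammering a nonexistent name alone accounts for 600 upstream queries. That is the mechanism by which a properly configured local resolver, rather than a hand-maintained TLD list, keeps junk off the root.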
fucked firewalls allow the requests out, but block the requests from getting back to the resolver. It happens so much I just ignore it when I see it; it's not worth notifying the admins because they are usually too clueless to know how to fix the problem.
or, even better, the clueless admins email abuse@your.domain some firewall log snippet complaining that your name servers are attacking them with UDP packets!
i think he's pretty much offering IPv4 as an alternative.
"a little text file on every DNS server"
Must be "a windows Guru" to make a comment like that. So what would you put in this file? .everything .in .the .dictionary .except .the .top .name .domains?
Yeah, that's a little text file.
Ok, I know the details of the MS Resolver not doing queries to the nameserver correctly...and I understand the motivation for wanting to make a cleaner healthier internet. I even accept that maintaining the root nameservers isn't necessarily (to my knowledge) directly rewarded monetarily.
When do we get to the point that the root nameservers accept their place on the internet as the starting point for looking up people. This is similar to 411 or a phone book. How many times have you looked up a phone number to find out it was an unlisted or wrong city number.
I agree with them that code should be cleaner and traffic should be cleaned up, but a lot of the reporting coming off of these articles tend to sound like whining.
I don't blame the researchers, or the root nameserver maintainers for this. It's just something to keep in mind. I have to deal with spammers and open relays most days. It's my job! I signed up for it.
This space intentionally left blank.
98% of root DNS queries are probably for pr0n sites. Those are *not* unnecessary queries!
Watch this Heartland Institute video
Why don't we just shut down the root servers then? Surely there's no point in keeping them running for a measly .1% of requests.
The (Hopefully) Great Slashdot Blackout Apr 21-27
--OK, my brane hurts now. I read the whole thread. Will someone please explain to a non isp admin level person WHAT exactly a single lone luser should do to "help out" and to also make it so their own surfing queries can be automagically parsed to IP numbers, thereby eliminating the "load" all this "looking up" business does? So far I see "name server". Note I *think* I understand it, but up to a dozen open pages now telling me I got to do this and that and every other word is an acronym. Or should I bother? My idea is I want my frequently accessed pages to be guaranteed to be in IP number form so that if/when/who knows something happens to the net I still got a chance to get from point A to B. The other part I get is "bind sucks", I have that on my redhat install, so what else should I do (use), with the caveat it has to be as simple as possible, and this is a dynamic connection on a modem.
Thanks in advance for any coherent non troll replies!
IPv6 addresses are 128 bits in length, unlike IPv4 which are 32 bits. That means there are 2^96 times as many addresses, or 255 * 255 * 255 * 255 * 255 * 255 * 255 * 255 * 255 * 255 * 255 * 255 times as many. IPv6 addresses look more like this:
182a:92b:425c:af39:3:10b7:5253:0
(note that I made this address up randomly)
Not sure what IPv6 you're talking about...
I know the zone doesn't change all that often, and you can get it by FTP (for example, here), but I wouldn't want a stale copy of the zone mysteriously borking my networks.
TIA
--
There is no hatred more pure and true than that expressed by children.
While it's true that many admins are clueless, there is no question that DNS servers should be easier to set up.
I don't consider myself completely clueless. I have set up many DNS servers over the years and I find it painful every time. The bind config files are stupidly complicated (much like Sendmail) for simple setups and require way too much knowledge about how bind works. DNS server setup should be a point-and-fire operation, not an exercise of Einstein proportions.
Maxwelld is a daemon process that governs a small gate. For all queries that suck, maxwelld closes a tiny gate. Whenever a query that doesn't suck comes along, maxwelld opens the gate. Only the important and necessary queries are allowed through. This does not violate the laws of entropy. Physicists believe that the inverse entropy generated by this process is radiated into the Murphy field.
I thought it was 73.3 percent ;)
Cover your eyes and click this link!
if everyone could just remember the ip's of their favourite sites then there wouldn't be any need for DNS at all!
I've had Slashdot's IP in my signature for months. All I have to do is go to slashdot.org, log-in, view my post history, and select a post I've made. Then, I click on the IP link in the sig and there! I'm at slashdot!
My experience with Apache tells me that, when using name-based virtual hosting, if you send an HTTP/1.1 request without the "Host:" header (btw, your browser puts this in when you visit a site based on DNS hostname anyways, after resolving its IP and connecting to that as is normal), Apache returns the site configured in the first 'VirtualHost' block in your 'httpd.conf' file.
Pete
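The point made above, that reaching a name-based virtual host by IP alone lands you on whichever site is configured first, is easy to see with a tiny server that dispatches on the Host header the same way. This is an added example modelled on the behaviour the comment describes; it is not Apache's code, and `VHOSTS` is a constructed configuration whose order stands in for the order of `VirtualHost` blocks.

```python
"""
Name-based virtual hosting in miniature: select the site from the Host
header, falling back to the first configured site when the header is missing
or names an unknown host (e.g. when the client connected by bare IP).

Added example, not Apache code. VHOSTS is a constructed configuration.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional, Tuple

# Order matters: the first entry is the default, like the first VirtualHost block.
VHOSTS = [
    ("www.example.com", b"site A: example.com\n"),
    ("www.example.net", b"site B: example.net\n"),
]


def select_vhost(host_header: Optional[str]) -> Tuple[str, bytes]:
    """Return the (name, body) pair for a Host header value; port is ignored."""
    if host_header:
        host = host_header.split(":")[0].strip().lower()
        for name, body in VHOSTS:
            if name == host:
                return name, body
    return VHOSTS[0]   # missing or unknown Host: first configured site wins


class Handler(BaseHTTPRequestHandler):
    def do_GET(self) -> None:
        _, body = select_vhost(self.headers.get("Host"))
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args) -> None:   # keep the demo output quiet
        pass


def fetch(port: int, host_header: Optional[str] = None) -> bytes:
    """GET / on the local server, optionally omitting the Host header entirely."""
    conn = http.client.HTTPConnection("127.0.0.1", port)
    conn.putrequest("GET", "/", skip_host=True)   # we control whether Host is sent
    if host_header:
        conn.putheader("Host", host_header)
    conn.endheaders()
    body = conn.getresponse().read()
    conn.close()
    return body


if __name__ == "__main__":
    srv = HTTPServer(("127.0.0.1", 0), Handler)      # port 0: pick a free port
    port = srv.server_address[1]
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        print(b"Host: www.example.net -> " + fetch(port, "www.example.net"))
        print(b"Host: 203.0.113.5     -> " + fetch(port, "203.0.113.5"))
        print(b"no Host header        -> " + fetch(port))
    finally:
        srv.shutdown()
        srv.server_close()
```

The demo connects with a proper hostname, with a bare IP in Host, and with no Host header at all; only the first request reaches site B, the other two fall through to site A. The same fallback is why an IP-only bookmark stops working the moment a second site is added to the same address.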
That's fine as long as you don't want to run your own private tld for your own network. I've done this several times, .yourcompanyiesinitials, .acme etc. This works well for intranets where you don't want to have to remember or type long huge names and makes it easy to add more detailed info, i.e. 2500.router.hq.acme 1900.cataylst.hq.acme ibmthinkpad1.workstations.hq.acme spark5.hq.acme, firewall.acme honeypot.acme
It makes an easy naming scheme for your network and provides lots of details. And you can always also serve a real internet domain and have your smtp server use the external real internet domain for any mail leaving the intranet.