Slashdot Mirror
Will Vista Overload the DNS?
Jamie Northern writes, "Thanks to new directory software, Windows Vista could put a greater load on Internet DNS servers. But experts disagree over whether we're headed for a prime-time traffic jam or an insignificant slowdown. Paul Mockapetris,inventor of DNS, believes Vista's introduction will cause a surge in DNS traffic because the operating system supports two versions of the Internet Protocol (IPv4 and IPv6). David Ulevitch, chief executive at OpenDNS, a provider of free DNS services, said Vista's use of IPv6 will not disrupt the Internet at large. 'DNS can be improved, but predicting its collapse is just spreading FUD.'"
There would be no news....
Undetectable Steganography? Yep, there's an app fo
just friggin deploy ipv6
Linux and MacOS X are both capable of having both IPv6 and IPv4 stacks, and in many cases this is active by default. Why would Vista cause any more problems?
If you have a good setup then you will have a lookup cache on your local machine storing both IPv6 and IPv4 addresses for each site. Therefore only one lookup should need to be done.
Jumpstart the tartan drive.
Well...It should be set to use either ipv4 OR ipv6 correct? Or is it set to use both depending on what network it is interacting with? The amount of traffic will increase but it shouldn't increase to the point of dns servers crashing constantly. The fact that ipv6 is implemented at all is great, because it's time to move forward, but I can't see this putting an excessive load on dns servers.
To understand recursion, one must first understand recursion...
For a guy who "invented DNS," he sure doesn't seem to have much of a grasp of how the current DNS infrastructure works.
First off, most DNS servers are very lightly loaded. DNS in general doesn't take a whole lot of traffic (relative to other protocols), and most DNS servers are way overpowered for what they need to do.
Secondly, as the article states, Vista is not going to just blindly do two queries, one IPv4 and the other IPv6, for every request. It is a little more intelligent than that (shocking, I know). For systems that don't have an IPv6 address (which will be virtually all of them given the current adoption rate of IPv6), no IPv6 DNS queries will be done at all.
Linux and other Unix-like OSes have supported IPv6 for years, and they haven't managed to kill DNS yet. Most Vista installations, like most Linux installations these days, are going to have IPv6 disabled anyway, so this is not going to have any real impact at all.
Only unless the majority of the computing world switches over to Vista in a major hurry - I doubt that even in 2 years the majority of the Windows based pc's will have migrated....
When Vista comes out, it will be introduced gradually compared to the millions of installed Win98/NT/XP systems.
It will take years until/if it reaches considerable marketshare. ISPs have plenty of time to upgrade in the meantime.
It takes a man to suffer ignorance and smile
Be yourself no matter what they say
This has to do with the necessary gradual migration from IPV4 to IPV6, and has nothing to do with Vista. Besides, only routers that support IPv6 will even route the DNS requests to DNS servers. If we want to switch to IPV6, every OS out there is going to have support both in tandem like this. You can't bitch about the slow adoption of IPV6, and then turn around and bitch again when there are insignificant consequences related to the transition.
I'm sure Microsoft will have a tool in the Network Setting applet, to upgrade DNS servers to be Vista compatable. If MS has a hand in the DNS servers, it will greatly improve interoperability.
Have you read my journal today?
... so that's what FUD stands for! ;)
That's just a bunch of meaningless technical jargain. They seem to forget that DNS overhead was down by 34% since last year and it's projected to drop by another 20% midway through 2007. So any 'slow downs' as they call them would be soaked up by the rent left from the overhead surplus. yingers
Why would Vista overload the DNS system? slashdot.org is already in my local DNS cache anyway...
Please correct me if I got my facts wrong.
Double the DNS queries are going to do: nothing.
IPV6 is among the most insipid and stupid inventions of all time, allocating a specific address for each atom in the universe (ok, not quite, but close) and does make things ugly. But even with its too-many-octet queries, it's not going to do much damage. Most queries are for LOCAL NETWORK information only. The rest get cached before a demarc point or a tie point.
So, this is much ado about nothing. And Vista isn't a culprit in any event (although I wish I could say it was)-- instead, it's the TWITS THAT BELIEVE THAT IPV6 is a savior.
Ok, I'm better now.
---- Teach Peace. It's Cheaper Than War.
They're like series of tubes. And if they don't understand those tubes can be filled and if they are filled, when you put your message in, it gets in line and it's going to be delayed by anyone that puts into that tube enormous amounts of material, enormous amounts of material.
An Indian-American Hindu committed to non-violent thought/speech/action alarmed by the global explosion of radical Islam
Fact not everyone is going to upgrade to Vista overnight. Heck there are still people with 3.1 out there. Or 95 on Brand New Computers. Even if it does put a load on the DNS Server it would rise gradually over time, As people get Vista one at a time. By the time it would be considered a problem the DNS Server will probably just need an upgrade, and it will probably happen when the DNS upgrade is due. Vista is due after the Back To School and Holoday season so all the people who would rush to get the new OS will not as much as they are well trenched in their daily lives. Most mature and "smart" companies will handle the migration slowly to make sure there are no major problems with Vista and many will wait for SR2. Most users will continue using whatever OS they have on their computer until they buy a new one. So this sudden jump in traffice will not happen.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
While IPv6 will certainly give us all the IP addresses we'll ever need (until every nanomachine gets one), do we really want to do away with NAT? I've always considering NAT to be a blessing regardless of the scarcity of IP addresses. Not giving every user a public IP is a good idea, and as long as protocols don't try to do something silly like putting the IP address in the Application layer (seriously H323... why?) then NAT should always function as intended. Of course, IPv6 address are 4 times larger (bitwise) so I can see some increase in overhead, but not much.
Now, I'm all for M$ bashing, and I realize that they've made some dumb mistakes in the past, but I mean, seriously... Vista isn't the first OS to support both IPv4 and IPv6... OSX does. Linux does.
I can't imagine microsoft making such a horrible design mistake such as this. Shouldn't it be as easy as checking which protocol is being used before sending a request?
talk about FUD.
...spike
Ewwwwww, coconut...
Can we please get rid of this geek circle-jerk? IPv4 isn't ever going away, therefore, we will never transition to IPv6. (And please, tunnelling IPv6 over IPv4 is not a transition in any shape size or form. Wanna see my fidonet-over-IPv4 tunnel?)
Of course, Microsoft could ship an OS WITHOUT ANY IPv4 capability, then probably we'd see IPv6 deployed. Other than that, it's just another checkbox to fill.
So, many Internet providers have handled 1000% growths over the last few years, but they can't handle a doubling of DNS load over the time it will take everyone to upgrade to Vista?
Yeah right.
Any sufficiently advanced libertarian utopia is indistinguishable from government.
When working with response time instead of %CPU, the curve is quite different from what one normally sees.
It starts off level, at some number of milliseconds (mostly the round-trip time) and stays that way until the load hits 100%, then increases rapidly and without bound.
For example, if a lookup takes 1/10 second, it will continue to take 1/10 second until there are 10 requests per cpu per second.
After that a queue builds up, and the requests are delayed. Brutally. At a mere 100 requests/second, the delay is 10 seconds, instead of one tenth.
Now imagine that at the huge loads the DNS servers typically handle.
When someone says "they've hit the knee of the curve", he really means "they're about to fall in the toilet" (;-))
--dave
davecb@spamcop.net
I wish the resolver in Linux distros was as intelligent. It's a pain to keep the resolver, even with ipv6 disabled, from sending a quad A request to the dns server because some application has ipv6 support built in. It's probably the number one cause of the complaint of slow internet access among new linux users.
Toaster: "Well lets just hope you don't get an overload..."
Holly: "What if I do get an overload..."
Toaster: "You'll explode!"
It just to be that the Internet would bring down Windows.
Now Windows will bring down the Internet.
I guess revenge is sweet.
If memory serves, Microsoft had an IPv6 stack for Windows 2000 that you could download from Microsoft's research site. In XP, IPv6 is included, but is disabled by default. A single command enables it. My understanding is that in Vista, IPv6 will be enabled by default.
Honestly, we're going to run out of new IPv4 addresses to hand out in a few years. We need IPv6, and I think Microsoft would be foolish not to enable it by default in Vista.
Microsoft should pay the existing, independent DNS server operators to subsidize scaling for the traffic their products create. MS is making $BILLIONS off the Internet; they should reinvest more in its infrastructure.
Senator Stevens, is that you?
I'm sorry. The number you have reached is imaginary. Please rotate your phone 90 degrees and try again.
Sure, you might get a little extra latency, as the servers parse an IPv4 request prior to an IPv6 one, where the record type required is explicit. Such searches could double the time it takes to get a result. However, doubling a secong gives you two seconds, so I don't feel this is going to prove too stressful.
A bigger problem will be badly-written software that tries to open all connections over IPv4 and waits for a timeout before trying IPv6. This will hang the machine, though, not the Internet. No other user is going to notice or care.
There is one - and only one - way that there could be a problem, and that would be if Vista's IPv6 implementation is broken such that it assumes an absurdly small timeout and therefore floods whatever it is trying to talk with in an unintended DoS attack. Even then, most routers are designed to squelch over-active sources, so the impact of such a flood would be negligable.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Vista doesn't overload DNS servers....people overload DNS servers.
It's also worth pointing out that while Vista might come out on a single day it won't be rolled out in a single day -- it'll take months to years to rollout.
So even if there is an increase in DNS load because of the AAAA before A DNS requests it won't cause rolling blackouts or major network failures.
FWIW, we see about 20% of our requests as AAAA requests. I don't have the number of those that are retried as A requests but I'd guess it's pretty high since we aren't (yet) listening on IPv6 interfaces. We do support AAAA dns requests, of course.
-david
# Hack the planet, it's important.
Take the average and use IPv5. :-) IPv5 don't get no love.
YESTERDAY!!!!!!!
sorry, but its old news.
I for one welcome our new DNS overloads.
Although Vista will more likely be widespread, I hope everybody realises that IPv6 was implemented in OSX quite some time ago. Or is Vista's implementation different somehow?
Windows has more viruses because linux has more virus coders.
You spelled "Ed Whitacre" wrong.
Wanting MS to pay for the load it creates when it makes money isn't the same as forcing it to do so, as AT&T/Verizon/backboneISPs want. It's simple economics, said by a private individual not wielding either a telecom cartel or the Senate.
--
make install -not war
i did wonder why my win2k DNS server went down right after installing Vista RC1?????...... oh wait no it didn't
the FUD to Reality ratio of this story is very high indeed... actually 99% FUD.
Vista will not even make IPv6 DNS requests unless you have an IPv6 address for the machine.
actually I am happy to see you, however that is in fact a banana in my pocket.
And there was one guy who said the introduction of Windows XP and its raw sockets API would allow programs to "generate the most damaging forms of Internet attacks." And we all know that the Internet fell apart because of that, right?
FUD.
"Beware of he who would deny you access to information, for in his heart he dreams himself your master."
Now, buy Windows Vista and help ur cr3w to overload teh |nnerw3b.... LEGAL!1
OMG, lolz WTF?!
...with slowing your personal computer to a crawl with useless services and features, M.S. expands its lethargy to the Internet.
http://www.dslreports.com/forum/remark,15701298?hi lite=vista
My router just killed the entire network, after I was on Vista for like 10-20 minutes.
Very funny, Scotty. Now beam down my clothes.
First, let's take a look at Vista uptake and adoption: not too fast.
Secondly, let's take a look at how many sites are IPV6 now: not too many, in fact, darn few at all.
Thirdly, let's see how many routers are enabled to do IPV6: gosh, nearly all of them. Jolly good, that.
Fourthly, let's see how DNS calls work, whether IPV4, or that gnarly IPV6 stuff: generally, calls are routed to a local segment DNS server. That silly little server actually does something called (yes, that's right!) cacheing addresses, only going upstream to get new stuff! Great! A little binary tree code goes in and looks things up for us; it's nice, really.
Let's say you're a consumer on an ISP network-- say Comcast. The old Comcast people will have to put up a little hardware to do the DNS work. Jolly nice of them, eh? Perhaps you're at a desk in a megacorp-- well you're likely using that Microsoft Stuff to do your DDNS work; in turn, it goes upstream, too. Perhaps you don't use that silly Active Directory stuff and you do BIND. Clever you-- you're already there and it's been working all along.
And IPV6 is simply insane, no matter how measured. Yet we can deal with it because some unbelievably stupid twit said that we can't NAT anymore. This person's place in hell is already reserved. The IETF..... oh, let's don't go there.
---- Teach Peace. It's Cheaper Than War.
Nobody seems to understand how IPv6 DNS works.
First off, when your box asks for any address from your dns server, the dns server hits the public internet root name servers and gets the Start of Authority (SOA). This tells your dns server (or you if you wanna set up one locally) where to get DNS information for that domain. None of that changes with IPv6.... NOTHING. It can still make all of those requests over IPv4 and it doesnt' matter and it will never duplicate the requests.
Now that your dns server knows where to get the zone file for that address it goes and gets it from the SOA. If both IPv6 and IPv4 are supported then you'll have a main A record and main AAAA record (quad A) in that zone. Which ever one comes first should be the one that is honored, this is so that the people who own the domain can specify if they prefer you to use IPv6 or IPv4 (Note: WindowsXP has a bug in which it ALWAYS uses the IPv4 address if one exists).
So the increase in traffic is only between you and your dns server if the dns server is configured to get the entire zone file and not just query for a single entry (this is the proper way to configure a dns server that intends on supporting IPv6 because if you don't get the entire zone file then you don't know which protocol to prefer, it's also just a good idea and you should be getting the zone's TTL and honoring at well -- I'm anal about this by the way). If your dns server is configured to query for each entry then the traffic is only between that dns server and the start of authority. So this will not increase the load on the world wide traffic to root name server AT ALL.
So lets see if I'm understanding this right. Dude who sells DNS server software, is saying that an extra DNS query now and then is going to cause 'massive slowdowns'.
Maybe in user interaction. Perhaps, once IPv6 is used now and then, that second dns query will cause an extra 100 ms delay on top of the first 100 ms delay for the first dns query.. causing a human-noticeable slowdown after clicking a link.
This is a slowdown due to round trip times, not because of bandwidth or processing limits. More sequential round trips = more latency. Nothing new. And the second time you visit a given site? It's cached, no round trip at all. So yes, people might, maybe, kinda notice a difference.. on the first visit to a given website on a given reboot of their computer.
But I don't think an extra lookup will be a huge inconvenience even given the sorry state of ISP dns servers(Which, in my experience, aren't that bad unless they can't look up an address. Timeouts are are bad, mmkay? The correct response is nxdomain, not 'server did not respond' 'lets try the next!' 'server did not respond'.....
Ubuntu has ipV6 too (and it causes headaches for end-users). So what? Is it M$' fault that their OS is popular (more computers probing ipV6 stuff)? Would we see the same news if Ubuntu was the popular thing? I'm probably missing something crucial...
The author of the article is just finding an excuse to hit against Vista. I'm no where defending Vista, but we DO need to move into IPv6 and the only way to do that is to overcome this hump.
Let's see. You say:
"IPv6 makes routing much easier because most of those addresses won't be allocated to anything"
How droll. Do you realize what you've said in justification? Have you done router tables, ever?
Then, you say:
"They serve to keep the address space non-fragmented, so routers will have much smaller routing tables"
Sure. A lot smaller. The number of devices needing unique addresses will shrink and that's why IPV4 is "....about ugly, look at NAT and CIDR and the hack.." In fact, using NAT and CIDR blocks works charmingly-- any number of times, depending on custom and internal whimsy.
The Internet won't be glued together, address-wise, differently in IPV4 v. IPV6. For a while, there'll be nice and cute sorts of blocks doled. Then it will go to hell again, and tables will need to be done that cycle away dirty cache just as is done today. ARP works with both, and therefore can be messy with both (although admittedly, it's tougher to screw up in code w/IPV6).
"...things nicer and cleaner" comes with a beyond-exponential increase in the size of the addressing space. It is without a doubt in my mind, ludicrous. The special place in hell reserved for the numbskulls that wrote the spec will become historical.
---- Teach Peace. It's Cheaper Than War.
I for one, welcome our new DNS overloads!
Even if everyone changed over to IPv6 tomorrow, ISPs like Comcast will still charge for extra IP addresses.
Come on, it's about time Windows adopts IPv6. We would criticize Vista if it didn't, and as it does we criticize it for it anyways. I'm as pro-M$ as the next /.er but sometimes part of the geek crowd won't even let M$ a chance.
You just got troll'd!
This just in: Windows Vista will eat your babies! When questioned about this controversial new "feature," the spokesman from Microsoft cackled nefariously while scheming how to bring and END TO COMPUTING AS WE KNOW IT!
Stay tuned for our coverage of how to completely root Vista RC1 using only a TI-82 graphing calculator, and $500 of everyday electronic components.
This is Dan Kaminsky, from the article.
:) Paul knows DNS. It's his creation. But you'll note in this story that Joris Evers can't actually find anyone who agrees with Paul.
Here's what I threw on my blog on this matter. Note, the fact that this got presented as even a debate annoyed me enough to start posting on my site again.
--
Paul Mockapetris says Vista is going to take down the Internet's DNS infrastructure. Paul is the inventor of DNS; I met him at Black Hat last year and was half starstruck, half relieved he didn't hate me for the things I'd done to his creation
There's a reason.
First, while there are indeed a couple underprovisioned name servers, there's far more that have lots and lots of slack capacity. You need slack capacity to deal with shock load. The networks that would fail because of Vista's release, would fail because of a three day weekend.
Second, Vista's not getting deployed all at once. This is no service pack that's deployed to a hundred million desktops via Windows Update! Mockapetris is correct in that there will be a noticable increase in DNS traffic, but that increase will be spread out over the course of a couple years. Slow increases like this tend not to cause the sort of catastrophic failure that Mockapetris refers to.
Finally, and most importantly (in the sense that Mockapetris should know better): Most of the work done to service the IPv6 request, is cached and available to service the IPv4. To complete a DNS lookup, you have to locate a particular server, known as the authoritative server for a domain. The same authoritative server that hosts the IPv6 (AAAA) record also hosts the IPv4 (A) record. So even if Vista sends twice the traffic, the upstream nameserver is certainly not experiencing twice the load.
Full disclosure: Microsoft has had me looking at Vista for much of this year, as part of their "Blue Hat Hacker" external pen-testing squad. But then, Mockapetris has written a really impressive name server for his company, Nominum, that can handle about 4x the load of BIND. But this isn't about who we are; it's about what is or isn't going to collapse. There are things to worry about. This isn't one of them.
As rarely as I can say it, MS seems to be doing EXACTLY what should be done. In fact this could be the tipping point that moves us from IPv4 to IPv6. With 95% of the worlds desktops using IPv4 exclusivly, it made no sense worrying about IPv6 in the routers, and it would have been suicide to go to a pure IPv6 implementation. With Vista, most people will, in a few years, upgrade to Vista, switch to Linux or OSX, or be ready to accept being cut off from direct access to the internet. That means that 95% of the worlds desktops with be IPv6 first and formost, and ISPs can confidently move to an IPv6 backbone without fear of cutting off their customers.
Either way, I don't think that NAT is dead. It might change form a bit, but those in control of the numbers are not likely to just start giving them away, just because they have an over abundence of them any more than the Media Barons just give out music just because they have an over abundance of copies of that.
I disagree that it's not a huge issue: it means that you can't actually deploy an IPv6-native (i.e. no IPv4) service where there are ANY Windows XP hosts, unless you want to distribute host files (brrrrr....) or have some god-awful tunnelling enabled.
-David
Need Geek Rock? Try The Franchise!
Didn't we get this thing tested in 2002. Haven't we learned anything? or has it all been forgotten?
http://www.internetnews.com/dev-news/article.php/1 486981
Even when Vista comes out it won't have instant effect on the over all system, but the load will grow in time and the system will have to be customed for that.
IPv6 has been waiting in the wings for how long? Why? More hardware, software, and routers need to support it. Now, MS comes along and supports it. This is reported as bad?
/.? I'm not a fan of MS overall, and prefer linux on my servers -- but c'mon people.
What can they do that won't get negative commentary on
The problem with quotes on the internet, is that nobody bothers to check their veracity. -- Abraham Lincoln
Please see, as an example, http://www.technologyreview.com/read_article.aspx? id=13426&ch=infotech which was featured here at /., in early 2004.
What you also didn't know is that I was building computers with discrete transistors forty-three years ago; I suspect you might have been in diapers at that time. And at least we agree about Ontrack, the greatest destroyer (IMHO) of data ever to grow in Minnesota.
IPV6 allows highly discrete addressing. IN fact, unbelievable and untenable discrete addressing. No-UNFATHOMABLE addressing.
Apologists think that we just have to swallow it. TFA implies that Vista will cause problems; nay I say to that. IPV6 is the tragedy here; Vista is small potatoes by comparison.
---- Teach Peace. It's Cheaper Than War.
Before freaking out. Look at their algorithm.
From TFA:
"""For example, Microsoft designed Vista so PCs will query in the address of the type assigned to the system, the company said.
Computers that don't have an IPv6 address will not do IPv6 queries, the company said.
Also, when a machine does do an IPv6 query, it will do so only to a DNS server that responded to its initial IPv4 query, the company said. "Name errors are not repeated, so the Net traffic will less than double," it said."""
Why yes, Geoff Huston has analyzed the problem pretty thoroughly:
http://www.potaroo.net/tools/ipv4/
So, we're looking at just under 6 years.
BTW, Geoff Huston is a guru.
- i mean, they have how many addresses per employee?
Not the series of tubes, noooo!
... do not welcome our new MS overloads.
A friend of mine sent this to me this morning when we were discussing this:
.LOCAL TLD. The last time I looked, about 40% of the traffic to global name servers was this bogus windows shit. If Vista fixes that, then its release will be a net positive.
"I manage the operation of about 70% of the world's root DNS servers, and run authoritative TLD servers (mostly secondaries) for about 30% of the world's TLDs (mostly CCtlds). We measure carefully.
IPv6 isn't even 0.01% of the total, and doesn't matter.
The real load on name servers comes not from IPv6 but from Windows machines flooding the world with RFC1918 in-addr requests and with lookup requests in the
We started and sponsor the AS112 Project ( http://public.as112.net/ ) to try to mop up some of the Windows mess. No one believes that we'll need to extend it to IPv6, but we're paying attention."
He is of course right, the nonsense windows does has been a problem for years.
Need Mercedes parts ?
I like how the article is worded to blame Microsoft, as if they had some control over the issue. MS isn't releasing anything that is orders of magnitude less efficient that say and open source solution to the IP4/IP6 problem, so why are they being painted as villians here? If LINXU was on 90% of all home systems and started migrating to IP6, would this rate the same sort of hatchet job? Yes, there may be increased loads generated for DNS servers by all the PEOPLE switching over, but this is hardly Microsoft's doing. Lets not waste time demonizing them for something that isn't their fault, when we can be blasting them for trying to take over the Internet by destroying Netscape with predatory monopolistic bisiness practices...
HA! I just wasted some of your bandwidth with a frivolous sig!
Bullshit.
NAT does help against a certain sort of attack. Maybe only against this sort of attack. Fortunately, against the propably most common sort of attack you can't do anything about. (You can to something about infected websites: use a different browser).
Security is not binary, it's relative. NAT adds yet another bit of security for your computer. Can you feel save with NAT only? Hell, no! Can you feel saver than without NAT? Ask my Windows-using friends that hook their machines up to the net directly how many times they had to reinstall windows untill they could download the security fix from MS faster before they were hit again. Can't remember which worm it was (it khad a bug in its implementation and kept rebooting the machines, you'll know which one I mean). I'm not running Windows, so I didn't care. But fior them NAT would have been a good protection at the time.
It is interesting that this particular FUD is pointed at Microsoft.
This reminds me of Steve Gibson's predictions that the 'Raw Sockets' capability of Windows XP would bring the Internet to a standstill.
how can (a) dnserver(s) fail before (a) router(s) fail?
"weeee lets route the position information for
each atom in the universe and then start
giving them individual names"
NAT won't die. NAT is a blessing. NAT is like
a smart diode (and i'd say like a tubeless AC
to DC converter but i don't understand enough about that).
i have ipv6 installed on my network; BUT my dsl"router"
doesn't understand ipv6. im guessing my isps routers don't either.
trouble-shoting ipv6 connectivity is a b1tch.
ping fe80::226:54ff:...etc. anyone?
local DHCP and DNS are gonna come in real handy tho. (i can see the
exploits already; once joe-user maps a ipv6 address to something like
"192.168.0.1" t-hehehe...)