Will Vista Overload the DNS?

Jamie Northern writes, "Thanks to new directory software, Windows Vista could put a greater load on Internet DNS servers. But experts disagree over whether we're headed for a prime-time traffic jam or an insignificant slowdown. Paul Mockapetris,inventor of DNS, believes Vista's introduction will cause a surge in DNS traffic because the operating system supports two versions of the Internet Protocol (IPv4 and IPv6). David Ulevitch, chief executive at OpenDNS, a provider of free DNS services, said Vista's use of IPv6 will not disrupt the Internet at large. 'DNS can be improved, but predicting its collapse is just spreading FUD.'"

Why any different than Linux or MacOS X?

[Midnight+Thunder]

Linux and MacOS X are both capable of having both IPv6 and IPv4 stacks, and in many cases this is active by default. Why would Vista cause any more problems?

If you have a good setup then you will have a lookup cache on your local machine storing both IPv6 and IPv4 addresses for each site. Therefore only one lookup should need to be done.

Re:Why any different than Linux or MacOS X?

[Antique+Geekmeister]

Linux and MacOS tend to be a lot saner about caching behavior, and are often properly configured with a local caching DNS server in more sane setups than the millions of Vista machines expected to be built when Vista is finally released. And as corporate environments switch hundreds or thousands of updated or new machines to Vista, the load on upstream DNS servers, especially the root servers, can be expected to climb quite drastically at some very odd times.

The DNS for Microsoft itself is one of the most vulnerable possibilities: if that goes down for an hour or so, as all the Internet Explorer servers and mis-programmed default Internet Explorer search settings hit microsoft.com for their default web page, those servers are going to take very large loads. And spreading out the load for such hits on the root servers for .com is not a small task: they may have to get services from Akamai to survive the hits.

I'm sure that Microsoft also *hates* having to use Akamai servers for anything, due to Akamai's understandable reliance on Linux for core services.

Re:Why any different than Linux or MacOS X?

[kickdown]

> why would there be any more requests than there are now with Windows? After all a single DNS lookup should easily get the AAAA and A address in one shot, unless I am misunderstanding the protocol.

I think you are: you can only request one record type at a time. So you ask either A or AAAA; and given that the rule of thumb is to prefer IPv6 if present, first goes your AAAA and then your A question.
What you _could_ do is ask for the type ANY, which will make the server return everything it happens to know. But then you have no guarantee the info is exhaustive: the server will only give back those records that it already has in its cache; it will not ask the authoritative name server. So then you might miss something.

What generates a lot more DNS traffic than AAAA records is the fact that the world has forgotten that URLs terminate with a trailing dot. If you leave it out, it's a _relative_ URL and the resolver on your machine has to trial-and-error if you perhaps meant it with a dot.

Example: you type www.foo.com in your browser. Your resolver is configured to append bar.org. to relative URLs. Then you'll generate a completely useless request for www.foo.com.bar.org. just to find out it doesn't exist, and then guess the domain www.foo.com. is meant. That depends on your search order and cleverness of your resolver of course, you might as well be lucky and it works out.

Re:Why any different than Linux or MacOS X?

[EnderGT]

First of all, you can request more than one record at a time - the specification explicitly allows for more than one Question in the message. Second, the server will frequently return other records that it thinks will be helpful or will be requested shortly. For example, if the original request maps to a CNAME, the mapping could be followed and the correct A record returned (this is called additional section processing). In fact, the AAAA spec requires that queries that trigger additional section processing (e.g. query for NS or MX records) must look for AAAA as well as A records.

The response packets may be larger, but I don't think there will be more of them.

This is ridiculous

[eln]

For a guy who "invented DNS," he sure doesn't seem to have much of a grasp of how the current DNS infrastructure works.

First off, most DNS servers are very lightly loaded. DNS in general doesn't take a whole lot of traffic (relative to other protocols), and most DNS servers are way overpowered for what they need to do.

Secondly, as the article states, Vista is not going to just blindly do two queries, one IPv4 and the other IPv6, for every request. It is a little more intelligent than that (shocking, I know). For systems that don't have an IPv6 address (which will be virtually all of them given the current adoption rate of IPv6), no IPv6 DNS queries will be done at all.

Linux and other Unix-like OSes have supported IPv6 for years, and they haven't managed to kill DNS yet. Most Vista installations, like most Linux installations these days, are going to have IPv6 disabled anyway, so this is not going to have any real impact at all.

Re:This is ridiculous

[LnxAddct]

He works for a company that sells DNS solutions, so obviously he's just trying to scare up some more business.
Regards,
Steve

Re:This is ridiculous

[weeble]

I expect that Windows will have the IPv6 link local address enabled.

Thus just as Linux currently has an IPv6 interface enabled by default - even if it is not connected to any other machines over IPv6 it will still do AAAA lookups just as Linux does.

The host that it might be looking for may be itself on the IPv6 loopback interface.

Complicated mumbo jumbo

[Asrynachs]

That's just a bunch of meaningless technical jargain. They seem to forget that DNS overhead was down by 34% since last year and it's projected to drop by another 20% midway through 2007. So any 'slow downs' as they call them would be soaked up by the rent left from the overhead surplus. yingers

The knee in the curve, mentioned by Paul

[davecb]

When working with response time instead of %CPU, the curve is quite different from what one normally sees.

It starts off level, at some number of milliseconds (mostly the round-trip time) and stays that way until the load hits 100%, then increases rapidly and without bound.

For example, if a lookup takes 1/10 second, it will continue to take 1/10 second until there are 10 requests per cpu per second.

After that a queue builds up, and the requests are delayed. Brutally. At a mere 100 requests/second, the delay is 10 seconds, instead of one tenth.

Now imagine that at the huge loads the DNS servers typically handle.

When someone says "they've hit the knee of the curve", he really means "they're about to fall in the toilet" (;-))

--dave

Re:Insignificant

[Intron]

It probes for ipv6 first, then falls back to ipv4. This is the default setting for many unix systems as well. You usually find your system running slowly, then find a setting for this and turn it off to eliminate the timeout delay.

As for how big a spike it can cause, see this for the effect of Windows' active directory update scheme on the root servers.

Re:Remove the need for NAT?

[IHawkMike]

When I say NAT, I don't mean firewall, I mean Network Address Translation. True, its function is usually performed by a firewall or gateway, but I'm not talking about stateful inspection or anything like that. NAT simply replaces the source and destination addresses in IP packet headers to allow multiple private IPs to use a single public IP (keeping track of conversations and such). More importantly for security, however, NAT prevents uninitiated outside connections from reaching devices inside the private network unless specifically configured as a server. What this means is that even without a firewall, a worm exploiting some neat new Vista "feature" will not be able to penetrate NAT to access ports on the not-yet-patched computers inside.

Re:Windows IPv6 support

[A5un]

Yes, you can install IPv6 stack for WinXP with a single command. However, the stack does not support DNS query in IPv6 (not AAAA query via IPv4), which kind of destroy the hope of deploying pure IPv6 network.

How IPv6 DNS works.

[mikeal]

Nobody seems to understand how IPv6 DNS works.

First off, when your box asks for any address from your dns server, the dns server hits the public internet root name servers and gets the Start of Authority (SOA). This tells your dns server (or you if you wanna set up one locally) where to get DNS information for that domain. None of that changes with IPv6.... NOTHING. It can still make all of those requests over IPv4 and it doesnt' matter and it will never duplicate the requests.

Now that your dns server knows where to get the zone file for that address it goes and gets it from the SOA. If both IPv6 and IPv4 are supported then you'll have a main A record and main AAAA record (quad A) in that zone. Which ever one comes first should be the one that is honored, this is so that the people who own the domain can specify if they prefer you to use IPv6 or IPv4 (Note: WindowsXP has a bug in which it ALWAYS uses the IPv4 address if one exists).

So the increase in traffic is only between you and your dns server if the dns server is configured to get the entire zone file and not just query for a single entry (this is the proper way to configure a dns server that intends on supporting IPv6 because if you don't get the entire zone file then you don't know which protocol to prefer, it's also just a good idea and you should be getting the zone's TTL and honoring at well -- I'm anal about this by the way). If your dns server is configured to query for each entry then the traffic is only between that dns server and the start of authority. So this will not increase the load on the world wide traffic to root name server AT ALL.

Re:How IPv6 DNS works.

[TCM]

if the dns server is configured to get the entire zone file and not just query for a single entry (this is the proper way to configure a dns server that intends on supporting IPv6 because if you don't get the entire zone file then you don't know which protocol to prefer

That's just plain wrong. Getting the whole zone file is done via AXFR requests and should only be allowed for slaves of the server. No client will ever do an AXFR to query a record.

The preference of IPv6 vs. IPv4 is done by the client only. If it wants IPv6 first, it will ask for an AAAA record first.

Your first sentence is true, I'm afraid.

Re:How IPv6 DNS works.

[thegameiam]

minor nitpick - the XP IPv6 stack bug isn't that it always uses IPv4, it's that it NEVER uses IPv6 for DNS queries. I verified this through lots of testing recently, and it totally cheesed me off... :(

And here I was so happy that they included the auto-config fec0:0:0:ffff::1 - 3 DNS server addresses, but XP won't send a request either to them or to a manually configured V6 server.

-David

Re:Useless to blame this on Vista

[TCM]

Besides, only routers that support IPv6 will even route the DNS requests to DNS servers.

This has nothing to do with IPv6 transport but rather IPv6 records (AAAA).

Re:Windows IPv6 support

[shani]

However, the stack does not support DNS query in IPv6 (not AAAA query via IPv4), which kind of destroy the hope of deploying pure IPv6 network.

You don't need a "pure IPv6 network".

You can give private IP addresses (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) to users' computers for talking with your recursive DNS servers.

They can use IPv4 to talk to your DNS server, and IPv6 to talk to the Internet (or anyplace else they need a globally unique IP address).

Of course, you'd need to use non-Microsoft software on your recursive DNS servers. But BIND runs on Windows, so it's not a huge problem. :)

Re:Quite right...

Guess you didn't get it .

Re:Non-news?

Microsoft disabled raw socket support in XP SP2 to prevent exactly those types of attacks as outlined by the grc site.

http://www.microsoft.com/technet/prodtechnol/winxp pro/maintain/sp2netwk.mspx

"This change limits the ability of malicious code to create distributed denial-of-service attacks and limits the ability to send spoofed packets, which are TCP/IP packets with a forged source IP address."

Not so FUD after all.

Experts Agree: This is BS

[Effugas]

This is Dan Kaminsky, from the article.

Here's what I threw on my blog on this matter. Note, the fact that this got presented as even a debate annoyed me enough to start posting on my site again.

--

Paul Mockapetris says Vista is going to take down the Internet's DNS infrastructure. Paul is the inventor of DNS; I met him at Black Hat last year and was half starstruck, half relieved he didn't hate me for the things I'd done to his creation :) Paul knows DNS. It's his creation. But you'll note in this story that Joris Evers can't actually find anyone who agrees with Paul.

There's a reason.

First, while there are indeed a couple underprovisioned name servers, there's far more that have lots and lots of slack capacity. You need slack capacity to deal with shock load. The networks that would fail because of Vista's release, would fail because of a three day weekend.

Second, Vista's not getting deployed all at once. This is no service pack that's deployed to a hundred million desktops via Windows Update! Mockapetris is correct in that there will be a noticable increase in DNS traffic, but that increase will be spread out over the course of a couple years. Slow increases like this tend not to cause the sort of catastrophic failure that Mockapetris refers to.

Finally, and most importantly (in the sense that Mockapetris should know better): Most of the work done to service the IPv6 request, is cached and available to service the IPv4. To complete a DNS lookup, you have to locate a particular server, known as the authoritative server for a domain. The same authoritative server that hosts the IPv6 (AAAA) record also hosts the IPv4 (A) record. So even if Vista sends twice the traffic, the upstream nameserver is certainly not experiencing twice the load.

Full disclosure: Microsoft has had me looking at Vista for much of this year, as part of their "Blue Hat Hacker" external pen-testing squad. But then, Mockapetris has written a really impressive name server for his company, Nominum, that can handle about 4x the load of BIND. But this isn't about who we are; it's about what is or isn't going to collapse. There are things to worry about. This isn't one of them.

IPv4 space exhaustion

[shani]

Why yes, Geoff Huston has analyzed the problem pretty thoroughly:

http://www.potaroo.net/tools/ipv4/

So, we're looking at just under 6 years.

BTW, Geoff Huston is a guru.

Not the real problem

[rs79]

A friend of mine sent this to me this morning when we were discussing this:

"I manage the operation of about 70% of the world's root DNS servers, and run authoritative TLD servers (mostly secondaries) for about 30% of the world's TLDs (mostly CCtlds). We measure carefully.

IPv6 isn't even 0.01% of the total, and doesn't matter.

The real load on name servers comes not from IPv6 but from Windows machines flooding the world with RFC1918 in-addr requests and with lookup requests in the .LOCAL TLD. The last time I looked, about 40% of the traffic to global name servers was this bogus windows shit. If Vista fixes that, then its release will be a net positive.

We started and sponsor the AS112 Project ( http://public.as112.net/ ) to try to mop up some of the Windows mess. No one believes that we'll need to extend it to IPv6, but we're paying attention."

He is of course right, the nonsense windows does has been a problem for years.