Slashdot Mirror
Will Vista Overload the DNS?
Jamie Northern writes, "Thanks to new directory software, Windows Vista could put a greater load on Internet DNS servers. But experts disagree over whether we're headed for a prime-time traffic jam or an insignificant slowdown. Paul Mockapetris,inventor of DNS, believes Vista's introduction will cause a surge in DNS traffic because the operating system supports two versions of the Internet Protocol (IPv4 and IPv6). David Ulevitch, chief executive at OpenDNS, a provider of free DNS services, said Vista's use of IPv6 will not disrupt the Internet at large. 'DNS can be improved, but predicting its collapse is just spreading FUD.'"
There would be no news....
Undetectable Steganography? Yep, there's an app fo
just friggin deploy ipv6
Linux and MacOS X are both capable of having both IPv6 and IPv4 stacks, and in many cases this is active by default. Why would Vista cause any more problems?
If you have a good setup then you will have a lookup cache on your local machine storing both IPv6 and IPv4 addresses for each site. Therefore only one lookup should need to be done.
Jumpstart the tartan drive.
For a guy who "invented DNS," he sure doesn't seem to have much of a grasp of how the current DNS infrastructure works.
First off, most DNS servers are very lightly loaded. DNS in general doesn't take a whole lot of traffic (relative to other protocols), and most DNS servers are way overpowered for what they need to do.
Secondly, as the article states, Vista is not going to just blindly do two queries, one IPv4 and the other IPv6, for every request. It is a little more intelligent than that (shocking, I know). For systems that don't have an IPv6 address (which will be virtually all of them given the current adoption rate of IPv6), no IPv6 DNS queries will be done at all.
Linux and other Unix-like OSes have supported IPv6 for years, and they haven't managed to kill DNS yet. Most Vista installations, like most Linux installations these days, are going to have IPv6 disabled anyway, so this is not going to have any real impact at all.
When Vista comes out, it will be introduced gradually compared to the millions of installed Win98/NT/XP systems.
It will take years until/if it reaches considerable marketshare. ISPs have plenty of time to upgrade in the meantime.
It takes a man to suffer ignorance and smile
Be yourself no matter what they say
This has to do with the necessary gradual migration from IPV4 to IPV6, and has nothing to do with Vista. Besides, only routers that support IPv6 will even route the DNS requests to DNS servers. If we want to switch to IPV6, every OS out there is going to have support both in tandem like this. You can't bitch about the slow adoption of IPV6, and then turn around and bitch again when there are insignificant consequences related to the transition.
I'm sure Microsoft will have a tool in the Network Setting applet, to upgrade DNS servers to be Vista compatable. If MS has a hand in the DNS servers, it will greatly improve interoperability.
Have you read my journal today?
... so that's what FUD stands for! ;)
That's just a bunch of meaningless technical jargain. They seem to forget that DNS overhead was down by 34% since last year and it's projected to drop by another 20% midway through 2007. So any 'slow downs' as they call them would be soaked up by the rent left from the overhead surplus. yingers
Why would Vista overload the DNS system? slashdot.org is already in my local DNS cache anyway...
Please correct me if I got my facts wrong.
They're like series of tubes. And if they don't understand those tubes can be filled and if they are filled, when you put your message in, it gets in line and it's going to be delayed by anyone that puts into that tube enormous amounts of material, enormous amounts of material.
An Indian-American Hindu committed to non-violent thought/speech/action alarmed by the global explosion of radical Islam
So, many Internet providers have handled 1000% growths over the last few years, but they can't handle a doubling of DNS load over the time it will take everyone to upgrade to Vista?
Yeah right.
Any sufficiently advanced libertarian utopia is indistinguishable from government.
When working with response time instead of %CPU, the curve is quite different from what one normally sees.
It starts off level, at some number of milliseconds (mostly the round-trip time) and stays that way until the load hits 100%, then increases rapidly and without bound.
For example, if a lookup takes 1/10 second, it will continue to take 1/10 second until there are 10 requests per cpu per second.
After that a queue builds up, and the requests are delayed. Brutally. At a mere 100 requests/second, the delay is 10 seconds, instead of one tenth.
Now imagine that at the huge loads the DNS servers typically handle.
When someone says "they've hit the knee of the curve", he really means "they're about to fall in the toilet" (;-))
--dave
davecb@spamcop.net
It probes for ipv6 first, then falls back to ipv4. This is the default setting for many unix systems as well. You usually find your system running slowly, then find a setting for this and turn it off to eliminate the timeout delay.
As for how big a spike it can cause, see this for the effect of Windows' active directory update scheme on the root servers.
Intron: the portion of DNA which expresses nothing useful.
Toaster: "Well lets just hope you don't get an overload..."
Holly: "What if I do get an overload..."
Toaster: "You'll explode!"
When I say NAT, I don't mean firewall, I mean Network Address Translation. True, its function is usually performed by a firewall or gateway, but I'm not talking about stateful inspection or anything like that. NAT simply replaces the source and destination addresses in IP packet headers to allow multiple private IPs to use a single public IP (keeping track of conversations and such). More importantly for security, however, NAT prevents uninitiated outside connections from reaching devices inside the private network unless specifically configured as a server. What this means is that even without a firewall, a worm exploiting some neat new Vista "feature" will not be able to penetrate NAT to access ports on the not-yet-patched computers inside.
If memory serves, Microsoft had an IPv6 stack for Windows 2000 that you could download from Microsoft's research site. In XP, IPv6 is included, but is disabled by default. A single command enables it. My understanding is that in Vista, IPv6 will be enabled by default.
Honestly, we're going to run out of new IPv4 addresses to hand out in a few years. We need IPv6, and I think Microsoft would be foolish not to enable it by default in Vista.
It's also worth pointing out that while Vista might come out on a single day it won't be rolled out in a single day -- it'll take months to years to rollout.
So even if there is an increase in DNS load because of the AAAA before A DNS requests it won't cause rolling blackouts or major network failures.
FWIW, we see about 20% of our requests as AAAA requests. I don't have the number of those that are retried as A requests but I'd guess it's pretty high since we aren't (yet) listening on IPv6 interfaces. We do support AAAA dns requests, of course.
-david
# Hack the planet, it's important.
And there was one guy who said the introduction of Windows XP and its raw sockets API would allow programs to "generate the most damaging forms of Internet attacks." And we all know that the Internet fell apart because of that, right?
FUD.
"Beware of he who would deny you access to information, for in his heart he dreams himself your master."
Nobody seems to understand how IPv6 DNS works.
First off, when your box asks for any address from your dns server, the dns server hits the public internet root name servers and gets the Start of Authority (SOA). This tells your dns server (or you if you wanna set up one locally) where to get DNS information for that domain. None of that changes with IPv6.... NOTHING. It can still make all of those requests over IPv4 and it doesnt' matter and it will never duplicate the requests.
Now that your dns server knows where to get the zone file for that address it goes and gets it from the SOA. If both IPv6 and IPv4 are supported then you'll have a main A record and main AAAA record (quad A) in that zone. Which ever one comes first should be the one that is honored, this is so that the people who own the domain can specify if they prefer you to use IPv6 or IPv4 (Note: WindowsXP has a bug in which it ALWAYS uses the IPv4 address if one exists).
So the increase in traffic is only between you and your dns server if the dns server is configured to get the entire zone file and not just query for a single entry (this is the proper way to configure a dns server that intends on supporting IPv6 because if you don't get the entire zone file then you don't know which protocol to prefer, it's also just a good idea and you should be getting the zone's TTL and honoring at well -- I'm anal about this by the way). If your dns server is configured to query for each entry then the traffic is only between that dns server and the start of authority. So this will not increase the load on the world wide traffic to root name server AT ALL.
So lets see if I'm understanding this right. Dude who sells DNS server software, is saying that an extra DNS query now and then is going to cause 'massive slowdowns'.
Maybe in user interaction. Perhaps, once IPv6 is used now and then, that second dns query will cause an extra 100 ms delay on top of the first 100 ms delay for the first dns query.. causing a human-noticeable slowdown after clicking a link.
This is a slowdown due to round trip times, not because of bandwidth or processing limits. More sequential round trips = more latency. Nothing new. And the second time you visit a given site? It's cached, no round trip at all. So yes, people might, maybe, kinda notice a difference.. on the first visit to a given website on a given reboot of their computer.
But I don't think an extra lookup will be a huge inconvenience even given the sorry state of ISP dns servers(Which, in my experience, aren't that bad unless they can't look up an address. Timeouts are are bad, mmkay? The correct response is nxdomain, not 'server did not respond' 'lets try the next!' 'server did not respond'.....
NAT. Has. Nothing. To. Do. With. Security. Period.
...) can simply set a route to your LAN via your external gateway. The only thing that helps security is a packet filter - which will work just fine with or without NAT.
With plain NAT and no filter, someone on your outer segment (malicious ISP, hacked ISP, other customers of some cable ISPs,
Get rid of NAT now, the sooner the better.
Of course it runs NetBSD. BTC: 1NT7QvbetmANwaMzhpVL6
Come on, it's about time Windows adopts IPv6. We would criticize Vista if it didn't, and as it does we criticize it for it anyways. I'm as pro-M$ as the next /.er but sometimes part of the geek crowd won't even let M$ a chance.
You just got troll'd!
This is Dan Kaminsky, from the article.
:) Paul knows DNS. It's his creation. But you'll note in this story that Joris Evers can't actually find anyone who agrees with Paul.
Here's what I threw on my blog on this matter. Note, the fact that this got presented as even a debate annoyed me enough to start posting on my site again.
--
Paul Mockapetris says Vista is going to take down the Internet's DNS infrastructure. Paul is the inventor of DNS; I met him at Black Hat last year and was half starstruck, half relieved he didn't hate me for the things I'd done to his creation
There's a reason.
First, while there are indeed a couple underprovisioned name servers, there's far more that have lots and lots of slack capacity. You need slack capacity to deal with shock load. The networks that would fail because of Vista's release, would fail because of a three day weekend.
Second, Vista's not getting deployed all at once. This is no service pack that's deployed to a hundred million desktops via Windows Update! Mockapetris is correct in that there will be a noticable increase in DNS traffic, but that increase will be spread out over the course of a couple years. Slow increases like this tend not to cause the sort of catastrophic failure that Mockapetris refers to.
Finally, and most importantly (in the sense that Mockapetris should know better): Most of the work done to service the IPv6 request, is cached and available to service the IPv4. To complete a DNS lookup, you have to locate a particular server, known as the authoritative server for a domain. The same authoritative server that hosts the IPv6 (AAAA) record also hosts the IPv4 (A) record. So even if Vista sends twice the traffic, the upstream nameserver is certainly not experiencing twice the load.
Full disclosure: Microsoft has had me looking at Vista for much of this year, as part of their "Blue Hat Hacker" external pen-testing squad. But then, Mockapetris has written a really impressive name server for his company, Nominum, that can handle about 4x the load of BIND. But this isn't about who we are; it's about what is or isn't going to collapse. There are things to worry about. This isn't one of them.
As rarely as I can say it, MS seems to be doing EXACTLY what should be done. In fact this could be the tipping point that moves us from IPv4 to IPv6. With 95% of the worlds desktops using IPv4 exclusivly, it made no sense worrying about IPv6 in the routers, and it would have been suicide to go to a pure IPv6 implementation. With Vista, most people will, in a few years, upgrade to Vista, switch to Linux or OSX, or be ready to accept being cut off from direct access to the internet. That means that 95% of the worlds desktops with be IPv6 first and formost, and ISPs can confidently move to an IPv6 backbone without fear of cutting off their customers.
Either way, I don't think that NAT is dead. It might change form a bit, but those in control of the numbers are not likely to just start giving them away, just because they have an over abundence of them any more than the Media Barons just give out music just because they have an over abundance of copies of that.
Like what?
What the is it that you expect the average NAT user to be doing that matters with the "end to end paradigm of the internet"?
I am a geeky person, and know what? My NAT-ing Linksys router has never failed to meet my needs for my home internet/home network. In fact, it has a bunch of stuff that I am never likely to use. Ever.
Why are you putting any value on "end to end" when one of those legs is nothing but a threat to the average user (unsolicited inbound).
If it is NOT a threat and you want the inbound traffic, you got a full blown firewall and a DMZ and NAT and know how to configure it, and guess what! Still not a problem!
People like you annoy the piss out of me.
"NAT is not a firewall" (no, it's not, but for the purposes of why an average person that buys them thye sure as fuck are, and WAAYY better than any software solution running on Windows.)
"End to end" Eh? half of that is NOT WANTED. Grandma Joe does not FUCKING WANT any inbound traffic PERIOD. None. Get it? So her "paradigim" is sufficiently fulfilled by "End to".
Didn't we get this thing tested in 2002. Haven't we learned anything? or has it all been forgotten?
http://www.internetnews.com/dev-news/article.php/1 486981
Even when Vista comes out it won't have instant effect on the over all system, but the load will grow in time and the system will have to be customed for that.
Before freaking out. Look at their algorithm.
From TFA:
"""For example, Microsoft designed Vista so PCs will query in the address of the type assigned to the system, the company said.
Computers that don't have an IPv6 address will not do IPv6 queries, the company said.
Also, when a machine does do an IPv6 query, it will do so only to a DNS server that responded to its initial IPv4 query, the company said. "Name errors are not repeated, so the Net traffic will less than double," it said."""
Ok, then you're way too attached to the old times. Nobody I know gives a damn about a couple percent extra overhead in network traffic (especially when the available bandwidth keeps growing, and my ISP upgrades it for free once in a while), however, everybody loves the idea of getting rid of NAT, having a /48 for themselves, automatic address configuration, and lots of other nice things that come with IPv6. Probably also lower ping times, due to improved routing. I wish they also upgraded the port numbers to 32 bits, but ah well.
IPv6 means your TCP packets will get 20 bytes larger. That means that your downloads will take about 1.5% longer. Oh the horror!
Why yes, Geoff Huston has analyzed the problem pretty thoroughly:
http://www.potaroo.net/tools/ipv4/
So, we're looking at just under 6 years.
BTW, Geoff Huston is a guru.
A friend of mine sent this to me this morning when we were discussing this:
.LOCAL TLD. The last time I looked, about 40% of the traffic to global name servers was this bogus windows shit. If Vista fixes that, then its release will be a net positive.
"I manage the operation of about 70% of the world's root DNS servers, and run authoritative TLD servers (mostly secondaries) for about 30% of the world's TLDs (mostly CCtlds). We measure carefully.
IPv6 isn't even 0.01% of the total, and doesn't matter.
The real load on name servers comes not from IPv6 but from Windows machines flooding the world with RFC1918 in-addr requests and with lookup requests in the
We started and sponsor the AS112 Project ( http://public.as112.net/ ) to try to mop up some of the Windows mess. No one believes that we'll need to extend it to IPv6, but we're paying attention."
He is of course right, the nonsense windows does has been a problem for years.
Need Mercedes parts ?
If you call it "accidental" yourself, it's not security in the first place. That's like "hiding" a flawed service on a non-standard port and calling it secure.
Of course it runs NetBSD. BTC: 1NT7QvbetmANwaMzhpVL6
Bullshit.
NAT does help against a certain sort of attack. Maybe only against this sort of attack. Fortunately, against the propably most common sort of attack you can't do anything about. (You can to something about infected websites: use a different browser).
Security is not binary, it's relative. NAT adds yet another bit of security for your computer. Can you feel save with NAT only? Hell, no! Can you feel saver than without NAT? Ask my Windows-using friends that hook their machines up to the net directly how many times they had to reinstall windows untill they could download the security fix from MS faster before they were hit again. Can't remember which worm it was (it khad a bug in its implementation and kept rebooting the machines, you'll know which one I mean). I'm not running Windows, so I didn't care. But fior them NAT would have been a good protection at the time.