Re: [fw-wiz] Allowing DNS servers to operate behind NetScreen 500
From: David Lang (david.lang@digitalinsight.com)
Date: 02/18/03
- Previous message: stefmit: "[fw-wiz] Re: insecurity in internet connection thro cable modems"
- In reply to: Chuck Swiger: "Re: [fw-wiz] Allowing DNS servers to operate behind NetScreen 500"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: David Lang <david.lang@digitalinsight.com> To: Chuck Swiger <chuck@codefab.com> Date: Mon, 17 Feb 2003 20:56:16 -0800 (PST)
Also, some large websites don't load balance behind a single IP address;
instead they use lots of IP addresses.
According to the post-9-11 talks from the folks running the Turner
websites, they haven't found a load balancer they trust to use in their
high-bandwidth environment (>2Gb of internet bandwidth on 9-11, and I think
they mentioned that they are up above 3Gb now). They move servers from one
site to another and change DNS to balance their load. Below is a list of
the cnn.com servers right now; if something significant were to happen,
the list would get significantly longer.
David Lang
web:~# dig cnn.com
; <<>> DiG 9.2.1 <<>> cnn.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24772
;; flags: qr rd ra; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;cnn.com. IN A
;; ANSWER SECTION:
cnn.com. 115 IN A 64.236.24.20
cnn.com. 115 IN A 64.236.24.28
cnn.com. 115 IN A 64.236.16.20
cnn.com. 115 IN A 64.236.16.52
cnn.com. 115 IN A 64.236.16.84
cnn.com. 115 IN A 64.236.16.116
cnn.com. 115 IN A 64.236.24.4
cnn.com. 115 IN A 64.236.24.12
;; Query time: 30 msec
;; SERVER: 64.81.45.2#53(64.81.45.2)
;; WHEN: Mon Feb 17 22:00:27 2003
;; MSG SIZE rcvd: 153
On Mon, 17 Feb 2003, Chuck Swiger wrote:
> Date: Mon, 17 Feb 2003 11:39:57 -0500
> From: Chuck Swiger <chuck@codefab.com>
> To: "'firewall-wizards@honor.ics..." <firewall-wizards@honor.icsalabs.com>
> Subject: Re: [fw-wiz] Allowing DNS servers to operate behind NetScreen 500
>
> Reckhard, Tobias wrote:
> [ ... ]
> > I'd be interested in other, real-world reasons why DNS responses
> > should be allowed to be over 512 bytes in size. Not out of
> > opposition, but out of interest.
>
> MX records for popular domains:
>
> 58-sec% dig aol.com. @pi.codefab.com. mx
> ; <<>> DiG 8.3 <<>> aol.com. @pi.codefab.com. mx
> ; (1 server found)
> ;; res options: init recurs defnam dnsrch
> ;; got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 4, ADDITIONAL: 30
> ;; QUERY SECTION:
> ;; aol.com, type = MX, class = IN
>
> ;; ANSWER SECTION:
> aol.com. 1H IN MX 15 mailin-02.mx.aol.com.
> aol.com. 1H IN MX 15 mailin-03.mx.aol.com.
> aol.com. 1H IN MX 15 mailin-04.mx.aol.com.
> aol.com. 1H IN MX 15 mailin-01.mx.aol.com.
>
> ;; AUTHORITY SECTION:
> aol.com. 1H IN NS dns-01.ns.aol.com.
> aol.com. 1H IN NS dns-02.ns.aol.com.
> aol.com. 1H IN NS dns-06.ns.aol.com.
> aol.com. 1H IN NS dns-07.ns.aol.com.
>
> ;; ADDITIONAL SECTION:
> mailin-02.mx.aol.com. 5M IN A 64.12.136.89
> mailin-02.mx.aol.com. 5M IN A 64.12.136.121
> mailin-02.mx.aol.com. 5M IN A 64.12.137.89
> mailin-02.mx.aol.com. 5M IN A 64.12.137.184
> mailin-02.mx.aol.com. 5M IN A 64.12.138.89
> mailin-02.mx.aol.com. 5M IN A 64.12.138.120
> mailin-03.mx.aol.com. 5M IN A 64.12.136.217
> mailin-03.mx.aol.com. 5M IN A 64.12.136.249
> mailin-03.mx.aol.com. 5M IN A 64.12.137.121
> mailin-03.mx.aol.com. 5M IN A 64.12.137.152
> mailin-03.mx.aol.com. 5M IN A 64.12.138.57
> mailin-03.mx.aol.com. 5M IN A 64.12.138.120
> mailin-04.mx.aol.com. 5M IN A 152.163.224.122
> mailin-04.mx.aol.com. 5M IN A 64.12.136.153
> mailin-04.mx.aol.com. 5M IN A 64.12.137.121
> mailin-04.mx.aol.com. 5M IN A 64.12.137.152
> mailin-04.mx.aol.com. 5M IN A 64.12.138.89
> mailin-04.mx.aol.com. 5M IN A 205.188.156.154
> mailin-04.mx.aol.com. 5M IN A 64.12.138.152
> mailin-01.mx.aol.com. 5M IN A 152.163.224.26
> mailin-01.mx.aol.com. 5M IN A 64.12.136.57
> mailin-01.mx.aol.com. 5M IN A 205.188.156.122
> mailin-01.mx.aol.com. 5M IN A 64.12.137.89
> mailin-01.mx.aol.com. 5M IN A 64.12.137.184
> mailin-01.mx.aol.com. 5M IN A 64.12.138.57
> mailin-01.mx.aol.com. 5M IN A 64.12.138.152
> dns-01.ns.aol.com. 44m44s IN A 152.163.159.232
> dns-02.ns.aol.com. 44m44s IN A 205.188.157.232
> dns-06.ns.aol.com. 1d16h44m41s IN A 149.174.211.8
> dns-07.ns.aol.com. 1d16h44m41s IN A 64.12.51.132
>
> ;; Total query time: 222 msec
> ;; FROM: sec.codefab.com to SERVER: pi.codefab.com. 12.38.161.140
> ;; WHEN: Sun Feb 16 19:07:29 2003
> ;; MSG SIZE sent: 25 rcvd: 699
>
> -Chuck
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@honor.icsalabs.com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
>
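Both dig outputs in this thread report a message size (153 bytes for the cnn.com A answer, 699 for the aol.com MX answer). The Python below, an added example written for this archive page and not part of either poster's message, reproduces those sizes from the record names and counts alone using RFC 1035 label compression, and flags the answer that overflows a classic 512-byte UDP response. Addresses are omitted (constructed zero placeholders), since only the number and names of records affect the size; a server that cannot fit the answer sets the TC bit and the client retries over TCP/53, which is the traffic a firewall policy for DNS must also permit.

```python
import struct

# Minimal DNS wire-format size calculator (an added example, not BIND or any real resolver
# code) showing why the answers quoted above exceed the RFC 1035 512-byte UDP limit.
UDP_LIMIT = 512
TYPE = {"A": 1, "NS": 2, "MX": 15}

def encode_name(name, base, offsets):
    """Encode `name` at message offset `base` with label compression (suffix -> offset)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    out = bytearray()
    while labels:
        suffix = ".".join(labels)
        if suffix in offsets:                      # pointer: 0b11 + 14-bit offset
            return bytes(out) + struct.pack("!H", 0xC000 | offsets[suffix])
        offsets[suffix] = base + len(out)
        out += bytes([len(labels[0])]) + labels[0].encode("ascii")
        labels.pop(0)
    return bytes(out) + b"\x00"                    # root label ends an uncompressed name

def message_size(qname, qtype, records):
    """Wire size of a response: 12-byte header, question, then (owner, type, rdata) RRs."""
    offsets = {}
    msg = bytearray(12)
    msg += encode_name(qname, len(msg), offsets) + struct.pack("!HH", TYPE[qtype], 1)
    for owner, rtype, rdata in records:
        msg += encode_name(owner, len(msg), offsets)
        msg += struct.pack("!HHI", TYPE[rtype], 1, 115)   # TYPE, CLASS IN, TTL (size only)
        if rtype == "A":
            body = bytes(4)                        # placeholder address; only length matters
        elif rtype == "NS":
            body = encode_name(rdata, len(msg) + 2, offsets)          # after RDLENGTH
        else:  # MX: 16-bit preference, then exchange name
            body = struct.pack("!H", 15) + encode_name(rdata, len(msg) + 4, offsets)
        msg += struct.pack("!H", len(body)) + body
    return len(msg)

# Record sets reconstructed from the two dig outputs (names and counts only).
CNN = [("cnn.com", "A", None)] * 8
MX_HOSTS = ["mailin-0%d.mx.aol.com" % n for n in (2, 3, 4, 1)]
NS_HOSTS = ["dns-0%d.ns.aol.com" % n for n in (1, 2, 6, 7)]
AOL = ([("aol.com", "MX", h) for h in MX_HOSTS] + [("aol.com", "NS", h) for h in NS_HOSTS]
       + [(h, "A", None) for h, n in zip(MX_HOSTS, (6, 6, 7, 7)) for _ in range(n)]
       + [(h, "A", None) for h in NS_HOSTS])

def needs_tcp(qname, qtype, records):
    """True when a plain-UDP response cannot carry the whole answer (TC bit, TCP retry)."""
    return message_size(qname, qtype, records) > UDP_LIMIT
```

Running `message_size("aol.com", "MX", AOL)` gives 699 and `needs_tcp(...)` returns True for it, while the cnn.com answer comes out at 153 bytes and fits in UDP.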