All name servers on one segment?
Jim Reid
jim at rfc1035.com
Mon May 7 15:42:31 UTC 2001
>>>>> "Kenneth" == Kenneth Porter <shiva at well.com.invalid> writes:
Kenneth> Given the recent DNS attack on Microsoft, does it make
Kenneth> sense for a large site to have all its name servers on
Kenneth> one segment?
No. It makes no sense for ANY site or DNS zone to have ANY single
point of failure in their DNS configuration. Read RFC2182: "Selection
and Operation of Secondary DNS Servers".
Kenneth> I'm a HostPro hosting customer and I've noted that all
Kenneth> their name servers are in 209.196.128/24. That seems
Kenneth> particularly vulnerable.
Indeed.
Kenneth> HostPro also doesn't keep domain records consistent with
Kenneth> root records: For my two accounts they list
Kenneth> dns[12].hostpro.net as my name servers in NSI's records,
Kenneth> but the domain itself (sewingwitch.com) lists
Kenneth> dns[12].netlimited.net for NS records. All 4 servers are
Kenneth> in the same netblock, which suggests a single point of
Kenneth> failure.
Yup.
Kenneth> For an economy hosting service, HostPro has done a pretty
Kenneth> good job for me. Their handling of DNS leaves me a bit
Kenneth> less than confident, though. Are my concerns misplaced?
Not at all. They are perfectly valid and reasonable.
There are better options. For small amounts of DNS data, there's a
free, highly-available slave DNS service at secondary.com. This is
provided on Nominum's professional DNS hosting service, GNS. You can
find out more information about that at http://www.nominum.com,
including a White Paper on the GNS architecture. Disclaimer: I work
for Nominum and helped design GNS.
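The two weaknesses raised in this exchange (every name server sitting in one netblock, and the NS set at the registry disagreeing with the NS set inside the zone) are easy to check mechanically. The script below is an added example, not code from the thread or from HostPro or Nominum. It works entirely on constructed data: the NS names follow the thread, but the addresses are hypothetical hosts placed inside the 209.196.128/24 block for illustration, and the "good" configuration uses RFC 5737 documentation addresses. In practice the two NS sets would come from a query to the parent zone's servers and to the zone's own servers.

```python
"""Audit a zone delegation for two single-point-of-failure symptoms:
1. all name servers resolving into the same network segment, and
2. the parent's NS records disagreeing with the NS records in the zone itself.
"""

import ipaddress
from typing import Dict, Iterable, List, Set

# Constructed example data modelled on the thread: NS names as seen at the
# registry (parent) versus in the zone (child), plus hypothetical A records.
# The addresses are not real lookups; they are placeholders inside 209.196.128/24.
PARENT_NS: Set[str] = {"dns1.hostpro.net", "dns2.hostpro.net"}
CHILD_NS: Set[str] = {"dns1.netlimited.net", "dns2.netlimited.net"}
ADDRESSES: Dict[str, str] = {
    "dns1.hostpro.net": "209.196.128.10",      # constructed
    "dns2.hostpro.net": "209.196.128.11",      # constructed
    "dns1.netlimited.net": "209.196.128.20",   # constructed
    "dns2.netlimited.net": "209.196.128.21",   # constructed
}

# A configuration that follows RFC 2182 advice: servers on different networks.
GOOD_NS: Set[str] = {"ns1.example.net", "ns2.example.net"}
GOOD_ADDRESSES: Dict[str, str] = {
    "ns1.example.net": "192.0.2.53",      # RFC 5737 documentation range
    "ns2.example.net": "198.51.100.53",   # RFC 5737 documentation range
}


def delegation_mismatch(parent_ns: Iterable[str], child_ns: Iterable[str]) -> Dict[str, List[str]]:
    """Return the NS names present on only one side of the delegation."""
    parent, child = set(parent_ns), set(child_ns)
    return {
        "only_in_parent": sorted(parent - child),
        "only_in_child": sorted(child - parent),
    }


def distinct_segments(names: Iterable[str], addresses: Dict[str, str], prefixlen: int = 24) -> Set[str]:
    """Map each server address to its containing /prefixlen network and collect the unique ones."""
    segments: Set[str] = set()
    for name in names:
        addr = addresses.get(name)
        if addr is None:
            continue  # unknown glue; cannot place this server on a segment
        net = ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)
        segments.add(str(net))
    return segments


def single_point_of_failure(names: Iterable[str], addresses: Dict[str, str], prefixlen: int = 24) -> bool:
    """True when every resolvable server lives in one segment (or none resolve at all)."""
    return len(distinct_segments(names, addresses, prefixlen)) <= 1


def audit(parent_ns: Set[str], child_ns: Set[str], addresses: Dict[str, str], prefixlen: int = 24) -> List[str]:
    """Produce human-readable findings for the delegation; an empty list means no issue found."""
    findings: List[str] = []
    mismatch = delegation_mismatch(parent_ns, child_ns)
    if mismatch["only_in_parent"] or mismatch["only_in_child"]:
        findings.append(
            "parent/child NS mismatch: parent-only=%s child-only=%s"
            % (mismatch["only_in_parent"], mismatch["only_in_child"])
        )
    all_servers = parent_ns | child_ns
    segments = distinct_segments(all_servers, addresses, prefixlen)
    if single_point_of_failure(all_servers, addresses, prefixlen):
        findings.append(
            "all %d name servers sit in one /%d segment: %s"
            % (len(all_servers), prefixlen, ", ".join(sorted(segments)) or "(unresolved)")
        )
    return findings


if __name__ == "__main__":
    for line in audit(PARENT_NS, CHILD_NS, ADDRESSES):
        print("FINDING:", line)
    if not audit(GOOD_NS, GOOD_NS, GOOD_ADDRESSES):
        print("good configuration: no findings")
```

The /24 granularity is a deliberate simplification: a shared /24 is a strong hint that the servers share a router, a switch and an upstream, which is the failure mode RFC 2182 warns about, but servers in different /24s can still share a building or a provider, so the prefix length is a parameter rather than a verdict.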