All name servers on one segment?

Jim Reid jim at rfc1035.com
Mon May 7 15:42:31 UTC 2001


>>>>> "Kenneth" == Kenneth Porter <shiva at well.com.invalid> writes:

    Kenneth> Given the recent DNS attack on Microsoft, does it make
    Kenneth> sense for a large site to have all its name servers on
    Kenneth> one segment?

No. It makes no sense for ANY site or DNS zone to have ANY single
point of failure in their DNS configuration. Read RFC2182: "Selection
and Operation of Secondary DNS Servers".

    Kenneth> I'm a HostPro hosting customer and I've noted that all
    Kenneth> their name servers are in 209.196.128/24. That seems
    Kenneth> particularly vulnerable.

Indeed.

    Kenneth> HostPro also doesn't keep domain records consistent with
    Kenneth> root records: For my two accounts they list
    Kenneth> dns[12].hostpro.net as my name servers in NSI's records,
    Kenneth> but the domain itself (sewingwitch.com) lists
    Kenneth> dns[12].netlimited.net for NS records. All 4 servers are
    Kenneth> in the same netblock, which suggests a single point of
    Kenneth> failure.

Yup.

    Kenneth> For an economy hosting service, HostPro has done a pretty
    Kenneth> good job for me.  Their handling of DNS leaves me a bit
    Kenneth> less than confident, though. Are my concerns misplaced?

Not at all. They are perfectly valid and reasonable.

There are better options. For small amounts of DNS data, there's a
free, highly-available slave DNS service at secondary.com. This is
provided on Nominum's professional DNS hosting service, GNS. You can
find out more information about that at http://www.nominum.com,
including a White Paper on the GNS architecture. Disclaimer: I work
for Nominum and helped design GNS.
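As an added example (not part of Jim's reply or the bind-users thread), a small Python check for the two problems Kenneth describes: a parent delegation whose NS set disagrees with the zone apex, and every listed server sitting in one /24. Only the host names and the 209.196.128/24 netblock come from the thread; the individual addresses are constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data modelled on the thread: the registry delegation
# lists dns1/dns2.hostpro.net, the zone apex lists dns1/dns2.netlimited.net,
# and all four sit in 209.196.128/24. Host addresses are made up.
PARENT_NS = {"dns1.hostpro.net", "dns2.hostpro.net"}
ZONE_NS = {"dns1.netlimited.net", "dns2.netlimited.net"}
ADDRESSES = {  # hypothetical A records for the name servers
    "dns1.hostpro.net": "209.196.128.10",
    "dns2.hostpro.net": "209.196.128.11",
    "dns1.netlimited.net": "209.196.128.20",
    "dns2.netlimited.net": "209.196.128.21",
}

def ns_mismatch(parent_ns, zone_ns):
    """Return (only_at_parent, only_in_zone); both empty means consistent."""
    return sorted(parent_ns - zone_ns), sorted(zone_ns - parent_ns)

def shared_prefixes(names, addresses, prefixlen=24):
    """Group server names by the /prefixlen their address falls in.
    A single group means every server shares one routed segment."""
    groups = defaultdict(list)
    for name in sorted(names):
        net = ipaddress.ip_network(f"{addresses[name]}/{prefixlen}", strict=False)
        groups[str(net)].append(name)
    return dict(groups)

def assess(parent_ns, zone_ns, addresses, prefixlen=24):
    """Findings in the spirit of RFC 2182: the delegation must match the
    zone's own NS set, and the servers must not share one network segment."""
    findings = []
    only_parent, only_zone = ns_mismatch(parent_ns, zone_ns)
    if only_parent or only_zone:
        findings.append(f"NS mismatch: parent-only {only_parent}, zone-only {only_zone}")
    groups = shared_prefixes(parent_ns | zone_ns, addresses, prefixlen)
    if len(groups) == 1:
        (net,) = groups
        findings.append(f"all servers in {net}: single point of failure")
    return findings

if __name__ == "__main__":
    for finding in assess(PARENT_NS, ZONE_NS, ADDRESSES):
        print(finding)
```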
