Akamai DNS Outage Messes up Net
katre writes "Checking all my favorite sites this morning, I saw that about half a dozen seem to be offline. Trying to figure out why, I found an interesting article on the front page at http://isc.incidents.org/. Seems that the problems at Akamai are screwing over Yahoo, Google, Microsoft, Fedex, Xerox, Apple, and others. Whatever happened to my decentralized net with no single point of failure?"
I'm definitely not a technical guru... (Score:5, Interesting)
Re:I'm definitely not a technical guru... (Score:5, Insightful)
Re:I'm definitely not a technical guru... (Score:5, Informative)
Re:I'm definitely not a technical guru... (Score:5, Interesting)
I realise that some jobs are much more impractical when there is downtime, but not everybody even here on
Re:I'm definitely not a technical guru... (Score:5, Interesting)
Re:Interesting... (Score:5, Funny)
(Apologies to whomever I'd seen that from before.)
Re:Interesting... (Score:4, Funny)
Re:Interesting... (Score:4, Informative)
You are also confusing their cache servers with their DNS servers. They're completely different.
Akamai does use *some* win servers (Score:4, Informative)
Re:Uh (Score:3, Interesting)
Re:Uh (Score:5, Insightful)
It is misleading to refer to the box as a "Linux" box. Was it really the kernel that was at fault for the machine being cracked, or was it a bug in one of the daemons that the machine was running? There are differences between a Linux box that runs BIND and another that runs EZ-DNS (or whatever).
How about this: Instead of labelling the Akamai boxes that have problems as "Linux" boxes, label them as "BIND" boxes, or whatever DNS server it is that it runs. Perhaps there's a FreeBSD machine in there that is having similar problems.
It is allowable, though, to refer to a Windows box as just that. MS ships an all-in-one product, and seldom do admins use Windows to run BIND, Apache or other OSS servers.
All of this hand-wringing in an effort to paint "Linux" as bad, or as "just as bad" is dopey. One might as well point a finger at the administrator of the machine that was hacked, the services that were running on it, etc. Most Windows problems are caused by the same thing too. It is wiser to point at the admin (and the services one chooses to run) than to point at the OS, or the kernel.
Re:I'm definitely not a technical guru... (Score:5, Insightful)
*Live* and *work* are two entirely different things. I could not get any of my work done with network access.
Re:I'm definitely not a technical guru... (Score:5, Funny)
Errr, obviously I mean without network access. Although I'd spend less time on Slashdot so perhaps I can't get my work done with network access.
Re:I'm definitely not a technical guru... (Score:5, Insightful)
F'real. To think, they [barnesandnoble.com] did [barnesandnoble.com] all [barnesandnoble.com] that [barnesandnoble.com] even before the Altair was a twinkle in Ed Roberts' jockey shorts!
Re:I'm definitely not a technical guru... (Score:5, Funny)
Offline working can be surprisingly productive
Because that means then you aren't on slashdot?
er....brb, I should probably get back to work.
Re:I'm definitely not a technical guru... (Score:5, Insightful)
Anyways, putting both DNS records on the same point of failure breaks standards. These companies deserve to be hit hard (PR-wise) for not building a robust network.
Re:I'm definitely not a technical guru... (Score:4, Insightful)
Re:I'm definitely not a technical guru... (Score:3, Interesting)
Re:I'm definitely not a technical guru... (Score:5, Insightful)
"DNS was not quite designed in such a way" (Score:5, Insightful)
DNS was designed to be robust enough. Not one root server but many (ok, that's the weak point, we've all seen many DDoS against them, but it's not THAT bad). All zones are handled by their own servers, and (in theory) multiple servers for each zone. All in all, it's not a bad design.
If what happened was that someone put all the servers behind one link, it's not DNS' fault, the BOFH there screwed up (and considering it's akamai, they should not have done that).
(If that's not what happened, sorry, I couldn't RTFA, it's slashdotted or there's some sort of DNS problem there too).
novell and dns... (Score:4, Insightful)
One of the neat things was the log screen that showed DNS actions and you could follow the trail of DNS requests to see how they were resolved. What makes this not O/T is that I believe that this went into a log.
The reason that I think about that is, if DNS stopped working, I'm not sure that I have cached numbers that I could easily get to....
eric
Doesn't work that way any more (Score:3, Insightful)
Unless the server that lives at IPaddress W.X.Y.Z only hosts 1 server, and that server has its documents in the server root folder. Most webservers any more use virtual name services to map HTTP requests to the right "web server" and set of documents.
My personal server runs 7 domains with 12 or 13 sites. Some have real docroot folders, some use the default "you aren't looking in the right place" set of docs. But using an IP address to access a web site probably won't work in these days of many servers
Re:I'm definitely not a technical guru... (Score:5, Informative)
Go to your favorite DNS lookup page [dnsstuff.com] and look up the akamai hosted site. (getting the real address rather than the akamized version) Now open your hosts file and add that in.
Now you will always get the non-akamized version of that site. Akamai problem solved.
I keep google in my hosts just so I can be sure that DNS issues like this won't cut me off from my favorite search engine.
Re:I'm definitely not a technical guru... (Score:4, Funny)
add esignal too (Score:3, Insightful)
hope the al quedas aren't taking notes on this..
Well . . . (Score:5, Insightful)
It's still there, and you're using it. The only organizations affected by this are those who chose to use a service that acts as a single point of failure.
Re:Well . . . (Score:5, Insightful)
It's still there, and you're using it. The only organizations affected by this are those who chose to use a service that acts as a single point of failure.
You said it brother (and beat me to the punch). This is a clear talking point for anyone who is attempting to justify avoiding a monoculture. When you bring up Microsoft, around which revolve a number of good examples of the dangers of monoculture, you risk the debate turning political and will almost certainly be discounted as a Linux/Apple/Unix zealot by at least some in the listening audience. It is very worthwhile to have other examples besides Microsoft and cotton when explaining the risks.
Re:Well . . . (Score:3, Insightful)
Sure sounds like a single point of failure to me.
</sarcasm>
Root servers not decentralized? (Score:5, Insightful)
The root nameservers are the most obvious example...
The most obvious example? The fact is that there are 13 of them, in widely scattered locations across the globe, and it's not decentralized?
Damn man, what exactly would you consider "decentralized" then?
Root servers go down all the time. It's not particularly unusual. There's THIRTEEN of the things. Up to 8 have been down at once with no major effects on the network, IIRC.
Re:Root servers not decentralized? (Score:5, Interesting)
Damn man, what exactly would you consider "decentralized" then?
Akamai has 13, in widely scattered locations, as well. That in itself doesn't make them sufficiently decentralized.
The reason the root servers don't have this problem is that they don't all run the same software (anymore) and aren't all administrated by the same people.
I'm making an assumption here, of course, but I will not be a bit surprised if it turns out that Akamai loaded something that hit all their routers at once.
Re:Root servers not decentralized? (Score:5, Interesting)
The root nameservers are not under decentralized political control, which still makes them a single point of failure, albeit a different kind of failure.
Re:Root servers not decentralized? (Score:5, Insightful)
To be truly decentralized not only do we need more than 13 overloaded root servers, but no one entity should be authoritative. How that's done is left as an exercise to the reader.
Missed the point... (Score:3, Insightful)
In this case, Akamai had some sort of major issue. Okay, fine. Fair enough.
But the root servers themselves are a bad example to point to for a "single point of failure". They're not. The root servers, by themselves, are very robust, widely scattered, and any one of them can, in theory, handle the whole load. Admittedly, for the root, that load ain't a heck of a lot by comparison.
Now, the DNS system itself has several thousand single points of failure, depe
Re:Root servers not decentralized? (Score:4, Insightful)
I'm sorry, my friend, but it most certainly does mean decentralized. Here's why:
Decentralized means "having power or function dispersed from a central to local authorities". Each individual top-level nameserver operates entirely independently of the others to the extent that it is capable of remaining completely operational in the absence of the others.
DNS is actually the epitome of a decentralized service--as perfect an example as there comes. Assuming it is implemented as prescribed in the RFCs, there is no single point of failure (an incorrectly implemented DNS system is not the result of a poor design, it's the result of poor implementation--you can't blame DNS).
There are 13 totally and completely independent top level servers. The only thing that ties them together (in a practical sense) is that they speak the same protocol and synchronize with each other if possible. All top-level domains have at least two nameservers (generally much more), and all second level domains are required to have at least two authoritative nameservers as well. If any one of these servers in the whole chain fails at any time, the others will pick up the slack--it's part of the protocol.
Implementing this service correctly such that no failure will take down your own domain is left as an exercise for you. It's your domain and your nameserver. You're responsible for ensuring that it works. The "system" correctly assures that each one of your own nameservers will be queried until one responds. If you take all of your own nameservers offline, there's obviously nothing that the DNS system can do to help you. That's what Akamai's problem was. Don't blame DNS.
Whatever happened to my decentralized net? (Score:5, Funny)
Whatever happened to my decentralized net with no single point of failure?
It's there. Get out your old Usenet reader. See, you still have your porn.
points of failure (Score:5, Interesting)
I think everyone has several "single" points of failure -- my cable modem dies at least twice a month and my wireless router conks out at least twice a day
Re:points of failure (Score:3, Funny)
Re:points of failure (Score:3, Interesting)
Clear your cache (Score:5, Informative)
If you clear your cache, you will probably get the new entries, unless your ISP hasn't caught onto the problem yet.
Re:Clear your cache (Score:5, Informative)
ipconfig
Re:Clear your cache (Score:5, Informative)
lookupd -flushcache
ok (Score:3, Funny)
Good morning, Mr. Gore. (Score:5, Funny)
How ya doin', Al?
Re:Good morning, Mr. Gore. (Score:3, Insightful)
Al Gore was talking about creating *legislation* that helped foster the Internet.
Why do Conservatives bitch to high hell when anything they say is taken out of context, but repeat dumb quotes by Liberals out of context for years and years?
Maybe they should stop worrying so much about people who haven't had a political job in 4 years and worry about the people who do have important jobs now and are doing them so amazingly badly.
Re:Good morning, Mr. Gore. (Score:4, Funny)
Re: Good morning, Mr. Gore. (Score:5, Funny)
In Soviet Russia the world revolves around YOU!
"He's sick of the jokes boys. Let's shut 'em down." -- Chief Wiggum
Ironically... (Score:5, Informative)
Having an 'incident' of their own... (Score:3, Funny)
Single point of failure (Score:5, Funny)
Hmmm (Score:5, Funny)
Whatever happened to your decentralized net? (Score:5, Insightful)
Too bad even the term P2P raises so many red flags with certain Associations of America.
Re:Whatever happened to your decentralized net? (Score:5, Informative)
They have a private cached network they sell access to. It's like taking a service road around crowded highways to get closer to the final destination.
One of the companies I used to work for used Akamai, nice network... not so great customer service unless you are a really big customer.
2nd time in a month (Score:5, Informative)
DNS issue... (Score:4, Insightful)
Re:DNS issue... (Score:5, Funny)
I'll be at 127.0.0.1 until this blows over.
related to linux kernel DoS exploit? (Score:4, Interesting)
Re:related to linux kernel DoS exploit? (Score:5, Funny)
I am now trying to send the porn but the mail server is unreachable.
Yahoo (Score:3, Funny)
my failure (Score:3, Funny)
My central point of failure...
Performance vs reliability (Score:3, Interesting)
Re:Performance vs reliability (Score:3, Funny)
You really can have both!.. have you tried Viagra [sildenafil.com]?
Lack of notification (Score:5, Interesting)
Are these guys so convinced of their omnipotence and indispensability that they don't feel the need to communicate with the world about what is going on?
sPh
Re: (Score:3, Interesting)
Re:Lack of notification (Score:4, Funny)
Yeah, they should post a notice on their web page, saying their internet connection is down. Bastards.
Re:Lack of notification (Score:3, Insightful)
Shame that. Might warrant a blurb tonight on the news, but it certainly won't dislodge the scroller that has the most recent body count in it, and probably no "this just in" by the talking heads.
I'm surprised... (Score:5, Funny)
Well, it wasn't out for that long ... (Score:4, Informative)
Pwned by CNAME to Akamai?
(You can't have CNAME records for the base domain, hence google.com would have had an A record instead, whilst www.google.com would have been a CNAME to akamai)
can we figure out... (Score:4, Funny)
(come on, it's funny. at least I didn't suggest blaming SCO...)
Akamai is evil! (Score:3, Insightful)
Lack of multiple points of failure (Score:5, Insightful)
"Well, Akamai has a few million DNS boxes, if we put everything there we'll be fine! That's not a single point of failure!"
Yeah, about that... multiple vendors may have been a good idea in retrospect instead of just one monolithic provider.
Time to re-examine the definition of Single Point of Failure.
You know... (Score:5, Funny)
Let's see so far today.. We had a report on Yahoo... They're down. A report to a virus linked to Symantec.. they are up and down. We always link to Google, they are having problems... wooo. Now we just need another patent from Microsoft to bring them down... which by my records shouldn't be too long.
Comment removed (Score:3, Insightful)
Need my Xerox fix! (Score:5, Funny)
Checking all my favorite sites this morning...
Microsoft, Xerox and FedEx are some of my favorite sites too! But due to the outage I'm stuck slumming it here on Slashdot...
We fixed it quick (Score:5, Funny)
We also developed a new DNS protocol in the process. ESEDOIM: Extremely slow encrypted DNS over instant messenger. Who wants to write an RFC?
Re:We fixed it quick (Score:5, Funny)
Akamai (Score:3, Informative)
For those that were wondering why it would affect DNS; Akamai somehow tinkers with DNS and BGP to redirect content to their edge servers.
As for Akamai being outdated, it still seems to me that it's a good idea for Yahoo and some of the high traffic sites on the net. Akamai has thousands of distributed servers colocated with ISPs and NAPs. And they do seem to absorb nasty bursts in traffic (i.e. Star Report) better than a centralized server farm. But for their own sake, they better hope to not have another repeat of today's events.
Akamai's DNS black magic (Score:5, Interesting)
It's not like a092156fg.akamai.net is in Seattle and k1039665.akamai.net is in Saskatoon. Instead, all of *.akamai.net goes to whatever cluster is "closest" to the requesting IP (based on BGP, Colonel's Secret Recipe, etc)
So if Akamai's DNS gets screwed up, I would expect major weirdness. And as more sites join EdgeSuite (where you host your entire domain on Akamai's servers & DNS) the effect must magnify. Of course, I could be completely wrong. I'm not a routing god, just a guy who thinks Akamai is a cool hack.
NANOG Postings (Score:5, Informative)
From here neither www.google.com, nor www.apple.com work. Both seem to return CNAMES to akadns.net addresses (eg, www.google.akadns.net, www.apple.com.akadns.net), and from here all of the akadns.net servers listed in whois are failing to respond.
I wonder (Score:3, Interesting)
This would seem an obvious solution. You are allowed to have many nameservers you know...
Success considered harmful? (Score:4, Insightful)
If a product or service, such as Akamai, does their job very well, everybody will want to use them. If everybody uses them, you create a single point-of-failure. Any design flaw in that product or service becomes a disaster, simply through volume. Does this mean a successful product or service can actually be a bad thing for people?
Other examples include just about anything from Microsoft, older versions of Sendmail and BIND (worm-of-the-week problem), and Firestone tires.
(I'm not trying to advocate communism, excessive government regulation, or anything like that. So fanatical libertarians, conspiracy theorists, etc., can put down the rant-o-matic flamethrowers.)
Comments?
Correction (Score:4, Insightful)
Point of Failure (Score:3, Funny)
Here's the Answer (Score:3, Funny)
You didn't pay the rent.
I noticed this problem this morning and 1st thing (Score:3, Insightful)
I tried pinging google and I was getting a reply so my first thought was, there is something terribly wrong at verizon DSL. I must make the most of what fragmented connection I have now before it's down all day and I'm stranded actually doing work.
That's when I started opening every story on slashdot's homepage in different tabs and setting them all to threshold 3, threaded... Just in case.
Come to think of it, I'm going to change my slashdot bookmark from slashdot.org to 66.35.250.151 just in case of DNS failure.
Need my SlashCrack
Luckily it's 99.45% shit to begin with. (Score:5, Funny)
Dogpile (Score:3, Interesting)
I wonder if Google will now turn to fully manage all their assets themselves...
Tech details (Score:5, Informative)
Since a great many big name sites use Akamai, this effectively made large parts of the Internet unreachable. The destination servers themselves were up, but clients were unable to turn names (like www.example.com) into network addresses (like 192.0.2.42).
As Akamai maintains dozens, if not hundreds, of DNS servers across the globe, it is extremely unlikely that this was due to a normal equipment failure or DoS attack. Some kind of internal system trouble is much more likely. Whether a deliberate attack, or an accident, is unknown to me at this time. It could just be an internal configuration change that blew up in a really bad way. Sh*t happens.
I do not know if this was just an Akamai DNS problem, or if other Akamai services were also affected.
Due to the way Akamai is usually implemented, it happened that, in many cases, the second-level domain names (like example.com) worked, but subdomains (like www.example.com and mail.example.com) did not. This is because most organizations put in CNAME records (pointing to names in *.akadns.net) for the subdomains. You cannot use a CNAME record for a domain that has other records, though, so most domains still had traditional A records, on their own nameservers, at the second-level.
The following sites/organizations are known to use Akamai: Yahoo, Google, Microsoft, Altavista, FedEx, Xerox, Apple
Reminds me of a story (Score:5, Interesting)
Being a geek, I thought up a list of about 30 sites to ping, scattered across the US. (.govs and
I freaked out a bit when the mid-atlantic seaboard came up missing. I crossed my fingers hoping that it was just some idiot who'd accidentally cut one of the main fibers (which is what it ended up being) and not that Washington DC was now a big hole in the ground.
From Akamai's Page (Score:4, Informative)
How Sites are Coming Back Online (Score:5, Informative)
Google pulled references for Akamai's DNS servers a short period ago. They are presently serving their own DNS requests.
Also:
People seem to be getting around this by changing their DNS entries.
E.g. www.yahoo.com always used to be a CNAME for www.yahoo.akadns.net. But now:
# host www.yahoo.com
www.yahoo.com is an alias for www.dcn.yahoo.com.
www.dcn.yahoo.com has address 216.109.118.64
www.dcn.yahoo.com has address 216.109.118.65
www.dcn.yahoo.com has address 216.109.118.66
www.dcn.yahoo.com has address 216.109.118.67
www.dcn.yahoo.com has address 216.109.118.68
www.dcn.yahoo.com has address 216.109.118.69
www.dcn.yahoo.com has address 216.109.118.70
www.dcn.yahoo.com has address 216.109.118.71
www.dcn.yahoo.com has address 216.109.118.72
www.dcn.yahoo.com has address 216.109.118.73
www.dcn.yahoo.com has address 216.109.118.74
www.dcn.yahoo.com has address 216.109.118.75
Which is owned by Yahoo! (via HotJobs.com).
Whatever happened to my decentralized net... (Score:4, Insightful)
Outsourcing and consolidation.
LK
Hmm . . . (Score:3, Interesting)
Hmmm, corporate whore much? Slashdot, Debian and my own two sites seem to be working just fine. Maybe the sites you choose to visit just don't get the 'net and its decentralized nature.
it's like your rights, you can sign them away (Score:3, Interesting)
as I understand it, akamai is a distributed content hosting/caching service that also does DNS server services. they put a blade in your local ISP under contract, and popular pages from their customers serve off the local akamai server cache. they handle the DNS for those sites as I understand. if their blade caches get fed evil data, you get evil data, and www.fartblossom.org may disappear.
you can kill DNS by screwing up your own router, too. lots of ways to kill a distributed service that requires everybody to cooperate on a common set of standards and parameters.
Created SPoF (Score:5, Interesting)
The problem is that those sites created their own single point of failure by all using Akamai for DNS. When Akamai DNS fails, sites that depend on it for their own DNS fail.
It used to be nearly impossible for this to happen. The original rules for DNS were that you had to have at least 2 nameservers for your domain, preferably 3 or more, and they couldn't be on the same physical networks. With that rule having a single network go down rarely made any domain unresolvable (backbone networks whose outages could render dozens or hundreds of other networks unreachable being the exception). Maybe we should put the old nameserver-diversity rules back into place.
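The dependency described in the "Tech details" and "Created SPoF" comments, as an added example that is not part of any comment in this thread: it follows a CNAME chain to list every zone that must answer for a name to resolve, then applies the "at least 2 nameservers, not on the same network" rule to each zone. All zone names, nameservers and addresses are constructed, and treating a shared /24 as "same physical network" is an assumption.

```python
import ipaddress

# Constructed sample data (documentation addresses, not real DNS answers).
# zone -> {nameserver name: IPv4 address}
ZONE_NS = {
    "example.com": {"ns1.example.com": "192.0.2.10",
                    "ns2.example.net": "198.51.100.10"},
    "cdn-dns.example": {"a.cdn-dns.example": "203.0.113.5",
                        "b.cdn-dns.example": "203.0.113.6"},
}
# name -> (record type, value); www is a CNAME into the provider's zone,
# the bare domain keeps an A record on the organization's own nameservers.
RECORDS = {
    "example.com": ("A", "192.0.2.80"),
    "www.example.com": ("CNAME", "www.example.com.cdn-dns.example"),
    "www.example.com.cdn-dns.example": ("A", "203.0.113.80"),
}


def zone_of(name):
    """Return the longest known zone that is a suffix of name."""
    labels = name.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in ZONE_NS:
            return candidate
    raise KeyError(f"no known zone for {name}")


def zones_needed(name, max_hops=8):
    """Follow CNAMEs and list every zone whose nameservers must answer."""
    zones = []
    for _ in range(max_hops):
        zone = zone_of(name)
        if zone not in zones:
            zones.append(zone)
        rtype, value = RECORDS[name]
        if rtype != "CNAME":
            return zones
        name = value
    raise ValueError("CNAME chain too long or looping")


def ns_diversity_issues(zone):
    """Check the 'at least 2 nameservers, not on one network' rule.

    Assumption: sharing a /24 stands in for 'same physical network'.
    """
    servers = ZONE_NS[zone]
    issues = []
    if len(servers) < 2:
        issues.append("fewer than 2 nameservers")
    nets = {ipaddress.ip_network(f"{ip}/24", strict=False)
            for ip in servers.values()}
    if len(nets) < 2:
        issues.append("all nameservers in one /24")
    return issues


def audit(name, down_zones=()):
    """Report whether name resolves with down_zones unreachable, and why not."""
    zones = zones_needed(name)
    findings = {z: ns_diversity_issues(z) for z in zones}
    return {
        "zones": zones,
        "resolves": not any(z in down_zones for z in zones),
        "issues": {z: f for z, f in findings.items() if f},
    }


if __name__ == "__main__":
    for host in ("example.com", "www.example.com"):
        print(host, audit(host, down_zones={"cdn-dns.example"}))
```

With the provider zone marked down, the bare domain still resolves while the `www` name does not, which is the pattern reported during the outage.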
"Caught in a BIND" (Score:4, Informative)
Robert
Re:decentralized DNS is a pipe dream (Score:3, Insightful)
That's not the DNS outage problem -- the site is simply slashdotted.
Re:decentralized DNS is a pipe dream (Score:4, Informative)
Re:Terrorist attacks, anyone? (Score:5, Informative)
Re:decentralized net? (Score:3, Interesting)
Now now. I'm sure most of these people don't actually mean "is the Internet down"; they really mean "is something wrong on your end?", they just lack the technical experience and vocabulary to really understand things.
When a number of sites stop working, it can be for several r
Happy now? (Score:3, Informative)
Updated June 15th 2004 14:31 UTC (Handler: Lenny Zeltser)
Akamai DNS outage
Akamai DNS problem
Starting at around 8:30 am EDT (12:30 UTC), a number of sources started to report a widespread Akamai DNS issue. Large web sites, which use Akamai for its DNS service, no longer resolved. Affected sites are Yahoo, Google, Microsoft, Fedex, Xerox, Apple and likely many others.
At this time (10:30 am EDT), some affected domains removed the Akamai DNS servers and are reachable again usin