Will Vista Overload the DNS?

Jamie Northern writes, "Thanks to new directory software, Windows Vista could put a greater load on Internet DNS servers. But experts disagree over whether we're headed for a prime-time traffic jam or an insignificant slowdown. Paul Mockapetris,inventor of DNS, believes Vista's introduction will cause a surge in DNS traffic because the operating system supports two versions of the Internet Protocol (IPv4 and IPv6). David Ulevitch, chief executive at OpenDNS, a provider of free DNS services, said Vista's use of IPv6 will not disrupt the Internet at large. 'DNS can be improved, but predicting its collapse is just spreading FUD.'"

But without FUD...

There would be no news....

Re:But without FUD...

It is considered insightful to remark that you consider someone else's comment insightful? Without even expounding the slightest on how it was so?

If that is the case, I must say that your pointing out the insightfulness of the GP was in itself quite insightful.

Please mod me up.

one solution comes to mind

just friggin deploy ipv6

Windows IPv6 support

If memory serves, Microsoft had an IPv6 stack for Windows 2000 that you could download from Microsoft's research site. In XP, IPv6 is included, but is disabled by default. A single command enables it. My understanding is that in Vista, IPv6 will be enabled by default.

Honestly, we're going to run out of new IPv4 addresses to hand out in a few years. We need IPv6, and I think Microsoft would be foolish not to enable it by default in Vista.

Re:Windows IPv6 support

we're going to run out of new IPv4 addresses to hand out in a few years.

I agree with you that it'll happen in the long term.

BUT, in the short term, (w/c)ouldn't the shortage be helped by redistributing some of the address floating around unused on Class A & B networks?

It's funny, because some of the arguments made by Class A holders against giving back their block, is that they don't want to spend the time & money and/or go through the hassle of renumbering their networks if the arrival of IPv6 is going to moot the issue.

And of course, nobody wants to spend the money to implement IPv6 unless they have to.

Re:Windows IPv6 support

What you're missing is that the cost of that static address is administration (and pure profit), not rarity. Dynamic IPs on ADSL don't save ISPs all that much IP space. Most people have always-on routers these days, not USB modems, so 80%+ users are always connected. Your dynamic IP isn't NATed, so you might be using up as much as a 1/5th of an IP by buying a static one. Big deal, when that same IP could have been used up by somebody on a cheap entry-level plan that costs only slightly more than your $20/month.

The problem comes with ADSL is that you have to have the IPs to be in the game. You need static IPs for everybody (not because you couldn't NAT, but because users expect a REAL IP) which means a /16 only buys you about 65024 customers. (Some networks don't like you handing out IPs that look like broadcast or network addresses in a /24, so you'd be lucky to use the full 65536 IPs.)

So, even with migration from dialup, usage is going up, and if current trends continue then IP space is going to get rather tight from all the ADSL users.

IPv4 space exhaustion

Why yes, Geoff Huston has analyzed the problem pretty thoroughly:

http://www.potaroo.net/tools/ipv4/ [potaroo.net]

So, we're looking at just under 6 years.

BTW, Geoff Huston is a guru.

Re:one solution comes to mind

IPv6 is going to be forced along by the US Dept of Defense, which is pushing to get its networks on IPv6 within the next couple of years. This will cause much of the rest of the federal government to do the same starting with those agencies that work most closely with the military (such as DHS), which in turn have close working relationships with other agencies and will drag them along. States will be pulled into it as a result of their ties with the federal government, and then local governments will be forced to come along for the ride eventually. With all of these ties in place, more ISPs will start directly supporting IPv6.

Incidentally, IPv6 support has only just been added to the DOCSIS standards with the release of 3.0. However, even by 2011, barely more than half of the nationwide cablemodem infrastructure will be DOCSIS 3.0-compliant under current estimates, and that doesn't mean that the cablemodems themselves will be compliant, as DOCSIS 3.0 is backwards-compatible. I'd go for it now if I could, but somehow I suspect that Time-Warner isn't going to have things ready next month.

Why any different than Linux or MacOS X?

Linux and MacOS X are both capable of having both IPv6 and IPv4 stacks, and in many cases this is active by default. Why would Vista cause any more problems?

If you have a good setup then you will have a lookup cache on your local machine storing both IPv6 and IPv4 addresses for each site. Therefore only one lookup should need to be done.

Re:Why any different than Linux or MacOS X?

> why would there be any more requests than there are now with Windows? After all a single DNS lookup should easily get the AAAA and A address in one shot, unless I am misunderstanding the protocol.

I think you are: you can only request one record type at a time. So you ask either A or AAAA; and given that the rule of thumb is to prefer IPv6 if present, first goes your AAAA and then your A question.
What you _could_ do is ask for the type ANY, which will make the server return everything it happens to know. But then you have no guarantee the info is exhaustive: the server will only give back those records that it already has in its cache; it will not ask the authoritative name server. So then you might miss something.

What generates a lot more DNS traffic than AAAA records is the fact that the world has forgotten that URLs terminate with a trailing dot. If you leave it out, it's a _relative_ URL and the resolver on your machine has to trial-and-error if you perhaps meant it with a dot.

Example: you type www.foo.com in your browser. Your resolver is configured to append bar.org. to relative URLs. Then you'll generate a completely useless request for www.foo.com.bar.org. just to find out it doesn't exist, and then guess the domain www.foo.com. is meant. That depends on your search order and cleverness of your resolver of course, you might as well be lucky and it works out.

Re:Why any different than Linux or MacOS X?

Linux and MacOS tend to be a lot saner about caching behavior, and are often properly configured with a local caching DNS server in more sane setups than the millions of Vista machines expected to be built when Vista is finally released. And as corporate environments switch hundreds or thousands of updated or new machines to Vista, the load on upstream DNS servers, especially the root servers, can be expected to climb quite drastically at some very odd times.

The DNS for Microsoft itself is one of the most vulnerable possibilities: if that goes down for an hour or so, as all the Internet Explorer servers and mis-programmed default Internet Explorer search settings hit microsoft.com for their default web page, those servers are going to take very large loads. And spreading out the load for such hits on the root servers for .com is not a small task: they may have to get services from Akamai to survive the hits.

I'm sure that Microsoft also *hates* having to use Akamai servers for anything, due to Akamai's understandable reliance on Linux for core services.

Insignificant

Well...It should be set to use either ipv4 OR ipv6 correct? Or is it set to use both depending on what network it is interacting with? The amount of traffic will increase but it shouldn't increase to the point of dns servers crashing constantly. The fact that ipv6 is implemented at all is great, because it's time to move forward, but I can't see this putting an excessive load on dns servers.

Re:Insignificant

It probes for ipv6 first, then falls back to ipv4. This is the default setting for many unix systems as well. You usually find your system running slowly, then find a setting for this and turn it off to eliminate the timeout delay.

As for how big a spike it can cause, see this [caida.org] for the effect of Windows' active directory update scheme on the root servers.

This is ridiculous

For a guy who "invented DNS," he sure doesn't seem to have much of a grasp of how the current DNS infrastructure works.

First off, most DNS servers are very lightly loaded. DNS in general doesn't take a whole lot of traffic (relative to other protocols), and most DNS servers are way overpowered for what they need to do.

Secondly, as the article states, Vista is not going to just blindly do two queries, one IPv4 and the other IPv6, for every request. It is a little more intelligent than that (shocking, I know). For systems that don't have an IPv6 address (which will be virtually all of them given the current adoption rate of IPv6), no IPv6 DNS queries will be done at all.

Linux and other Unix-like OSes have supported IPv6 for years, and they haven't managed to kill DNS yet. Most Vista installations, like most Linux installations these days, are going to have IPv6 disabled anyway, so this is not going to have any real impact at all.

Re:This is ridiculous

He works for a company that sells DNS solutions, so obviously he's just trying to scare up some more business.
Regards,
Steve

Re:This is ridiculous

I think you are exactly right. Note how the original article points to an article where Mockapetris claims that DNS servers are going to slow down broadband because they're operating near capacity. Oh, and happily, Nominum (the company he chairs) will provide new, bigger, faster, more scalable DNS solutions for a nominal fee. I wonder if Nominum has had better than nominal business lately. Maybe we can nominate somebody to check into it?

FUD

Only unless the majority of the computing world switches over to Vista in a major hurry - I doubt that even in 2 years the majority of the Windows based pc's will have migrated....

Of course it won't cause an overload

When Vista comes out, it will be introduced gradually compared to the millions of installed Win98/NT/XP systems.

It will take years until/if it reaches considerable marketshare. ISPs have plenty of time to upgrade in the meantime.

Useless to blame this on Vista

This has to do with the necessary gradual migration from IPV4 to IPV6, and has nothing to do with Vista. Besides, only routers that support IPv6 will even route the DNS requests to DNS servers. If we want to switch to IPV6, every OS out there is going to have support both in tandem like this. You can't bitch about the slow adoption of IPV6, and then turn around and bitch again when there are insignificant consequences related to the transition.

Moo

I'm sure Microsoft will have a tool in the Network Setting applet, to upgrade DNS servers to be Vista compatable. If MS has a hand in the DNS servers, it will greatly improve interoperability.

Ahh...

... so that's what FUD stands for! ;)

Complicated mumbo jumbo

That's just a bunch of meaningless technical jargain. They seem to forget that DNS overhead was down by 34% since last year and it's projected to drop by another 20% midway through 2007. So any 'slow downs' as they call them would be soaked up by the rent left from the overhead surplus. yingers

Huh?

Why would Vista overload the DNS system? slashdot.org is already in my local DNS cache anyway...

Brownouts. Right. Egads.

Double the DNS queries are going to do: nothing.

IPV6 is among the most insipid and stupid inventions of all time, allocating a specific address for each atom in the universe (ok, not quite, but close) and does make things ugly. But even with its too-many-octet queries, it's not going to do much damage. Most queries are for LOCAL NETWORK information only. The rest get cached before a demarc point or a tie point.

So, this is much ado about nothing. And Vista isn't a culprit in any event (although I wish I could say it was)-- instead, it's the TWITS THAT BELIEVE THAT IPV6 is a savior.

Ok, I'm better now.

Re:At the risk of further insult....

Ok, then you're way too attached to the old times. Nobody I know gives a damn about a couple percent extra overhead in network traffic (especially when the available bandwidth keeps growing, and my ISP upgrades it for free once in a while), however, everybody loves the idea of getting rid of NAT, having a /48 for themselves, automatic address configuration, and lots of other nice things that come with IPv6. Probably also lower ping times, due to improved routing. I wish they also upgraded the port numbers to 32 bits, but ah well.

IPv6 means your TCP packets will get 20 bytes larger. That means that your downloads will take about 1.5% longer. Oh the horror!

Quite right...

Microsoft needs to understand that the Internets are not something you just dump something on. They're not luck big trucks.

They're like series of tubes. And if they don't understand those tubes can be filled and if they are filled, when you put your message in, it gets in line and it's going to be delayed by anyone that puts into that tube enormous amounts of material, enormous amounts of material.

Mistake in assumption.

Fact not everyone is going to upgrade to Vista overnight. Heck there are still people with 3.1 out there. Or 95 on Brand New Computers. Even if it does put a load on the DNS Server it would rise gradually over time, As people get Vista one at a time. By the time it would be considered a problem the DNS Server will probably just need an upgrade, and it will probably happen when the DNS upgrade is due. Vista is due after the Back To School and Holoday season so all the people who would rush to get the new OS will not as much as they are well trenched in their daily lives. Most mature and "smart" companies will handle the migration slowly to make sure there are no major problems with Vista and many will wait for SR2. Most users will continue using whatever OS they have on their computer until they buy a new one. So this sudden jump in traffice will not happen.

Remove the need for NAT?

From TFA:

As current IPv4 addresses are becoming scarce, IPv6 will provide easier connectivity across the Internet and remove the need for IPv4-addressing schemes such as network address translation, which can require additional management burdens and cause application incompatibilities.

While IPv6 will certainly give us all the IP addresses we'll ever need (until every nanomachine gets one), do we really want to do away with NAT? I've always considering NAT to be a blessing regardless of the scarcity of IP addresses. Not giving every user a public IP is a good idea, and as long as protocols don't try to do something silly like putting the IP address in the Application layer (seriously H323... why?) then NAT should always function as intended. Of course, IPv6 address are 4 times larger (bitwise) so I can see some increase in overhead, but not much.

Re:Remove the need for NAT?

NAT. Has. Nothing. To. Do. With. Security. Period.

With plain NAT and no filter, someone on your outer segment (malicious ISP, hacked ISP, other customers of some cable ISPs, ...) can simply set a route to your LAN via your external gateway. The only thing that helps security is a packet filter - which will work just fine with or without NAT.

Get rid of NAT now, the sooner the better.

Re:Remove the need for NAT?

If you call it "accidental" yourself, it's not security in the first place. That's like "hiding" a flawed service on a non-standard port and calling it secure.

huh?

Now, I'm all for M$ bashing, and I realize that they've made some dumb mistakes in the past, but I mean, seriously... Vista isn't the first OS to support both IPv4 and IPv6... OSX does. Linux does.

I can't imagine microsoft making such a horrible design mistake such as this. Shouldn't it be as easy as checking which protocol is being used before sending a request?

talk about FUD.

Stupid

So, many Internet providers have handled 1000% growths over the last few years, but they can't handle a doubling of DNS load over the time it will take everyone to upgrade to Vista?

Yeah right.

The knee in the curve, mentioned by Paul

When working with response time instead of %CPU, the curve is quite different from what one normally sees.

It starts off level, at some number of milliseconds (mostly the round-trip time) and stays that way until the load hits 100%, then increases rapidly and without bound.

For example, if a lookup takes 1/10 second, it will continue to take 1/10 second until there are 10 requests per cpu per second.

After that a queue builds up, and the requests are delayed. Brutally. At a mere 100 requests/second, the delay is 10 seconds, instead of one tenth.

Now imagine that at the huge loads the DNS servers typically handle.

When someone says "they've hit the knee of the curve", he really means "they're about to fall in the toilet" (;-))

--dave

Overload

Toaster: "Well lets just hope you don't get an overload..."
Holly: "What if I do get an overload..."
Toaster: "You'll explode!"

Vista doesn't do harm....

Vista doesn't overload DNS servers....people overload DNS servers.

A few more comments...

It's also worth pointing out that while Vista might come out on a single day it won't be rolled out in a single day -- it'll take months to years to rollout.

So even if there is an increase in DNS load because of the AAAA before A DNS requests it won't cause rolling blackouts or major network failures.

FWIW, we see about 20% of our requests as AAAA requests. I don't have the number of those that are retried as A requests but I'd guess it's pretty high since we aren't (yet) listening on IPv6 interfaces. We do support AAAA dns requests, of course.

-david

I have a solution

Take the average and use IPv5. :-) IPv5 don't get no love.

Mac users sigh.

Although Vista will more likely be widespread, I hope everybody realises that IPv6 was implemented in OSX quite some time ago. Or is Vista's implementation different somehow?

complete rubbish

i did wonder why my win2k DNS server went down right after installing Vista RC1?????...... oh wait no it didn't

the FUD to Reality ratio of this story is very high indeed... actually 99% FUD.

Vista will not even make IPv6 DNS requests unless you have an IPv6 address for the machine.

Non-news?

And there was one guy who said the introduction of Windows XP and its raw sockets API would allow programs to "generate the most damaging forms of Internet attacks." [grc.com] And we all know that the Internet fell apart because of that, right?

FUD.

How IPv6 DNS works.

Nobody seems to understand how IPv6 DNS works.

First off, when your box asks for any address from your dns server, the dns server hits the public internet root name servers and gets the Start of Authority (SOA). This tells your dns server (or you if you wanna set up one locally) where to get DNS information for that domain. None of that changes with IPv6.... NOTHING. It can still make all of those requests over IPv4 and it doesnt' matter and it will never duplicate the requests.

Now that your dns server knows where to get the zone file for that address it goes and gets it from the SOA. If both IPv6 and IPv4 are supported then you'll have a main A record and main AAAA record (quad A) in that zone. Which ever one comes first should be the one that is honored, this is so that the people who own the domain can specify if they prefer you to use IPv6 or IPv4 (Note: WindowsXP has a bug in which it ALWAYS uses the IPv4 address if one exists).

So the increase in traffic is only between you and your dns server if the dns server is configured to get the entire zone file and not just query for a single entry (this is the proper way to configure a dns server that intends on supporting IPv6 because if you don't get the entire zone file then you don't know which protocol to prefer, it's also just a good idea and you should be getting the zone's TTL and honoring at well -- I'm anal about this by the way). If your dns server is configured to query for each entry then the traffic is only between that dns server and the start of authority. So this will not increase the load on the world wide traffic to root name server AT ALL.

Oh noes...

So lets see if I'm understanding this right. Dude who sells DNS server software, is saying that an extra DNS query now and then is going to cause 'massive slowdowns'.

Maybe in user interaction. Perhaps, once IPv6 is used now and then, that second dns query will cause an extra 100 ms delay on top of the first 100 ms delay for the first dns query.. causing a human-noticeable slowdown after clicking a link.

This is a slowdown due to round trip times, not because of bandwidth or processing limits. More sequential round trips = more latency. Nothing new. And the second time you visit a given site? It's cached, no round trip at all. So yes, people might, maybe, kinda notice a difference.. on the first visit to a given website on a given reboot of their computer.

But I don't think an extra lookup will be a huge inconvenience even given the sorry state of ISP dns servers(Which, in my experience, aren't that bad unless they can't look up an address. Timeouts are are bad, mmkay? The correct response is nxdomain, not 'server did not respond' 'lets try the next!' 'server did not respond'.....

ipv6

Ubuntu has ipV6 too (and it causes headaches for end-users). So what? Is it M$' fault that their OS is popular (more computers probing ipV6 stuff)? Would we see the same news if Ubuntu was the popular thing? I'm probably missing something crucial...

Article is stupid

The author of the article is just finding an excuse to hit against Vista. I'm no where defending Vista, but we DO need to move into IPv6 and the only way to do that is to overcome this hump.

Obligatory

I for one, welcome our new DNS overloads!

Never happy...

Come on, it's about time Windows adopts IPv6. We would criticize Vista if it didn't, and as it does we criticize it for it anyways. I'm as pro-M$ as the next /.er but sometimes part of the geek crowd won't even let M$ a chance.

SlashFUD

This just in: Windows Vista will eat your babies! When questioned about this controversial new "feature," the spokesman from Microsoft cackled nefariously while scheming how to bring and END TO COMPUTING AS WE KNOW IT!

Stay tuned for our coverage of how to completely root Vista RC1 using only a TI-82 graphing calculator, and $500 of everyday electronic components.

Experts Agree: This is BS

This is Dan Kaminsky, from the article.

Here's what I threw on my blog on this matter. Note, the fact that this got presented as even a debate annoyed me enough to start posting on my site again.

--

Paul Mockapetris says Vista is going to take down the Internet's DNS infrastructure. Paul is the inventor of DNS; I met him at Black Hat last year and was half starstruck, half relieved he didn't hate me for the things I'd done to his creation :) Paul knows DNS. It's his creation. But you'll note in this story that Joris Evers can't actually find anyone who agrees with Paul.

There's a reason.

First, while there are indeed a couple underprovisioned name servers, there's far more that have lots and lots of slack capacity. You need slack capacity to deal with shock load. The networks that would fail because of Vista's release, would fail because of a three day weekend.

Second, Vista's not getting deployed all at once. This is no service pack that's deployed to a hundred million desktops via Windows Update! Mockapetris is correct in that there will be a noticable increase in DNS traffic, but that increase will be spread out over the course of a couple years. Slow increases like this tend not to cause the sort of catastrophic failure that Mockapetris refers to.

Finally, and most importantly (in the sense that Mockapetris should know better): Most of the work done to service the IPv6 request, is cached and available to service the IPv4. To complete a DNS lookup, you have to locate a particular server, known as the authoritative server for a domain. The same authoritative server that hosts the IPv6 (AAAA) record also hosts the IPv4 (A) record. So even if Vista sends twice the traffic, the upstream nameserver is certainly not experiencing twice the load.

Full disclosure: Microsoft has had me looking at Vista for much of this year, as part of their "Blue Hat Hacker" external pen-testing squad. But then, Mockapetris has written a really impressive name server for his company, Nominum, that can handle about 4x the load of BIND. But this isn't about who we are; it's about what is or isn't going to collapse. There are things to worry about. This isn't one of them.

As rarely as I can say it...

As rarely as I can say it, MS seems to be doing EXACTLY what should be done. In fact this could be the tipping point that moves us from IPv4 to IPv6. With 95% of the worlds desktops using IPv4 exclusivly, it made no sense worrying about IPv6 in the routers, and it would have been suicide to go to a pure IPv6 implementation. With Vista, most people will, in a few years, upgrade to Vista, switch to Linux or OSX, or be ready to accept being cut off from direct access to the internet. That means that 95% of the worlds desktops with be IPv6 first and formost, and ISPs can confidently move to an IPv6 backbone without fear of cutting off their customers.

Either way, I don't think that NAT is dead. It might change form a bit, but those in control of the numbers are not likely to just start giving them away, just because they have an over abundence of them any more than the Media Barons just give out music just because they have an over abundance of copies of that.

Remeber 2002

Didn't we get this thing tested in 2002. Haven't we learned anything? or has it all been forgotten?

http://www.internetnews.com/dev-news/article.php/1 486981 [internetnews.com]

Even when Vista comes out it won't have instant effect on the over all system, but the load will grow in time and the system will have to be customed for that.

So it SUPPORTS a standard, and that's bad?

IPv6 has been waiting in the wings for how long? Why? More hardware, software, and routers need to support it. Now, MS comes along and supports it. This is reported as bad?

What can they do that won't get negative commentary on /.? I'm not a fan of MS overall, and prefer linux on my servers -- but c'mon people.

Overload the DNS?

Before freaking out. Look at their algorithm.

From TFA:
"""For example, Microsoft designed Vista so PCs will query in the address of the type assigned to the system, the company said.

Computers that don't have an IPv6 address will not do IPv6 queries, the company said.

Also, when a machine does do an IPv6 query, it will do so only to a DNS server that responded to its initial IPv4 query, the company said. "Name errors are not repeated, so the Net traffic will less than double," it said."""

Oh noooo

Not the series of tubes, noooo!

Not the real problem

A friend of mine sent this to me this morning when we were discussing this:

"I manage the operation of about 70% of the world's root DNS servers, and run authoritative TLD servers (mostly secondaries) for about 30% of the world's TLDs (mostly CCtlds). We measure carefully.

IPv6 isn't even 0.01% of the total, and doesn't matter.

The real load on name servers comes not from IPv6 but from Windows machines flooding the world with RFC1918 in-addr requests and with lookup requests in the .LOCAL TLD. The last time I looked, about 40% of the traffic to global name servers was this bogus windows shit. If Vista fixes that, then its release will be a net positive.

We started and sponsor the AS112 Project ( http://public.as112.net/ [as112.net] ) to try to mop up some of the Windows mess. No one believes that we'll need to extend it to IPv6, but we're paying attention."

He is of course right, the nonsense windows does has been a problem for years.

FUD about M$ for a change

It is interesting that this particular FUD is pointed at Microsoft.

Deja vu

This reminds me of Steve Gibson's predictions that the 'Raw Sockets' capability of Windows XP would bring the Internet to a standstill.

Re:Free Rides

Microsoft should pay the existing, independent DNS server operators to subsidize scaling for the traffic their products create. MS is making $BILLIONS off the Internet; they should reinvest more in its infrastructure.

Senator Stevens, is that you?