Will Vista Overload the DNS?
Jamie Northern writes, "Thanks to new directory software, Windows Vista could put a greater load on Internet DNS servers. But experts disagree over whether we're headed for a prime-time traffic jam or an insignificant slowdown. Paul Mockapetris, inventor of DNS, believes Vista's introduction will cause a surge in DNS traffic because the operating system supports two versions of the Internet Protocol (IPv4 and IPv6). David Ulevitch, chief executive at OpenDNS, a provider of free DNS services, said Vista's use of IPv6 will not disrupt the Internet at large. 'DNS can be improved, but predicting its collapse is just spreading FUD.'"
But without FUD... (Score:4, Funny)
Re: (Score:3, Funny)
Although I must concede your point and would have modded it up if it wasn't already a +5.
Re: (Score:2, Insightful)
Re: (Score:2)
Re:But without FUD... (Score:5, Funny)
If that is the case, I must say that your pointing out the insightfulness of the GP was in itself quite insightful.
Please mod me up.
Re: (Score:3, Insightful)
Plus I disagree. This is the most insightful comment.
one solution comes to mind (Score:5, Insightful)
Re: (Score:2)
Windows IPv6 support (Score:5, Interesting)
Honestly, we're going to run out of new IPv4 addresses to hand out in a few years. We need IPv6, and I think Microsoft would be foolish not to enable it by default in Vista.
Re: (Score:2, Informative)
Re: (Score:3, Informative)
You don't need a "pure IPv6 network".
You can give private IP addresses [faqs.org] (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) to users' computers for talking with your recursive DNS servers.
They can use IPv4 to talk to your DNS server, and IPv6 to talk to the Internet (or anyplace else they need a globally unique IP address).
Of course, you'd need to use non-Microsoft software o
Re:Windows IPv6 support (Score:5, Insightful)
BUT, in the short term, (w/c)ouldn't the shortage be helped by redistributing some of the addresses floating around unused on Class A & B networks?
It's funny, because some of the arguments made by Class A holders against giving back their block, is that they don't want to spend the time & money and/or go through the hassle of renumbering their networks if the arrival of IPv6 is going to moot the issue.
And of course, nobody wants to spend the money to implement IPv6 unless they have to.
Re:Windows IPv6 support (Score:4, Insightful)
The problem that comes with ADSL is that you have to have the IPs to be in the game. You need static IPs for everybody (not because you couldn't NAT, but because users expect a REAL IP) which means a
So, even with migration from dialup, usage is going up, and if current trends continue then IP space is going to get rather tight from all the ADSL users.
IPv4 space exhaustion (Score:4, Informative)
http://www.potaroo.net/tools/ipv4/ [potaroo.net]
So, we're looking at just under 6 years.
BTW, Geoff Huston is a guru.
Re: (Score:2)
Re:one solution comes to mind (Score:5, Interesting)
Incidentally, IPv6 support has only just been added to the DOCSIS standards with the release of 3.0. However, even by 2011, barely more than half of the nationwide cablemodem infrastructure will be DOCSIS 3.0-compliant under current estimates, and that doesn't mean that the cablemodems themselves will be compliant, as DOCSIS 3.0 is backwards-compatible. I'd go for it now if I could, but somehow I suspect that Time-Warner isn't going to have things ready next month.
Why any different than Linux or MacOS X? (Score:5, Informative)
If you have a good setup then you will have a lookup cache on your local machine storing both IPv6 and IPv4 addresses for each site. Therefore only one lookup should need to be done.
Re: (Score:2, Insightful)
Because Vista is going to be used by about a couple hundred million more people than Linux/OSX. Even if there is no real threat, it's worth it just to investigate and make sure.
Re: (Score:3, Insightful)
Maybe I should ask the question differently: why would there be any more requests than there are now with Windows? After all a single DNS lookup should easily get the AAAA and A address in one shot, unless I am misunderstanding the protocol.
Re:Why any different than Linux or MacOS X? (Score:5, Informative)
I think you are: you can only request one record type at a time. So you ask either A or AAAA; and given that the rule of thumb is to prefer IPv6 if present, first goes your AAAA and then your A question.
What you _could_ do is ask for the type ANY, which will make the server return everything it happens to know. But then you have no guarantee the info is exhaustive: the server will only give back those records that it already has in its cache; it will not ask the authoritative name server. So then you might miss something.
What generates a lot more DNS traffic than AAAA records is the fact that the world has forgotten that URLs terminate with a trailing dot. If you leave it out, it's a _relative_ URL and the resolver on your machine has to trial-and-error if you perhaps meant it with a dot.
Example: you type www.foo.com in your browser. Your resolver is configured to append bar.org. to relative URLs. Then you'll generate a completely useless request for www.foo.com.bar.org. just to find out it doesn't exist, and then guess the domain www.foo.com. is meant. That depends on your search order and cleverness of your resolver of course, you might as well be lucky and it works out.
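The query sequence described in the comment above, as an added example that is not part of the original thread: it builds RFC 1035 query messages (one question, one record type each) and lists what a dual-stack stub resolver would send for a relative versus an absolute name. The search-list ordering is modelled on the resolv.conf `ndots` convention, and the zone contents, `ndots` values and function names are assumptions made for illustration.

```python
import struct

QTYPE = {"A": 1, "AAAA": 28}                 # RFC 1035 / RFC 3596 type codes
QTYPE_NAME = {v: k for k, v in QTYPE.items()}

def encode_name(fqdn):
    """Encode an absolute name as length-prefixed labels ending in the root label."""
    out = b""
    for label in fqdn.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(fqdn, rtype, txid):
    """One DNS query message: 12-byte header plus a single question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1, QDCOUNT=1
    return header + encode_name(fqdn) + struct.pack("!HH", QTYPE[rtype], 1)  # class IN

def parse_question(msg):
    """Return (qdcount, qname, qtype) from a query built by build_query."""
    qdcount = struct.unpack("!H", msg[4:6])[0]
    pos, labels = 12, []
    while msg[pos]:                           # walk labels until the root label (0)
        n = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    qtype = struct.unpack("!H", msg[pos + 1:pos + 3])[0]
    return qdcount, ".".join(labels) + ".", QTYPE_NAME[qtype]

def candidates(name, search, ndots):
    """Names a stub resolver tries, in order, for what the user typed."""
    if name.endswith("."):
        return [name]                         # absolute name: no guessing
    suffixed = [name + "." + s.rstrip(".") + "." for s in search]
    absolute = [name + "."]
    # Assumed rule (resolv.conf style): enough dots -> try as-is first,
    # otherwise walk the search list first.
    return absolute + suffixed if name.count(".") >= ndots else suffixed + absolute

def queries_until_answer(name, search, ndots, zone):
    """Simulate lookups against `zone` (set of names that exist); stop at first hit.
    Assumes each candidate costs one AAAA and one A query (dual-stack client)."""
    sent = []
    for i, cand in enumerate(candidates(name, search, ndots)):
        for rtype in ("AAAA", "A"):
            sent.append(parse_question(build_query(cand, rtype, txid=i))[1:])
        if cand in zone:
            break
    return sent

if __name__ == "__main__":
    zone = {"www.foo.com."}                   # constructed sample data
    for typed in ("www.foo.com", "www.foo.com."):
        print(typed, "->", queries_until_answer(typed, ["bar.org."], 3, zone))
```

With the search list tried first, the typed name is also disclosed to whichever servers answer for the search domain, which is worth checking when auditing resolver configuration.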
Re: (Score:3, Informative)
Re: (Score:2)
Re: (Score:2)
The OP never said it wouldn't take years either, he said "Because Vista is going to be used by about a couple hundred million more people than Linux/OSX."
I don't know if his figure of 100's of millions will ever surface, but definitely 10's of millions is feasible.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
So the issue we were talking about was not about the current amount of ipv6 users, it was how many and how fast people will switch over to Vista.
Re: (Score:3, Insightful)
Re: (Score:3, Insightful)
Re: (Score:2)
Nor does anyone believe, for that matter, that many PCs currently running Linux or MacOS will be "upgraded" to Vista.
Re:Why any different than Linux or MacOS X? (Score:5, Informative)
The DNS for Microsoft itself is one of the most vulnerable possibilities: if that goes down for an hour or so, as all the Internet Explorer servers and mis-programmed default Internet Explorer search settings hit microsoft.com for their default web page, those servers are going to take very large loads. And spreading out the load for such hits on the root servers for
I'm sure that Microsoft also *hates* having to use Akamai servers for anything, due to Akamai's understandable reliance on Linux for core services.
Re: (Score:2)
I don't know about Vista, but one of the services that runs by default in XP is the "DNS Client" service. This is actually rather poorly named, as it is in fact a DNS caching service.
So, while I can't speak for Vista, XP definitely ships with a DNS caching service enabled by default in both Home and Pro; I can't imagine that Vista would be any different.
Re: (Score:2)
How many Linux and MacOS X installations are currently active? What is market share of Windows? How many Windows Vista installations will there be 1, 2, 5 years from release? If having both stacks could cause a problem, doing that in Windows could have a much greater impact, right?
Re: (Score:2)
I can think of several hundred million reasons (hmm, for some reason this number is right up there with MS's userbase...).
This is ridiculous (Score:5, Informative)
First off, most DNS servers are very lightly loaded. DNS in general doesn't take a whole lot of traffic (relative to other protocols), and most DNS servers are way overpowered for what they need to do.
Secondly, as the article states, Vista is not going to just blindly do two queries, one IPv4 and the other IPv6, for every request. It is a little more intelligent than that (shocking, I know). For systems that don't have an IPv6 address (which will be virtually all of them given the current adoption rate of IPv6), no IPv6 DNS queries will be done at all.
Linux and other Unix-like OSes have supported IPv6 for years, and they haven't managed to kill DNS yet. Most Vista installations, like most Linux installations these days, are going to have IPv6 disabled anyway, so this is not going to have any real impact at all.
Re:This is ridiculous (Score:5, Informative)
Regards,
Steve
Re:This is ridiculous (Score:4, Interesting)
Re: (Score:2, Informative)
Thus just as Linux currently has an IPv6 interface enabled by default - even if it is not connected to any other machines over IPv6 it will still do AAAA lookups just as Linux does.
The host that it might be looking for may be itself on the IPv6 loopback interface.
Re: (Score:2)
Re: (Score:2, Interesting)
Of course it won't cause an overload (Score:5, Insightful)
It will take years until/if it reaches considerable marketshare. ISPs have plenty of time to upgrade in the meantime.
Useless to blame this on Vista (Score:5, Insightful)
Re: (Score:2)
Exactly, and:
- people behind corporate routers usually use an internal DNS server
- people with home routers, using NAT, can't actually get to a DNS server unless they are using IPv4. The only effective transition technology that supports NAT is Teredo ( implementation here: http://www.simphalempin.com/dev/miredo/ [simphalempin.com] )
- if home users aren't using NAT or are using a router that does support IPv6 (few t
Re: (Score:3, Informative)
Moo (Score:3, Funny)
Re: (Score:2)
Re: (Score:2)
Ahh... (Score:2, Funny)
Re: (Score:2)
Complicated mumbo jumbo (Score:2, Informative)
Re: (Score:2)
Re: (Score:2, Interesting)
Huh? (Score:4, Funny)
Re: (Score:2)
Quite right... (Score:3, Funny)
They're like series of tubes. And if they don't understand those tubes can be filled and if they are filled, when you put your message in, it gets in line and it's going to be delayed by anyone that puts into that tube enormous amounts of material, enormous amounts of material.
Re: (Score:2, Informative)
Mistake in assumption. (Score:2)
huh? (Score:2)
I can't imagine microsoft making such a horrible design mistake such as this. Shouldn't it be as easy as checking which protocol is being used before sending a request?
talk about FUD.
Re: (Score:2)
in short, no. unless your system supports ipv6 but has no ipv6 address allocated (like most of the vista installs i'd say)
dns is what will tell you what you should speak to the remote system. but as others pointed out, this FUD is just that, FUD. dns requests are small enough to not impact the servers much
Re: (Score:2)
Stupid (Score:3, Insightful)
Yeah right.
The knee in the curve, mentioned by Paul (Score:5, Informative)
When working with response time instead of %CPU, the curve is quite different from what one normally sees.
It starts off level, at some number of milliseconds (mostly the round-trip time) and stays that way until the load hits 100%, then increases rapidly and without bound.
For example, if a lookup takes 1/10 second, it will continue to take 1/10 second until there are 10 requests per cpu per second.
After that a queue builds up, and the requests are delayed. Brutally. At a mere 100 requests/second, the delay is 10 seconds, instead of one tenth.
Now imagine that at the huge loads the DNS servers typically handle.
When someone says "they've hit the knee of the curve", he really means "they're about to fall in the toilet" (;-))
--dave
Overload (Score:4, Funny)
Holly: "What if I do get an overload..."
Toaster: "You'll explode!"
A few more comments... (Score:4, Insightful)
So even if there is an increase in DNS load because of the AAAA before A DNS requests it won't cause rolling blackouts or major network failures.
FWIW, we see about 20% of our requests as AAAA requests. I don't have the number of those that are retried as A requests but I'd guess it's pretty high since we aren't (yet) listening on IPv6 interfaces. We do support AAAA dns requests, of course.
-david
I have a solution (Score:2)
Non-news? (Score:3, Interesting)
FUD.
How IPv6 DNS works. (Score:2, Informative)
First off, when your box asks for any address from your dns server, the dns server hits the public internet root name servers and gets the Start of Authority (SOA). This tells your dns server (or you if you wanna set up one locally) where to get DNS information for that domain. None of that changes with IPv6.... NOTHING. It can still make all of those requests over IPv4 and it doesn't matter and it will never duplicate the requests.
Now that your dns server knows
Re: (Score:3, Informative)
That's just plain wrong. Getting the whole zone file is done via AXFR requests and should only be allowed for slaves of the server. No client will ever do an AXFR to query a record.
The preference of IPv6 vs. IPv4 is done by the client only.
Re: (Score:3, Informative)
And here I was so happy that they included the auto-config fec0:0:0:ffff::1 - 3 DNS server addresses, but XP won't send a request either to them or to a manually configured V6 server.
-David
IPv6 + XP = Broken (Score:2)
-David
Oh noes... (Score:3, Insightful)
Maybe in user interaction. Perhaps, once IPv6 is used now and then, that second dns query will cause an extra 100 ms delay on top of the first 100 ms delay for the first dns query.. causing a human-noticeable slowdown after clicking a link.
This is a slowdown due to round trip times, not because of bandwidth or processing limits. More sequential round trips = more latency. Nothing new. And the second time you visit a given site? It's cached, no round trip at all. So yes, people might, maybe, kinda notice a difference.. on the first visit to a given website on a given reboot of their computer.
But I don't think an extra lookup will be a huge inconvenience even given the sorry state of ISP dns servers (Which, in my experience, aren't that bad unless they can't look up an address. Timeouts are bad, mmkay? The correct response is nxdomain, not 'server did not respond' 'lets try the next!' 'server did not respond'.....
Never happy... (Score:3, Interesting)
Experts Agree: This is BS (Score:5, Informative)
Here's what I threw on my blog on this matter. Note, the fact that this got presented as even a debate annoyed me enough to start posting on my site again.
--
Paul Mockapetris says Vista is going to take down the Internet's DNS infrastructure. Paul is the inventor of DNS; I met him at Black Hat last year and was half starstruck, half relieved he didn't hate me for the things I'd done to his creation
There's a reason.
First, while there are indeed a couple underprovisioned name servers, there's far more that have lots and lots of slack capacity. You need slack capacity to deal with shock load. The networks that would fail because of Vista's release, would fail because of a three day weekend.
Second, Vista's not getting deployed all at once. This is no service pack that's deployed to a hundred million desktops via Windows Update! Mockapetris is correct in that there will be a noticeable increase in DNS traffic, but that increase will be spread out over the course of a couple years. Slow increases like this tend not to cause the sort of catastrophic failure that Mockapetris refers to.
Finally, and most importantly (in the sense that Mockapetris should know better): Most of the work done to service the IPv6 request, is cached and available to service the IPv4. To complete a DNS lookup, you have to locate a particular server, known as the authoritative server for a domain. The same authoritative server that hosts the IPv6 (AAAA) record also hosts the IPv4 (A) record. So even if Vista sends twice the traffic, the upstream nameserver is certainly not experiencing twice the load.
Full disclosure: Microsoft has had me looking at Vista for much of this year, as part of their "Blue Hat Hacker" external pen-testing squad. But then, Mockapetris has written a really impressive name server for his company, Nominum, that can handle about 4x the load of BIND. But this isn't about who we are; it's about what is or isn't going to collapse. There are things to worry about. This isn't one of them.
As rarely as I can say it... (Score:5, Interesting)
Either way, I don't think that NAT is dead. It might change form a bit, but those in control of the numbers are not likely to just start giving them away, just because they have an over abundance of them any more than the Media Barons just give out music just because they have an over abundance of copies of that.
Remember 2002 (Score:2, Insightful)
Didn't we get this thing tested in 2002. Haven't we learned anything? or has it all been forgotten?
http://www.internetnews.com/dev-news/article.php/1486981 [internetnews.com]
Even when Vista comes out it won't have instant effect on the overall system, but the load will grow in time and the system will have to be customed for that.
Not the real problem (Score:4, Informative)
"I manage the operation of about 70% of the world's root DNS servers, and run authoritative TLD servers (mostly secondaries) for about 30% of the world's TLDs (mostly CCtlds). We measure carefully.
IPv6 isn't even 0.01% of the total, and doesn't matter.
The real load on name servers comes not from IPv6 but from Windows machines flooding the world with RFC1918 in-addr requests and with lookup requests in the
We started and sponsor the AS112 Project ( http://public.as112.net/ [as112.net] ) to try to mop up some of the Windows mess. No one believes that we'll need to extend it to IPv6, but we're paying attention."
He is of course right, the nonsense windows does has been a problem for years.
Re: (Score:2)
Re: (Score:2, Informative)
Re: (Score:2)
Neither do I!
True enough so far...
Re: (Score:2)
Re: (Score:2)
We have to get rid of NAT as soon as possible. In some countries users are already behind as many as five levels of NAT [lwn.net]!
Re:Remove the need for NAT? (Score:4, Insightful)
With plain NAT and no filter, someone on your outer segment (malicious ISP, hacked ISP, other customers of some cable ISPs,
Get rid of NAT now, the sooner the better.
NAT no security? (Score:3, Insightful)
Bullshit.
NAT does help against a certain sort of attack. Maybe only against this sort of attack. Fortunately, against the probably most common sort of attack you can't do anything about. (You can do something about infected websites: use a different browser).
Security is not
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:3, Insightful)
What the is it that you expect the average NAT user to be doing that matters with the "end to end paradigm of the internet"?
I am a geeky person, and know what? My NAT-ing Linksys router has never failed to meet my needs for my home internet/home network. In fact, it has a bunch of stuff that I am never likely to use. Ever.
Why are you putting any value on "end to end" when one of those legs is nothing but a threat to the average user (unsolicited inbound).
If it is NOT a threat and you want the i
Re: (Score:2)
N
Re:Remove the need for NAT? (Score:4, Insightful)
Re:Insignificant (Score:5, Informative)
As for how big a spike it can cause, see this [caida.org] for the effect of Windows' active directory update scheme on the root servers.
Re: (Score:2)
Likely set to both (Score:2)
Re: (Score:2)
If it were your choice you probably would just say. "Just add another digit, that will take care of the problem" (for a couple of years)
Re: (Score:2)
IPv6 makes routing much easier because most of those addresses won't be allocated to anything. They serve to keep the address space non-fragmented, so routers will have much smaller routing tables. Also, routing IPv6 is much easier because of a reduced set of options and a streamlined packet format, reducing the processing required by routers.
If anything, IPv6 makes things nicer and cleaner. If you wanna know about ugly, look at NAT and CIDR and the hack it brought to reve
There is no fear. Really. IPV6 is still insane. (Score:2)
"IPv6 makes routing much easier because most of those addresses won't be allocated to anything"
How droll. Do you realize what you've said in justification? Have you done router tables, ever?
Then, you say:
"They serve to keep the address space non-fragmented, so routers will have much smaller routing tables"
Sure. A lot smaller. The number of devices needing unique addresses will shrink and that's why IPV4 is "....about ugly, look at NAT and CIDR and the hack.." In fact, using NAT and CIDR b
Re: (Score:2)
If you had and had understood what I wrote, you wouldn't be asking.
There is no ARP with IPv6.
Why don't you go inform yourself before you go on crusades against things you don't understand?
Re: (Score:2)
Really. DO THE MATH. IPV6 IS INSANE!!!!
Re:At the risk of further insult.... (Score:4, Insightful)
IPv6 means your TCP packets will get 20 bytes larger. That means that your downloads will take about 1.5% longer. Oh the horror!
Re: (Score:2)
Personally I think it's a non-issue, but that's the only reason I can see for a difference.
*you heard me, Mactel.
Re: (Score:2)