Re: Reliable Cloud host ?
From: William Herrin <bill () herrin us>
Date: Mon, 27 Feb 2012 14:02:04 -0500

On Mon, Feb 27, 2012 at 12:09 PM, Jared Mauch <jared () puck nether net> wrote:
> On Feb 27, 2012, at 10:28 AM, William Herrin wrote:
>> How DNS is designed to work and how it actually works is not the same.
>> Look up "DNS Pinning" for example. For most kinds of DR you need IP
>> level failover where the IP address is rerouted to the available site.
>
> I never claimed your response would be perfect, but it will certainly work
> well enough to avoid major problems.

No, actually, it won't. In practice, most end user applications
disregard the DNS TTL.

In some cases this is because of carelessness: The application does a
gethostbyname once when it starts, grabs the first IP address in the
list and retains it indefinitely. The gethostbyname function doesn't
even pass the TTL to the application. Ntpd is/used to be one of the
notable offenders, continuing to poll the dead address for years after
the server moved.

In other cases disregarding the TTL was a deliberate design decision.
Web browser DNS Pinning is an example of this. All modern web browsers
implement a form of DNS Pinning where they refuse to try an alternate
IP address for a web server on subsequent TCP connections after making
the first successful contact. This plugs a JavaScript security leak
where a client side application could be made to scan the interior of
its user's firewall by switching the DNS back and forth between local
and remote addresses. In some cases this stuck-address behavior can
persist until the browser is completely closed and reopened, possibly
when the PC is rebooted weeks later.

The net result is that when you switch the IP address of your server,
a percentage of your users (declining over time) will be unable to
access it for hours, days, weeks or even years regardless of the DNS
TTL setting.

This isn't theoretical, by the way. I had to renumber a major web site
once. 1 hour TTL at the beginning of the process. Three month overlap
in which both addresses were online and the DNS pointed to the new
one. At the end of the three months a fraction of a percent of the
*real user traffic* was _still_ coming in to the obsolete address. Using
the correct name in the Host: header, so the user wasn't deliberately
picking the IP address.

If you want DR that *works*, reroute the IP address.

Regards,
Bill Herrin


-- 
William D. Herrin ................ herrin () dirtside com  bill () herrin us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
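The "resolve once at startup and keep the first address" failure mode described in the message above, shown side by side with a TTL-respecting cache. This is an added example, not code from the post or from any of the software it mentions; the resolver, the zone data, the host name `www.example.test` and the addresses are constructed so the renumbering scenario replays offline against a fake clock.

```python
import time
from typing import Callable, Dict, List, Tuple

# A DNS answer the way the application needs it: every address plus the TTL.
# socket.gethostbyname() returns a single address string and discards the TTL,
# which is exactly the information needed to know when to resolve again.
Answer = Tuple[List[str], int]            # (addresses, ttl in seconds)
Resolver = Callable[[str], Answer]        # hypothetical resolver signature (assumption)


class ResolveOnceCache:
    """The careless pattern: resolve at startup, keep the first address indefinitely."""

    def __init__(self, resolve: Resolver) -> None:
        self._resolve = resolve
        self._pinned: Dict[str, str] = {}

    def address(self, name: str) -> str:
        if name not in self._pinned:
            addrs, _ttl = self._resolve(name)     # TTL thrown away, as with gethostbyname()
            self._pinned[name] = addrs[0]         # only the first address is retained
        return self._pinned[name]


class TtlCache:
    """Cache an answer only until its TTL expires, then re-resolve; return every address."""

    def __init__(self, resolve: Resolver, clock: Callable[[], float] = time.monotonic) -> None:
        self._resolve = resolve
        self._clock = clock
        self._entries: Dict[str, Tuple[List[str], float]] = {}   # name -> (addrs, expiry time)
        self.lookups = 0                                          # number of resolver calls made

    def addresses(self, name: str) -> List[str]:
        now = self._clock()
        entry = self._entries.get(name)
        if entry is None or now >= entry[1]:
            addrs, ttl = self._resolve(name)
            self.lookups += 1
            # Clamp: a zero TTL still gets a brief cache; a huge TTL cannot pin the address for days.
            ttl = max(1, min(ttl, 3600))
            entry = (list(addrs), now + ttl)
            self._entries[name] = entry
        return list(entry[0])


class FakeClock:
    """Controllable clock so the renumbering scenario runs instantly and offline."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def simulate_renumber() -> Dict[str, object]:
    """Replay a renumbering: 1 hour TTL, new address published, days pass."""
    name = "www.example.test"                                   # constructed name
    zone = {name: (["192.0.2.10"], 3600)}                       # constructed zone data, 1 h TTL
    resolve: Resolver = lambda n: zone[n]

    careless = ResolveOnceCache(resolve)
    clock = FakeClock()
    careful = TtlCache(resolve, clock)

    # Both clients start up and resolve the name once.
    careless.address(name)
    careful.addresses(name)

    # Within the TTL a second lookup must be served from cache, not the resolver.
    clock.advance(600)
    careful.addresses(name)
    lookups_within_ttl = careful.lookups          # expect 1

    # Renumber: publish the new address, then let three days pass.
    zone[name] = (["198.51.100.10"], 3600)
    clock.advance(3 * 24 * 3600)

    return {
        "careless_after_move": careless.address(name),       # still the obsolete address
        "ttl_aware_after_move": careful.addresses(name),     # follows the DNS change
        "lookups_within_ttl": lookups_within_ttl,
    }


if __name__ == "__main__":
    for key, value in simulate_renumber().items():
        print(f"{key}: {value}")
```

The TTL-aware cache hands back the whole address list rather than the first entry, so a client can try another address when the first refuses the connection; that is the client-side half of the fix. The post's point stands regardless: an operator cannot assume every client behaves this way, which is why it recommends rerouting the IP address for DR.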

