Widespread DNSing issues?

EdFred

Some websites pop up right away. Some don't. Seems like once a route to an initially "missing" server is found it finds it quickly the next time.

Took foooooorrrreeeeverrrrrr to get on here this morning. Then the next 20 times I connect here, boom, instant.
 
It's a bit complicated but has to do with your closest ISP, or the route you get the majority of your web traffic from. A frequently used domain name will be cached in the DNS lookup of the server which routes traffic to you. If the route cache(s) have been flushed, the first lookup will need to go a few more hops until it gets a match, then that DNS will be delivered to the server at your ISP, and be cached for a while.

If no one goes there for x amount of time, it will be flushed, or the ISP may be doing some kind of maint, or altering the route tables, or a dozen other things that can cause lookups to get redirected.

<edit: DNS entries for major web pages are always cached like Yahoo, Foxnews, cnn, etc which is why they get loaded quickly. If you want to test your ISP, enter a URL with a foreign location, something obscure and see how fast it comes up. This is a good test for the size of the cache available on your ISP server(s).>
 
Actually it was a few of the major ones that were slow, too. Which is why I asked the question. A year or two ago Network Solutions (I think) had some DNS issues, so any website that was handled by them was slow/missing.
 
That can happen too. A hosting site for a group of domains can have trouble distributing them. I'm guessing in this case it was a local flush (no one else here complained), and the route table was being rebuilt slowly. Once a route is established, even in a tiered routing scheme, which is common, you won't take too long to load.

I could tell stories... they would curl your hair. Most of the issues nowadays arise from unskilled foreign hosts putting mistakes out on the wire, and crapping up someone else's work. However, it's happened right here in the US by several large three letter companies which will remain nameless, but used to be known as 'ma bell'.
 
Might be the case. I will attempt to get to a site, get a can't find server error, reload it and it goes through slowly. Then it's quick after that.
 
Try Google's public resolvers (8.8.8.8 and 8.8.4.4), see if that helps any. If issues are cured, your ISP's forwarding nameserver is having trouble. If not cured, it's something else.

Note that DNS is constantly under heavy attack, with vandals and various interests, including governments, trying to disrupt root servers. As attacks and defences vary in sophistication, the issues come and go.
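
Added example, not part of the original posts: a small Python script that carries out the test suggested above by timing a cold and a warm lookup against the ISP resolver and against 8.8.8.8. The `diagnose` helper, its labels and the 500 ms `slow_ms` threshold are assumptions made for illustration.

```python
import secrets, socket, struct, sys, time

def build_query(name, txid, qtype=1):
    """Encode a recursive (RD=1) DNS query for `name`; qtype 1 = A record."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_header(packet):
    """Return (txid, rcode, answer_count) from a DNS response packet."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    return txid, flags & 0x000F, ancount

def timed_lookup(resolver, name, txid=None, timeout=3.0):
    """Query `resolver` once; return (ms, rcode, answers) or None on failure."""
    txid = secrets.randbelow(1 << 16) if txid is None else txid
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            start = time.perf_counter()
            s.sendto(build_query(name, txid), (resolver, 53))
            while True:
                data, _ = s.recvfrom(4096)
                try:
                    rid, rcode, answers = parse_header(data)
                except ValueError:
                    continue  # ignore malformed or non-response packets
                if rid == txid:  # only accept the reply to our own query
                    return (time.perf_counter() - start) * 1000, rcode, answers
        except OSError:  # timeout or no route to the resolver
            return None

def diagnose(isp_ms, public_ms, slow_ms=500):
    """Classify first-lookup times (None = timed out); threshold is assumed."""
    slow = lambda ms: ms is None or ms > slow_ms
    if not slow(isp_ms):
        return "resolver-ok"
    return "something-else" if slow(public_ms) else "isp-resolver"

if __name__ == "__main__" and len(sys.argv) == 3:
    isp_resolver, name = sys.argv[1], sys.argv[2]  # e.g. your router's IP, a hostname
    for label, server in (("isp", isp_resolver), ("public", "8.8.8.8")):
        for attempt in ("cold", "warm"):  # second query should hit the cache
            print(label, attempt, timed_lookup(server, name))
```

Run it with the ISP resolver's address and a hostname you have not visited recently; a slow or failed cold lookup followed by a fast warm one matches the caching behaviour described earlier in the thread.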
 
Try OpenDNS for all of your browsers - even the mobile ones. . . .
 
OpenDNS is a security suite, has little utility for performance, except where phishing would slow the access to a locally cached set of DNS entries. It has no effect on the DNS entries in the ISP/server/router.

Although OpenDNS can have good value for people who sometimes visit the seamier side of the internet, if you stay in safe neighborhoods like POA, Foxnews, most car forums, firearms forums it will only slow you down as one more layer of resolution to go through.
 
While we often use it for filtering, OpenDNS has always advertised speed... from their website:
Speed up your Internet experience
OpenDNS’s 19 global data centers are strategically located at the most well-connected intersections of the Internet. Unlike other providers, OpenDNS’s network uses sophisticated Anycast routing technology, which means no matter where you are in the world, your DNS requests are answered by the datacenter closest to you. Combined with the largest DNS caches in the industry, OpenDNS provides you with DNS responses faster than anyone else.
 
> Try Google's public resolvers (8.8.8.8 and 8.8.4.4), see if that helps any. If issues are cured, your ISP's forwarding nameserver is having trouble. If not cured, it's something else.
>
> Note that DNS is constantly under heavy attack, with vandals and various interests, including governments, trying to disrupt root servers. As attacks and defences vary in sophistication, the issues come and go.

I doubt Ed is going to try Google anything, lol. He loves Google about as much as I do.

Comodo might be more acceptable.

http://www.comodo.com/secure-dns/

-Rich
 
I have my own recursive nameserver on the home router, which does exactly the same that OpenDNS does. See, if I lose basic connectivity, those 19 datacenters ain't doin squat for me. But if I have the connectivity, good ole BIND does the same job. It's the best solution. The problem is just running your own nameserver requires a minimum expertise, like knowing how to set it so it's not providing a trampoline for authentication attacks.
 
Anycast can sometimes reduce hop count intradomain where there may be multiple sockets for the same datagram/stream. This is pretty common in an urban and metro environment, so sometimes an anycast RP can offer faster resolution. But - as with all things, with one hand we give, with another we take away. If the router IP of the furthest access point is higher than a closer, or lower hop router, you get to take the long way home...

OpenDNS can market a lot of stuff. I haven't given it a run and not really interested, I just pointed out that the basic plan for OpenDNS was a way around phishing problems, and the regular DNS storms. Sadly, it appears that OpenDNS has spawned a few of their own specific attacks, because the hackers or financial attacks which are the most professional realize that users of the OpenDNS product probably have something worth taking rather than gobs of porn datagrams, and chat room banter (OpenDNS will not tell you that, but from the inside of the net, I assure you it's very true). Frex; the recent debacle with Marriott and of course Target.
 
> While we often use it for filtering, OpenDNS has always advertised speed... from their website:
>
> Speed up your Internet experience
>
> OpenDNS’s 19 global data centers are strategically located at the most well-connected intersections of the Internet. Unlike other providers, OpenDNS’s network uses sophisticated Anycast routing technology, which means no matter where you are in the world, your DNS requests are answered by the datacenter closest to you. Combined with the largest DNS caches in the industry, OpenDNS provides you with DNS responses faster than anyone else.


They're full of it on that one... Anycast and other network-centric tech that handles routing to the roots, and then various popular large companies doing the same, makes your "closest" DNS server usually kick their ass in a true speed test resolving random stuff.

19 isn't that many. I ran DNS without fancy routing tools in 18 data centers for an ISP from 1997-2001 or so. We were considered a "Tier 3 peered to 6 Tier 1 backbones" in the North American routing space. Same place wouldn't even get a "Tier" type rating today. (Partly because they'd be dwarfed by the modern data center industry and partly because "Tier" is much more meaningless now with oodles of private peering throughout the Net now.)

OpenDNS is kinda neat for filtering, and kinda "a solution looking for a problem" for just handling generic DNS. The latter is mostly hype.
 
> I have my own recursive nameserver on the home router, which does exactly the same that OpenDNS does. See, if I lose basic connectivity, those 19 datacenters ain't doin squat for me. But if I have the connectivity, good ole BIND does the same job. It's the best solution. The problem is just running your own nameserver requires a minimum expertise, like knowing how to set it so it's not providing a trampoline for authentication attacks.


The "caching-nameserver" packages in Linux are fairly sane, security-wise. It's pretty much a no-brainer nowadays, unless you're also hosting and want DNSSEC configured correctly, or you're messing with IPv6.
 