From Microsoft's site

http://www.microsoft.com/info/siteaccess.htm

"Microsoft Explains Site Access Issues

On Tuesday evening and Wednesday, many Microsoft customers had
difficulty accessing the company's Web sites. The cause has been
determined, and the issue is resolved.

At 6:30 p.m. Tuesday (PST), a Microsoft technician made a configuration
change to the routers on the edge of Microsoft's Domain Name Server
network. The DNS servers are used to connect domain names with numeric
IP addresses (e.g. 207.46.230.219) of the various servers and networks
that make up Microsoft's Web presence.

The mistaken configuration change limited communication between DNS
servers on the Internet and Microsoft's DNS servers. This limited
communication caused many of Microsoft's sites to be unreachable
(although they were actually still operational) to a large number of
customers throughout last night and today.

This was an operational error, and not the result of any issue with
Microsoft or third-party products nor the security of our networks.
Microsoft regrets any inconvenience caused to customers due to this
issue.

At approximately 5 p.m. Wednesday (PST), Microsoft removed the changes
to the router configuration and immediately saw a massive improvement in
the DNS network.

All sites are currently available to customers. Again, Microsoft
apologizes for the inconvenience."

...and immediately saw a massive improvement in the DNS network.

Which would not have suffered such an impact had it been designed
correctly, with geographical and topological disparity.

I guess to Microsoft, "RFC" is a four-letter word.

> Which would not have suffered such an impact had it been designed
> correctly, with geographical and topological disparity.

You sure it isn't designed that way? Just because the IPs are on the same /24 doesn't mean anything these days.

Other people share your thoughts, Rusty. I just ran across the following
on securitygeeks.shmoo.com:

Authored by: gdead on January 25 2001 @ 10:53AM
Just a quick comment on everyone saying that the MS nameservers are on the
same subnet. We have no proof of that, and I would hope to god it's not
true. They ARE from the same netblock from their AS (8070). That is an
unforgivable sin. You should always have at least one nameserver outside
your own AS Just In Case (tm). However, just because the IPs of the
nameservers are adjacent doesn't mean the machines are. They could be in 2
or 4 different locations around the net (2 of the IPs are adjacent, and
so are the second 2, indicating maybe two sets of two). However, due to
the nature of DNS, you can have multiple nameservers scattered around your
enterprise answer for a single IP. I've deployed this, and I know others
have as well. Basically, your ingress router has a route to a local
nameserver that responds to that IP. If that host dies, then the network
routes take over and push the query to the next closest nameserver, which
gets it and responds with an answer. So using 4 IPs MS may have 20 nameservers
scattered all over the planet answering for those 4. Doubtful, but
maybe. Ergo, we can't assume these boxes are anywhere near each other. If
someone KNOWS how they're set up, please tell us.

-Ian

Ian Finlay

[ On Thursday, January 25, 2001 at 17:53:12 (-0800), Rusty H. Hodge wrote: ]

Subject: Re: From Microsoft's site

> Which would not have suffered such an impact had it been designed
> correctly, with geographical and topological disparity.

> You sure it isn't designed that way? Just because the IPs are on the
> same /24 doesn't mean anything these days.

It seems in the case of M$'s DNS servers they are all in one place (be
it a room, a building, or their campus), and all behind one AS number,
with apparently only one router "entity" sitting in front of the whole
mess (if you believe what they've been saying has any basis in reality).

I haven't looked at how the routing advertisements for that /24 appear
out in the rest of the world, beyond what's registered at whois.ra.net,
but I doubt they've made separate advertisements for each IP# or some
subnets that would separate them, and even if they did I doubt such
advertisements could even make it past the route filters of their peers.

By "topological disparity" I meant each server should have radically
different IP routing *and* physical connectivity. Even if M$ did have
good geographic dispersion with each of their four DNS servers in the
four corners of the continental USA and connected back to their campus
by some form of private circuits, they've still got effectively one IP
routing path to whatever they might use to provide that non-IP
connectivity back out to those four corners. I.e. there's still a
single point of failure from the perspective of random users on random
Internet sites. If there wasn't a single point of failure then the
recent events would not have occurred.

I just noticed this gem too:

Microsoft (NETBLK-MICROSOFT-GLOBAL-NET)
   One Microsoft Way
   Redmond, WA 98103
   US

   Netname: MICROSOFT-GLOBAL-NET
   Netblock: 207.46.0.0 - 207.46.255.255

   Coordinator:
      Microsoft (ZM39-ARIN) noc@microsoft.com
      425-936-4200

   Domain System inverse mapping provided by:

   DNS4.CP.MSFT.NET 207.46.138.11
   DNS4.CP.MSFT.NET 207.46.138.11

So, how is it that ARIN let them get away with two entries for the same
damn server?!?!?!?!?
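The two complaints running through this thread, nameservers that all sit in one netblock behind one AS, and the question of whether adjacent addresses even tell you anything, boil down to a placement check that an operator can script. The following is an added example written for this page, not code from any of the posters or from Microsoft; it scores a set of nameserver addresses against RFC 2182's guidance that secondaries be topologically and geographically dispersed. The two 207.46.x.x addresses, the 207.46.0.0/16 netblock and AS8070 come from the thread; the other addresses, the IP-to-AS mapping and the "dispersed" comparison set are constructed sample data (documentation ranges and private-use ASNs). A real check would resolve the zone's NS records and consult an RIR or BGP data source instead of a hand-written dictionary.

```python
"""Nameserver placement diversity check (added example, not from the thread).

Flags the conditions discussed in the thread: all nameservers inside one
netblock, inside one autonomous system, or crowded together in the same
/24 (adjacent addresses that may or may not be adjacent machines).
"""
from collections import Counter
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Optional


def covering_prefix_len(ips: Iterable[str]) -> int:
    """Length of the shortest IPv4 prefix that covers every address.

    32 means a single host; a small number means the addresses are spread
    across very different parts of the address space.
    """
    ints = [int(ip_address(ip)) for ip in ips]
    if len(ints) < 2:
        return 32
    diff = 0
    for other in ints[1:]:
        diff |= ints[0] ^ other          # OR of all differing bits
    return 32 - diff.bit_length()        # leading bits shared by all


def assess(ns_ips: List[str], ip_to_asn: Dict[str, int],
           netblock: Optional[str] = None) -> dict:
    """Return a report with the covering prefix, the set of ASNs and findings."""
    prefix = covering_prefix_len(ns_ips)
    asns = {ip_to_asn.get(ip) for ip in ns_ips}
    per_24 = Counter(str(ip_network(f"{ip}/24", strict=False)) for ip in ns_ips)
    findings = []

    if len(ns_ips) < 2:
        findings.append("fewer than two nameservers")
    if prefix >= 24:
        findings.append(f"all nameservers fall inside one /{prefix}")
    if netblock and all(ip_address(ip) in ip_network(netblock) for ip in ns_ips):
        findings.append(f"all nameservers inside the single netblock {netblock}")
    if len(asns) == 1:
        only = next(iter(asns))
        label = f"AS{only}" if only is not None else "an unknown AS"
        findings.append(f"all nameservers in one AS ({label}); "
                        "RFC 2182 asks for dispersed secondaries")
    crowded = sorted(net for net, count in per_24.items() if count > 1)
    if crowded:
        findings.append("multiple nameservers share a /24: " + ", ".join(crowded))

    return {"covering_prefix_len": prefix, "distinct_asns": asns,
            "findings": findings}


# Constructed sample resembling the thread's description: two adjacent pairs
# in 207.46.0.0/16, all originated by AS8070 (the AS named in the thread).
# Only 207.46.138.11 and 207.46.230.219 appear on the page; the rest are made up.
SAMPLE_CLUSTERED = ["207.46.138.11", "207.46.138.12",
                    "207.46.230.219", "207.46.230.220"]
SAMPLE_CLUSTERED_ASN = {ip: 8070 for ip in SAMPLE_CLUSTERED}

# Constructed dispersed set: documentation prefixes (RFC 5737) and
# private-use ASNs (RFC 6996), i.e. not real servers.
SAMPLE_DISPERSED = ["192.0.2.53", "198.51.100.53", "203.0.113.53"]
SAMPLE_DISPERSED_ASN = {"192.0.2.53": 64496,
                        "198.51.100.53": 64497,
                        "203.0.113.53": 64498}


if __name__ == "__main__":
    for name, ips, asn_map, block in (
            ("clustered", SAMPLE_CLUSTERED, SAMPLE_CLUSTERED_ASN, "207.46.0.0/16"),
            ("dispersed", SAMPLE_DISPERSED, SAMPLE_DISPERSED_ASN, None)):
        report = assess(ips, asn_map, netblock=block)
        print(f"{name}: covering prefix /{report['covering_prefix_len']}, "
              f"ASNs {sorted(a for a in report['distinct_asns'] if a)}")
        for finding in report["findings"] or ["no placement findings"]:
            print("  -", finding)
```

The covering-prefix number answers the "same /24" question directly (the two addresses quoted in the thread only share a /17), while the AS and netblock findings capture the point gdead and the later reply both make: addresses that are far apart numerically can still sit behind one router and one routing announcement, so the AS check matters more than the octets.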