microsoft

Can anyone shed light here?

1) Both of the listed nameservers for windowsupdate.microsoft.com timed out when I sent them non-recursive DNS requests.

2) I killed my DNS cache, and asked again for the NS records for windowsupdate.microsoft.com. A new third one was listed, and one of the original servers began to respond.

3) Another reload shows only 2 servers listed again, and they both respond.

Looks to me as if Microsoft is altering global delegation of their windowsupdate service. Maybe diversifying the dns structure as they did with microsoft.com after the attacks a while back? They now have 12 DNS servers scattered around the globe, just to serve microsoft.com dns.

> Looks to me as if Microsoft is altering global delegation of their
> windowsupdate service. Maybe diversifying the dns structure as they did
> with microsoft.com after the attacks a while back?

attacks? you mean when they shot themselves in the 2182 foot?

there are some good ways to roll new dns delegations, where integrity is
maintained throughout the process. there are many bad stoopid ways. dig
and doc tell me that this is a case of the latter.

randy

> > Looks to me as if Microsoft is altering global delegation of their
> > windowsupdate service. Maybe diversifying the dns structure as they did
> > with microsoft.com after the attacks a while back?
>
> attacks? you mean when they shot themselves in the 2182 foot?

I'm not aware of the exact reasons for their problems. I heard of a few DoS attacks which crippled them due to poor network diversification / design / foo.

> there are some good ways to roll new dns delegations, where integrity is
> maintained throughout the process. there are many bad stoopid ways. dig
> and doc tell me that this is a case of the latter.

This is unquestionably the case. Good = nobody notices enough to start `dig`ging around in the first place.

> randy

--c

> > attacks? you mean when they shot themselves in the 2182 foot?
>
> I'm not aware of the exact reasons for their problems.

someone misconfigured a router so dns could not serve from behind it.
this is life, stuff happens. but they had ALL the servers for their
domain behind that ONE router, despite massive net lore and a bcp not
to do so. so the entire domain and a number of other pieces were
unreachable for a long time. yucchhy.

the reason i belabor this here is not to abuse this particular foot
shooter, but rather to emphasize yet again, diversify your dns servers
*widely*, physically and topologically. see rfc 2182.

randy
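
The checks raised in this thread (listed servers that do not answer non-recursive queries, an NS set that differs between views, and the RFC 2182 advice on spreading servers), as an added Python example that is not from any poster. The names, addresses and the /24 grouping are constructed assumptions, and distinct prefixes are only a coarse proxy for physical and topological diversity.

```python
import ipaddress

def audit_delegation(parent_ns, child_ns, answers, addrs, prefix_len=24):
    """Return findings for one zone's delegation.

    parent_ns / child_ns: NS names seen at the parent and at the zone's own servers
    answers: name -> True if it answered a non-recursive query authoritatively
    addrs:   name -> list of IPv4 address strings
    """
    findings = []
    parent, child = set(parent_ns), set(child_ns)
    # A clean rollover keeps both views in agreement at every step.
    for name in sorted(parent - child):
        findings.append(f"mismatch: {name} only in parent NS set")
    for name in sorted(child - parent):
        findings.append(f"mismatch: {name} only in child NS set")
    listed = parent | child
    # Every listed server must actually serve the zone.
    for name in sorted(listed):
        if not answers.get(name, False):
            findings.append(f"lame: {name} listed but not answering authoritatively")
    # Assumption: count distinct covering prefixes as a stand-in for diversity.
    nets = {ipaddress.ip_network(f"{a}/{prefix_len}", strict=False)
            for name in listed for a in addrs.get(name, [])}
    if len(nets) < 2:
        findings.append(f"diversity: all servers in {len(nets)} /{prefix_len} network(s)")
    return findings

# Constructed sample data (documentation names and RFC 5737 addresses).
BAD = dict(
    parent_ns=["ns1.example.com", "ns2.example.com"],
    child_ns=["ns1.example.com", "ns2.example.com", "ns3.example.com"],
    answers={"ns1.example.com": True, "ns2.example.com": False, "ns3.example.com": True},
    addrs={"ns1.example.com": ["192.0.2.1"], "ns2.example.com": ["192.0.2.2"],
           "ns3.example.com": ["192.0.2.3"]},
)
GOOD = dict(
    parent_ns=["ns1.example.com", "ns2.example.com", "ns3.example.com"],
    child_ns=["ns1.example.com", "ns2.example.com", "ns3.example.com"],
    answers={"ns1.example.com": True, "ns2.example.com": True, "ns3.example.com": True},
    addrs={"ns1.example.com": ["192.0.2.1"], "ns2.example.com": ["198.51.100.1"],
           "ns3.example.com": ["203.0.113.1"]},
)

if __name__ == "__main__":
    for label, zone in (("BAD", BAD), ("GOOD", GOOD)):
        print(label, audit_delegation(**zone))
```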

Yeah, maybe they're moving their update service from windowsupdate.microsoft.com to
windowsupdate.com. Maybe they'll "Akamize" windowsupdate.com too...

bash-2.04$ host www.microsoft.com
www.microsoft.com is a nickname for www.microsoft.akadns.net
www.microsoft.akadns.net has address 207.46.230.218
www.microsoft.akadns.net has address 207.46.230.219
www.microsoft.akadns.net has address 207.46.230.220
www.microsoft.akadns.net has address 207.46.197.100
www.microsoft.akadns.net has address 207.46.197.101
www.microsoft.akadns.net has address 207.46.197.113
www.microsoft.akadns.net has address 207.46.197.102

bash-2.04$ host windowsupdate.microsoft.com
windowsupdate.microsoft.com has address 207.46.106.88

bash-2.04$ host windowsupdate.com
windowsupdate.com has address 207.46.106.88
windowsupdate.com has address 207.46.226.17
windowsupdate.com has address 207.68.131.27

-Ian

What you're seeing is MS using Akamai's Edgesuite service. Basically,
www.microsoft.com CNAMES to www.microsoft.akadns.net, which resolves to
the "closest" Akamai server to the source IP on the DNS query. That box
caches the content from the *real* www.microsoft.com, and serves it up.
Nice concept, and a helluva lot easier to implement on the end user side
than FreeFlow, IMHO...

-Chris

No, I'm pretty sure that this is a third distinct service, not EdgeSuite
or FreeFlow - I know it as nothing but AkaDNS, it probably has a "real"
name - if you traceroute to those servers, you'll see that they're actual
Microsoft servers. Look at that, versus, say, www.segway.com, which is on
EdgeSuite:

www.segway.com. 3600 IN CNAME www.segway.com.edgesuite.net.
www.segway.com.edgesuite.net. 21600 IN CNAME a1758.gc.akamai.net.
a1758.gc.akamai.net. 20 IN A 209.185.188.10
a1758.gc.akamai.net. 20 IN A 209.185.188.107

Notice it's on edgesuite.net, not akadns.net.

Tim Wilde