Posted on Thursday, May 15th, 2008

YouTube Diversifies DNS; Google Next?

by Danny McPherson

Just a week after several DNS quirks cost YouTube some downtime, they appear to have added a great deal of redundancy to their previous setup, which left much to be desired. They’ve now got 7 authoritative servers listed, addressed from 3 discrete netblocks (64.15.112.0/20, 208.117.224.0/19 and 208.65.152.0/22, the last being the original); the zone files are all in sync and the root has been updated.

danny@pork% dig youtube.com soa

; <<>> DiG 9.4.1-P1 <<>> youtube.com soa
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57844
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 7, ADDITIONAL: 7

;; QUESTION SECTION:
;youtube.com. IN SOA

;; ANSWER SECTION:
youtube.com. 2984 IN SOA sjl-ins1.sjl.youtube.com. dns-admin.youtube.com. 2008050504 10800 3600 604800 86400

;; AUTHORITY SECTION:
youtube.com. 2984 IN NS ash-ns1.ash.youtube.com.
youtube.com. 2984 IN NS dns3.sjl.youtube.com.
youtube.com. 2984 IN NS mia-ns1.mia.youtube.com.
youtube.com. 2984 IN NS nyc-ns1.nyc.youtube.com.
youtube.com. 2984 IN NS dns2.sjl.youtube.com.
youtube.com. 2984 IN NS dns1.sjl.youtube.com.
youtube.com. 2984 IN NS dal-ns1.dal.youtube.com.

;; ADDITIONAL SECTION:
dns1.sjl.youtube.com. 170881 IN A 208.65.152.201
dns2.sjl.youtube.com. 170881 IN A 208.65.152.137
mia-ns1.mia.youtube.com. 170884 IN A 64.15.115.114
dal-ns1.dal.youtube.com. 170883 IN A 208.117.225.50
dns3.sjl.youtube.com. 170882 IN A 64.15.123.241
ash-ns1.ash.youtube.com. 170883 IN A 64.15.126.183
nyc-ns1.nyc.youtube.com. 170885 IN A 64.15.114.114

;; Query time: 89 msec
;; SERVER: 10.1.0.11#53(10.1.0.11)
;; WHEN: Thu May 15 15:53:03 2008
;; MSG SIZE rcvd: 36

Good for them.. Now, Google should follow suit, especially considering all of their authoritative name servers are from a single netblock, 216.239.32.0/19. Oddly, they do announce more-specific /24s for two of the name server addresses:

danny@pork% dig google.com soa

; <<>> DiG 9.4.1-P1 <<>> google.com soa
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40406
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4

;; QUESTION SECTION:
;google.com. IN SOA

;; ANSWER SECTION:
google.com. 85795 IN SOA ns1.google.com. dns-admin.google.com. 2008051301 7200 1800 1209600 300

;; AUTHORITY SECTION:
google.com. 31367 IN NS ns1.google.com.
google.com. 31367 IN NS ns2.google.com.
google.com. 31367 IN NS ns3.google.com.
google.com. 31367 IN NS ns4.google.com.

;; ADDITIONAL SECTION:
ns2.google.com. 82140 IN A 216.239.34.10
ns3.google.com. 82141 IN A 216.239.36.10
ns4.google.com. 82141 IN A 216.239.38.10
ns1.google.com. 82142 IN A 216.239.32.10

;; Query time: 93 msec
;; SERVER: 10.1.0.11#53(10.1.0.11)
;; WHEN: Thu May 15 16:04:19 2008
;; MSG SIZE rcvd: 210

——————-

route-views.oregon-ix.net>sh ip bgp 216.239.32.0/19 longer-prefixes | include 216.239
* 216.239.32.0/19 196.7.106.245 0 0 2905 702 3356 15169 i
* 216.239.33.0 196.7.106.245 0 0 2905 702 3356 15169 36385 i
* 216.239.34.0 196.7.106.245 0 0 2905 702 3356 15169 i
* 216.239.38.0 196.7.106.245 0 0 2905 702 1239 15169 i
* 216.239.44.0/23 196.7.106.245 0 0 2905 702 1239 15169 36384 i
* 216.239.50.0/23 196.7.106.245 0 0 2905 702 1239 15169 i
* 216.239.58.0/23 196.7.106.245 0 0 2905 702 3356 15169 i
* 216.239.60.0/23 196.7.106.245 0 0 2905 702 1239 15169 i

It’s a shame you’ve got to inject 7 more-specific prefixes into the Internet routing system from an aggregate /19 for some presumed added level of security, but I do understand why, err.. I guess.. Anyway, the folks at Google might want to consider a little more diversity in authoritative DNS servers, then they could clean up some of that Internet routing system pollution.

As for the routing pollution bit, considering what they’ve got on the line, and the [lack of] options available on the routing system security front, I understand. I don’t like it.. But I understand.
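The netblock comparison made above can be reproduced mechanically. The following is an added example, not part of the original post: it takes the glue records and prefixes quoted on this page and groups each name server under the longest prefix that covers it. The function names are hypothetical, and it assumes the route-views lines printed without a mask are classful /24s, as IOS displays them.

```python
import ipaddress
from collections import defaultdict

# Glue A records copied from the two dig ADDITIONAL sections in this post.
YOUTUBE_GLUE = """\
dns1.sjl.youtube.com. 170881 IN A 208.65.152.201
dns2.sjl.youtube.com. 170881 IN A 208.65.152.137
mia-ns1.mia.youtube.com. 170884 IN A 64.15.115.114
dal-ns1.dal.youtube.com. 170883 IN A 208.117.225.50
dns3.sjl.youtube.com. 170882 IN A 64.15.123.241
ash-ns1.ash.youtube.com. 170883 IN A 64.15.126.183
nyc-ns1.nyc.youtube.com. 170885 IN A 64.15.114.114
"""
GOOGLE_GLUE = """\
ns2.google.com. 82140 IN A 216.239.34.10
ns3.google.com. 82141 IN A 216.239.36.10
ns4.google.com. 82141 IN A 216.239.38.10
ns1.google.com. 82142 IN A 216.239.32.10
"""
# Netblocks named in the post, and the prefixes from the route-views output.
YOUTUBE_BLOCKS = ["64.15.112.0/20", "208.117.224.0/19", "208.65.152.0/22"]
GOOGLE_ROUTES = ["216.239.32.0/19", "216.239.33.0", "216.239.34.0", "216.239.38.0",
                 "216.239.44.0/23", "216.239.50.0/23", "216.239.58.0/23", "216.239.60.0/23"]

def parse_glue(text):
    """Return {hostname: IPv4Address} from dig-style 'name ttl IN A addr' lines."""
    fields = (line.split() for line in text.splitlines())
    return {f[0]: ipaddress.ip_address(f[4]) for f in fields if len(f) == 5 and f[3] == "A"}

def to_network(prefix):
    """Assumption: a prefix shown without a mask has the classful default length."""
    if "/" not in prefix:
        first = int(prefix.split(".")[0])
        prefix += "/8" if first < 128 else "/16" if first < 192 else "/24"
    return ipaddress.ip_network(prefix)

def covering_prefixes(glue_text, prefixes):
    """Group name servers by the longest listed prefix that contains their address."""
    nets = [to_network(p) for p in prefixes]
    groups = defaultdict(list)
    for host, addr in parse_glue(glue_text).items():
        hits = [n for n in nets if addr in n]
        best = max(hits, key=lambda n: n.prefixlen) if hits else None
        groups[str(best)].append(host)
    return dict(groups)

if __name__ == "__main__":
    for label, glue, pfx in [("youtube.com", YOUTUBE_GLUE, YOUTUBE_BLOCKS),
                             ("google.com aggregate", GOOGLE_GLUE, GOOGLE_ROUTES[:1]),
                             ("google.com announced", GOOGLE_GLUE, GOOGLE_ROUTES)]:
        print(label, covering_prefixes(glue, pfx))
```

Run against your own zone's glue and announced prefixes, a result with a single key means every authoritative server shares one covering route.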
