DNS fear mongering and Windows Vista


Summary: Will Windows Vista actually cause a DNS traffic spike or is this just fear mongering? The reality is that any operating system running in a mixed IPv4 and IPv6 environment will have to double the number of requests to the DNS server, but the number of people using IPv6 on their local area network is almost nonexistent.


Joris Evers has this alarming piece today, "Will Vista stall net traffic?" Just to clarify, the story was talking about the potential of Windows Vista to double DNS traffic and possibly overload existing DNS servers. Paul Mockapetris raised an alarm on a possible DNS meltdown last month but is now sounding off again, pointing to Windows Vista as the culprit. Mockapetris is credited with the invention of DNS and currently works for Nominum, which is in the business of selling high-performance DNS appliances. Evers cited Mockapetris along with other experts and Microsoft, who disagreed with Mockapetris' doomsday assessment, but is there really anything to worry about?

I had the honor of meeting Paul Mockapetris in May of last year at Interop 2005 and he enlightened me on some DNS issues. This was soon after the series of DNS outages at Comcast last year, so the possibility of DNS overloading for large Internet Service Providers is real, but this latest alarm on Windows Vista is not. Windows Vista will potentially double the number of DNS requests because it will query for an IPv4 address and an IPv6 address, but this is extremely unlikely because it only applies to Vista computers running in an IPv6 environment, and the same applies to any other operating system.

The reality is that hardly anyone outside of a few special research environments uses IPv6 for their LAN infrastructure, and you probably won't find a single Fortune 500 company using IPv6 in their corporate LAN environment. IPv6 isn't even on the radar as far as IT planning is concerned because no one has ever made a compelling business case for the costly conversion. The likelihood that there will be a massive number of DNS requests coming from IPv6-enabled Vista machines or any other IPv6-enabled operating system like Linux or OS X is simply out of the question. There will be no Vista-induced DNS meltdown. If IPv6 ever does become a reality, network architects will simply need to beef up their DNS infrastructure to accommodate both IPv4 and IPv6 requests.
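Whether a given client really sends an AAAA question alongside every A question can be measured from a packet capture. The following Python code is an added example, not part of the original post: it parses raw DNS message payloads (for instance UDP port 53 payloads exported from a capture) and reports the A and AAAA query counts and the resulting load factor. The function names and the sample packets are constructed for illustration.

```python
import struct
from collections import defaultdict

QTYPE_A, QTYPE_AAAA = 1, 28  # record types from RFC 1035 and RFC 3596


def build_query(txid, name, qtype, response=False):
    """Build a minimal DNS message with one question (constructed test input)."""
    flags = 0x8180 if response else 0x0100  # QR bit marks a response
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN


def parse_question(msg):
    """Return (name, qtype) for a well-formed query, else None."""
    if len(msg) < 12:
        return None
    _txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if flags & 0x8000 or qdcount < 1:  # skip responses and empty messages
        return None
    labels, pos = [], 12
    while True:
        if pos >= len(msg):
            return None  # ran off the end before the root label
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        if length > 63 or pos + length > len(msg):
            return None  # over-long label, pointer, or truncated name
        labels.append(msg[pos:pos + length].decode("ascii", "replace").lower())
        pos += length
    if pos + 4 > len(msg):
        return None
    qtype, _qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return ".".join(labels), qtype


def tally(packets):
    """Count A and AAAA queries and list names looked up both ways."""
    seen = defaultdict(set)
    counts = {QTYPE_A: 0, QTYPE_AAAA: 0}
    for pkt in packets:
        q = parse_question(pkt)
        if q and q[1] in counts:
            counts[q[1]] += 1
            seen[q[0]].add(q[1])
    a, aaaa = counts[QTYPE_A], counts[QTYPE_AAAA]
    dual = sorted(n for n, t in seen.items() if t == {QTYPE_A, QTYPE_AAAA})
    return {"a": a, "aaaa": aaaa, "dual": dual,
            "load_factor": (a + aaaa) / a if a else None}


# Constructed sample: one dual lookup, one A-only lookup, one response, one runt.
SAMPLE = [
    build_query(1, "www.example.com", QTYPE_A),
    build_query(2, "www.example.com", QTYPE_AAAA),
    build_query(3, "mail.example.com", QTYPE_A),
    build_query(1, "www.example.com", QTYPE_A, response=True),
    b"\x00\x01",
]
```

A load factor of 2.0 means every A query was matched by an AAAA query; 1.0 means the client sent no AAAA queries at all.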

  • OpenDNS

    I agree George.

    This is what I like to call 'borrowing trouble'.
    As web infrastructure continues to expand, so too will DNS.

    I personally have found changing my DNS setting to point to OpenDNS (http://www.opendns.com) has made a big difference in overall web page retrieval times.

    Faster, safer DNS caching technology.

    Technology is good. :)
    D T Schmitz
  • The information is incorrect

    The information in this article is incorrect.

    The DNS queries do always IPv4 and IPv6, so even if your network is not IPv6 enabled, you will get both, the IPv4 (A) and IPv6 (AAAA) info.

    On the other way around, Vista is the LAST operating system to come with IPv6 enabled by default, many others, including Mac OS X and many Unix-like flavours (Linux, BSDs, etc.), already have IPv6 enabled by default for years.

    So clearly the article is based in a lack of information and misinforming people.
    • Vista does not do IPv6 queries when in a IPv4 network

      The information is according to the vendor Microsoft, so unless you're thinking they're lying then the information is right. As for years of IPv6 support, WinXP has had it for years too. I'd suggest you check your own information first.
      • Would you two get a room?

        How about we settle this with proof?

        How you say? Surely one of you has a copy of Vista, run ethereal scan on it and check for DNS requests.

        I don't have my copy of Vista handy otherwise I would tell you both to go to hell and post the results myself.
      • Ironic

        When Apple says they haven't been contacted about a security flaw you say it's Apple that's lying. When someone claims something about Windows you say they're lying if they happen to contradict Microsoft.

        BTW, could you clarify your definition of a "few days"?
        Robert Crocker
        • Apple didn't say that

          I've talked to Apple and they REFUSE to say they haven't been contacted or informed of vulnerabilities. They'll only say they haven't seen evidence that proves to their satisfaction there is a vulnerability.

          BTW, the Mac bloggers are reporting that Apple insiders are leaking that may be releasing a wireless patch soon. It seems they're complaining over the fact that SecureWorks wouldn't share the source code for the exploit with them. Just the crash dumps and disassembled driver wasn't enough for them and they didn't feel like doing the work themselves.
          • Did you ask nicely?

            After your "transcript" of a conversation you had with one of the banks over their login security I'd be surprised if anyone would give you the time of day.

            What was the EXACT question you asked them, who did you speak with, and what was their EXACT response?

            Compare that to this statement from Apple before:
            "Despite SecureWorks being quoted saying the Mac is threatened by the exploit demonstrated at Black Hat, they have provided no evidence that in fact it is," Apple Director of Mac PR, Lynn Fox, told Macworld. "To the contrary, the SecureWorks demonstration used a third party USB 802.11 device - not the 802.11 hardware in the Mac - a device which uses a different chip and different software drivers than those on the Mac. Further, SecureWorks has not shared or demonstrated any code in relation to the Black Hat-demonstrated exploit that is relevant to the hardware and software that we ship."

            Note the "not shared or demonstrated" portion of that quote so you can't say that they're complaining over a lack of source code.
            Robert Crocker
          • I'm not going down on my knees to beg for it that's for sure

            I spoke with Lynn Fox on the phone and most of what she told me she won't say on the record. But I emailed this series of questions to her and she dodged it.

            "No way no how at no time did Maynor or SecureWorks ever inform Apple in any manner that a possible hack existed for a stock Apple laptop wireless configuration and Apple does not believe such a hack is currently known."

            Answer (didn't answer actual question):
            "SecureWorks has provided Apple with no code or evidence that would show that a MacBook can be exploited with the wireless hardware and software that is shipped with the system."

            "I don't believe that answers my question. Let me state this another way. Did SecureWorks or David Maynor ever attempt to indicate to Apple that an exploitable flaw exists in the stock Apple MacBook wireless laptop regardless of whether Apple believes this qualifies as "evidence" or not?"

            It's been a week since I asked this in email and I left voice mails. Fox refuses to answer.

            Here's a blog dedicated to bashing me primarily.
            "But Apple took a shot across the bow of SecureWorks' professionalism. They botched their delivery and then - according to the Macalope's Apple sources - provided only vague information to Apple about how the exploit can be executed."

            So it appears he just proved himself wrong all along and my camp has been telling the truth all along. If Apple is now leaking to Mac bloggers that a wireless patch will come out and they're changing the story that Maynor and Ellch are "frauds" to "unprofessional" for refusing to share exploit source code. It sounds like Apple was too lazy or incompetent to do their own work after they were given the crash dumps and disassembled drivers and it's sour grapes.
          • Now YOU'RE splitting hairs


            Either StorageWorks has provided Apple with sufficient information for them to believe that there is a flaw or they haven't.

            Saying "there might be a problem with your card" just doesn't cut it. ESPECIALLY after the hub-bub from the "Hack a Mac in 30 seconds" article.

            I'll again note that Lynn Fox's answer was rather specific in "no code or evidence" with the or evidence being the important part. StorageWorks could simply arrange a demonstration or some various packet dumps and execution dumps to provide at least evidence without releasing any actual code for the exploit. (Though why they would be coy about releasing code is beyond me.)

            Why not simply ask her if they were provided crash dumps instead of your deliberately vague "ever inform Apple in any manner that a possible hack existed"?

            I'm glad that you feel confident enough in your position to malign an entire company's engineers. You certainly know how to make friends.
            Robert Crocker
          • Get your facts right

            It's not "30 seconds", it was "60". It's not StorageWorks, it's SecureWorks.

            It's interesting that you call this "splitting hairs" when my question is about as clear as it gets and Apple refuses to answer it. It's also interesting that you're refusing to acknowledge the information that Macalope (a site dedicated to bashing me) is providing. It's also funny that Macalope just proved itself wrong based on their own internal Apple sources.
          • Who is splitting the hairs here?

            The point is this; if, and only if, Apple eventually releases some kind of patch for the SecureWorks exploit and we then know that the exploit did indeed exist then the hair splitting will be entirely on behalf of Apple, nobody else.

            And interestingly enough that still will not make Apple an actual liar. And they obviously are quite aware of that and if it turns out they have been made "aware" of the exploit it would explain perfectly why they referred only to having no such exploit demonstrated to them as opposed to saying they have never been informed in any official manner that the exploit is possible. Sticking to the factual statement that they have had nothing demonstrated to them when they have not been shown actual "proof" of how the exploit is accomplished, or even that it can be accomplished at all is a much safer and preferable statement from a PR point of view.

            It's always so interesting that people keep saying that Apple is being branded as a liar when in fact I have not seen anyone show or explain how Apple would be caught in an actual lie in this matter. While some people may be opposed to George's assertions that he has reason to believe the exploit exists, he certainly has not claimed that Apple is a liar, in fact George has gone to some length to show just how the kind of lie most people are claiming Apple might be accused of in this case isn't possible given what Apple and Maynor have both said so far.

            The bottom line here is if you do not like the fact that Apple's statements may be observed as splitting hairs if they have actually been "informed" of the exploit as Maynor claimed then that is an issue you should take up with Apple. The whole splitting hairs question can in no way be fairly thrown into the faces of people who are simply asking the question "Did Maynor or SecureWorks contact Apple about the exploit as Maynor appears to have claimed they did in the Krebs interview?"

            Apple could have simply said "SecureWorks representatives have informed us that they believe they have the ability to perform this exploit on a stock wireless Macbook, but to this point they have refused all invitations to demonstrate such an exploit to Apple or to share with us any evidence of any kind as to how such an exploit can be performed..." Now one would expect the only reason for Fox not making this statement would be because the first part is not true; because at no time did SecureWorks or Maynor ever contact Apple about the exploit. But see, we have a problem because when Apple is asked directly if that is the case they simply refuse to answer, and that is of course problematic because if it was true that Maynor never contacted them it would be highly beneficial to make that statement as it would go a very long way to discrediting Maynor who claims such contact was made.

            Further, given the uproar over the whole issue, if Maynor had lied, or if Krebs screwed up his report somehow it would be of massive benefit to SecureWorks to have made some statement by now that there is some error in Krebs interview report, that in fact any contact SecureWorks or Maynor have had with Apple has never been in relation to any stock Apple wireless system. Yet SecureWorks has made no such move either, which would be extremely foolish and damaging to them in the end not to make such a statement by now if misleading statements were made by Krebs or errors in Krebs report exists.

            But either way, it's Apple making the hair splitting statements and refusing to clarify them if they can, nobody else.
          • You talking about facts? Hilarious.

            George, you should be the last one to be talking about "facts,"
            considering your stating as fact that Atheros had no part in the
            wireless drivers. That one really panned out, eh?

            You certainly are full of yourself, the Macalope is hardly dedicated
            to bashing you. It's just that you spew so much bull that you're an
            easy target.
          • George and Cayble


            No your question is NOT clear. It's about as deliberately open-ended as you could make it.

            If you have information that SecureWorks provided something specific to Apple then ask them about that specific item. This "in any manner" formulation means that if Apple missed an email that was sent to the wrong department then they'd be a liar. What is the normal procedure for notifying a company of a software flaw? Did SecureWorks follow that procedure?


            Actually SecureWorks very quickly issued a release pointing out that in fact the Apple drivers and software were not used.
            "This video presentation at Black Hat demonstrates vulnerabilities found in wireless device drivers. Although an Apple MacBook was used as the demo platform, it was exploited through a third-party wireless device driver - not the original wireless device driver that ships with the MacBook. As part of a responsible disclosure policy, we are not disclosing the name of the third-party wireless device driver until a patch is available."

            Robert Crocker
          • Cayble, we'll never know according to you

            "The point is this; if, and only if, Apple eventually releases some
            kind of patch for the SecureWorks exploit and we then know that
            the exploit did indeed exist then the hair splitting will be entirely
            on behalf of Apple, nobody else."

            The problem is it looks unlikely that we'll ever know what "the
            SecureWorks exploit" is, if it ever really existed in the first place.

            For example, take a look at Maynor and Ellch's abstract for
            Toorcon which is coming up at the end of this month:

            "Recently we gave a public demonstration of an exploit in a
            wireless device driver. We thought it was timely, important, but
            most importantly it was super cool. Since the first details of our
            demo were reported two camps instantly formed, people who
            thought the work and research was good and people thought we
            faked everything and we are horrible people. How could
            opinions differ go greatly? What is the story behind exactly what
            happened and more importantly what does this response mean
            for the security industry as a whole? This presentation won't be a
            typical as it will cover the complete story, but it will also offer
            analysis and commentary of public responses while at the same
            time giving anyone who has a question a chance to have it
            answered. "

            From the looks of that, Maynor and Ellch will be trying to shift
            the spotlight from the supposed exploit to the reaction to the
            supposed exploit. Personally, I think that will blow up in their
            faces, but we'll see how it goes.

            Ellch himself has taken the damage control approach of saying,
            "well at least I can find exploits" by saying that he discovered the
            intel centrino exploit that was recently patched. Not even close
            to good enough in my book.

            And then there's the shoddy reporting by Krebs and Ou. Take a
            look at Ou's post on Atheros' involvement in writing the drivers
            - I've never seen anything so full of holes. Clearly he let his
            emotions get in the way of responsibly reporting the issue.
          • in a couple days

            I think I got it now...Mac blogs will start reporting that a wireless
            patch is coming out....

            in a couple days.....
          • what blogs?

            George, I'd like to see a link to which "Mac bloggers" are reporting
            that "Apple insiders are leaking that may be releasing a wireless
            patch soon"
          • More bogus accusations...

            "BTW, the Mac bloggers are reporting that Apple insiders are
            leaking that may be releasing a wireless patch soon. It seems
            they're complaining over the fact that SecureWorks wouldn't share
            the source code for the exploit with them. Just the crash dumps
            and disassembled driver wasn't enough for them and they didn't
            feel like doing the work themselves."

            What the hell? Who's saying this George? Where do you get this
          • Quite seriously, this is such drivel

            There's no satisfaction in conversing with someone who consistently makes such idiotic comments. It's really not worth it.

            There's no concrete content in this reply because there was no intelligent content in George's. It's just my opinion, feel free to delete it, I just feel better having typed it. George you may resume trolling.

    • FALSE

      You clearly have no clue what you are talking about. Vista will not create IP6 traffic if it is given an IP4 address.

      Please check your facts.