Name resolution in the .MIL domain
Several of our researchers have pointed out that sites in the .MIL TLD are unreachable. Did an nslookup and got an interesting result

    server ns.mit.edu
    Default Server: NOC-CUBE.mit.edu
    Address: 18.18.2.25
    Aliases: ns.mit.edu

    www.army.mil
    Server: NOC-CUBE.mit.edu
    Address: 18.18.2.25
    Aliases: ns.mit.edu

    *** NOC-CUBE.mit.edu can't find www.army.mil: No response from server

    www.navy.mil
    Server: NOC-CUBE.mit.edu
    Address: 18.18.2.25
    Aliases: ns.mit.edu

    *** NOC-CUBE.mit.edu can't find www.navy.mil: No response from server

I know it's MIT's nameserver just wanted to be sure the problem was not on our end. Send Harvard/MIT jokes to me offlist

Back to the subject at hand is anyone else seeing the same issue with the .MIL domain

Thanks in advance - Scott
Re: Name resolution in the .MIL domain
On Fri, 19 Nov 2004 15:58:03 -0500 (EST), Scott McGrath [EMAIL PROTECTED] wrote:
> Several of our researchers have pointed out that sites in the .MIL TLD are unreachable. Did an nslookup and got an interesting result
> SNIP
> Back to the subject at hand is anyone else seeing the same issue with the .MIL domain

Looks ok here :

    [EMAIL PROTECTED] ~]$ host www.army.mil
    www.army.mil has address 140.183.234.10
    [EMAIL PROTECTED] ~]$ host www.navy.mil
    www.navy.mil is an alias for WWW.NAVY.M7Z.NET.
    WWW.NAVY.M7Z.NET has address 64.156.240.36
    WWW.NAVY.M7Z.NET has address 64.156.240.43

> Thanks in advance - Scott

--
Jason 'XenoPhage' Frisvold
[EMAIL PROTECTED]
.mil domain
Our whole netblock 202.154.64.0/18 seems to be barred from anything .mil. Domain name resolution, MX, IP traceroute, the lot. Anyone able to shed any light on this? Any advice/feedback appreciated. Regards, Steve
Re: .mil domain
On Fri, 30 May 2003, Steve Waddington wrote:
> Our whole netblock 202.154.64.0/18 seems to be barred from anything .mil. Domain name resolution, MX, IP traceroute, the lot. Anyone able to shed any light on this?

note, I don't work for the DoD (.mil owners) BUT, this isn't the first time someone has mentioned this kind of problem... normally the 'reason' is: Hackers came from there or we don't want to allow these folks access to our network for 'other' reasons

In reality it's their little piece of the pie, if they don't want you to eat it they can keep you outta the fridge :(

> Any advice/feedback appreciated. Regards, Steve
Re: .mil domain
Thus spake Steve Waddington [EMAIL PROTECTED]
> Our whole netblock 202.154.64.0/18 seems to be barred from anything .mil. Domain name resolution, MX, IP traceroute, the lot. Anyone able to shed any light on this?

US DoD has a longstanding policy of blocking all addresses which appear to be of non-US origin. Your block comes from APNIC, so that's probably what's happening to you.

S

Stephen Sprunk   God does not play dice. --Albert Einstein
CCIE #3723       God is an inveterate gambler, and He throws the
K5SSS            dice at every possible opportunity. --Stephen Hawking
Re: .mil domain
--On Friday, May 30, 2003 21:15 +0800 Steve Waddington [EMAIL PROTECTED] wrote:
> Our whole netblock 202.154.64.0/18 seems to be barred from anything .mil. Domain name resolution, MX, IP traceroute, the lot. Anyone able to shed any light on this?

In recent times, a lot of .mil have thrown up a whole bunch of null routes to large sections of international address space. Good luck getting them removed
Re: .mil domain
> In recent times, a lot of .mil have thrown up a whole bunch of null routes to large sections of international address space. Good luck getting them removed

as this means they have a different definition of the internet than the one to which i, and i suspect others, are used, why should i and others accept their routes?

randy
Re: .mil domain
--On Friday, May 30, 2003 11:00 -0700 Randy Bush [EMAIL PROTECTED] wrote:
>> In recent times, a lot of .mil have thrown up a whole bunch of null routes to large sections of international address space. Good luck getting them removed
> as this means they have a different definition of the internet than the one to which i, and i suspect others, are used, why should i and others accept their routes?

I don't know. Why should you?
Re: .mil domain
On Fri, 30 May 2003, John Payne wrote:
> --On Friday, May 30, 2003 21:15 +0800 Steve Waddington [EMAIL PROTECTED] wrote:
>> Our whole netblock 202.154.64.0/18 seems to be barred from anything .mil. Domain name resolution, MX, IP traceroute, the lot. Anyone able to shed any light on this?
> In recent times, a lot of .mil have thrown up a whole bunch of null routes to large sections of international address space. Good luck getting them removed

Maybe the rest of the net should return the favor and drop .mil routes until they decide to get working abuse@ and postmaster@ addresses. They seem to think it's fine that .mil boxes can spam and attack civilian networks and apparently aren't interested in hearing the complaints.

-Dan
--
[-] Omae no subete no kichi wa ore no mono da. [-]
Re: .mil domain
On Fri, 30 May 2003, Dan Hollis wrote:
> On Fri, 30 May 2003, John Payne wrote:
>> --On Friday, May 30, 2003 21:15 +0800 Steve Waddington [EMAIL PROTECTED] wrote:
>>> Our whole netblock 202.154.64.0/18 seems to be barred from anything .mil. Domain name resolution, MX, IP traceroute, the lot. Anyone able to shed any light on this?
>> In recent times, a lot of .mil have thrown up a whole bunch of null routes to large sections of international address space. Good luck getting them removed
> Maybe the rest of the net should return the favor and drop .mil routes until they decide to get working abuse@ and postmaster@ addresses. They seem to think it's fine that .mil boxes can spam and attack civilian networks and apparently aren't interested in hearing the complaints.

I can't and won't speak for others, but when i was handling abuse issues I never once had a problem making contact with responsible people at .mil sites to get issues addressed. 9 times out of 10 it took all of one phone call or one email.

Tony Rowley       | To confine our attention to terrestrial
Lansdowne PA USA  | matters would be to limit the human spirit.
[EMAIL PROTECTED] | -- Professor Stephen Hawking
Moving G and H off .MIL hosts (was Re: .mil domain)
On Fri, 30 May 2003, Randy Bush wrote:
>> In recent times, a lot of .mil have thrown up a whole bunch of null routes to large sections of international address space. Good luck getting them removed
> as this means they have a different definition of the internet than the one to which i, and i suspect others, are used, why should i and others accept their routes?

If the .MIL network can't provide International Internet service, is it time to move the g.root-servers.net and h.root-servers.net off their current .MIL hosts to better locations to serve the entire Internet. Otherwise .MIL policies reduce the robustness of the overall Internet.

Heck, even when Paul Vixie did his original black-hole lists, he made certain that even the worst spammers could still use f.root-servers.net.
Re: .mil domain
On Fri, 30 May 2003, Randy Bush wrote:

In another context, someone claimed that zone managers should be able to create zone-specific semantics, for something unique to that context. Eventually, the received wisdom available to that particular context was that zone-specific semantics would violate the law of minimum astonishment, and discussion of zone-specific semantics was barred by the process available to that context.

Not accepting their difference is different from asserting that they may not differ.
Re: .mil domain
On Fri, 30 May 2003, Dan Hollis wrote:
> On Fri, 30 May 2003, Tony Rowley wrote:
>> I can't and won't speak for others, but when i was handling abuse issues I never once had a problem making contact with responsible people at .mil sites to get issues addressed. 9 times out of 10 it took all of one phone call or one email.
> What email address? Last time we were smurfed by the army it took 3 months of phone calls to get them to stop it.

From the info supplied in a lookup I'd do a little detective work and find a working website related to the domain in question and go from there. It's cheesy but it worked.

Tony Rowley       | To confine our attention to terrestrial
Lansdowne PA USA  | matters would be to limit the human spirit.
[EMAIL PROTECTED] | -- Professor Stephen Hawking
Re: .mil domain
Thus spake Randy Bush [EMAIL PROTECTED]
>> In recent times, a lot of .mil have thrown up a whole bunch of null routes to large sections of international address space. Good luck getting them removed
> as this means they have a different definition of the internet than the one to which i, and i suspect others, are used, why should i and others accept their routes?

For the same reason anyone else accepts their routes -- because they want to be able to reach them. If they don't want to reach _you_, that's their choice.

Nothing prohibits any part on the internet from blocking other parties they believe to be dangerous, whether it be due to warfare, spam, or other considerations.

S

Stephen Sprunk   God does not play dice. --Albert Einstein
CCIE #3723       God is an inveterate gambler, and He throws the
K5SSS            dice at every possible opportunity. --Stephen Hawking
Re: .mil domain
On Fri, 30 May 2003, Tony Rowley wrote:
> On Fri, 30 May 2003, Dan Hollis wrote:
>> On Fri, 30 May 2003, Tony Rowley wrote:
>>> I can't and won't speak for others, but when i was handling abuse issues I never once had a problem making contact with responsible people at .mil sites to get issues addressed. 9 times out of 10 it took all of one phone call or one email.
>> What email address? Last time we were smurfed by the army it took 3 months of phone calls to get them to stop it.
> From the info supplied in a lookup I'd do a little detective work and find a working website related to the domain in question and go from there. It's cheesy but it worked.

I guess you were lucky then, the addresses we were smurfed from had no related website, and the phone # on the whois was outdated. When I finally did manage to get a hold of a network engineer they didn't seem particularly interested in hearing about the problem. Hence it took 3 months of constant calling to get their smurf amps shut down.

And they *still* don't have a working abuse@ or postmaster@ which imho is simply irresponsible for such an organization. Someone should get sacked.

-Dan
--
[-] Omae no subete no kichi wa ore no mono da. [-]
Re: .mil domain
Precedent, Randy, Precedent !

UUnet and few others a long time ago had a differing definition of peering that most of us thought, at the time... But were so BIG, we accepted their routes, anyway. * shrug *

A secret black list is a real bugger if:
No one is allowed to mention it exists.
If you get on it, there is no way off, no right of redress.
No one can -tell- you you are on it.
No one can tell you if you -aren't-.
And if you -somehow- figure out you're on it, they can't admit it, or the -reason- you are on it, or take you off even if they wanted.
Any and all of the above.

On a lighter note, the US Senate recently unsealed the American McCarthy Hearing records. :O:* :}

Randy Bush wrote:
>> In recent times, a lot of .mil have thrown up a whole bunch of null routes to large sections of international address space. Good luck getting them removed
> as this means they have a different definition of the internet than the one to which i, and i suspect others, are used, why should i and others accept their routes?
> randy
Re: .mil domain
At 01:15 PM 30/05/2003 -0500, Stephen Sprunk wrote:
> For the same reason anyone else accepts their routes -- because they want to be able to reach them. If they don't want to reach _you_, that's their choice.

As Sean Donelan pointed out, the fact that 2 of the root name servers are inside their network, there is more to the issue than you suggest

I for example want people in Australia to be able to reliably lookup DNS info on my domains. The .mil people have decided to hamper this process.

---Mike
Re: .mil domain
On Fri, 30 May 2003, Mike Tancsa wrote:
> At 01:15 PM 30/05/2003 -0500, Stephen Sprunk wrote:
>> For the same reason anyone else accepts their routes -- because they want to be able to reach them. If they don't want to reach _you_, that's their choice.
> As Sean Donelan pointed out, the fact that 2 of the root name servers are inside their network, there is more to the issue than you suggest
> I for example want people in Australia to be able to reliably lookup DNS info on my domains. The .mil people have decided to hamper this process.

I agree. The root servers should have no filtering in place to block any demographics (unless of course a given node is DoSing them). The last time I tried to contact a .mil to report an open relay that was being abused, I was accused of being a spammer that had hacked their server. Since that time I reject .mil mail.

Justin
Re: Moving G and H off .MIL hosts (was Re: .mil domain)
> If the .MIL network can't provide International Internet service, is it time to move the g.root-servers.net and h.root-servers.net off their current .MIL hosts to better locations to serve the entire Internet. Otherwise .MIL policies reduce the robustness of the overall Internet.
> Heck, even when Paul Vixie did his original black-hole lists, he made certain that even the worst spammers could still use f.root-servers.net.

Whatever filtering some .MIL sites may or may not be doing, I don't believe that g or h.root-servers.net are affected. I've tried tracing to them from systems in .uk, .tw, .ru, .kr, and .hk and I get the same results from them as I do from my ARIN allocated US IP blocks. (trace to G with no problem, H has ICMP blocked at gw328-hroot.arl.army.mil, but UDP port 53 seems to get through fine)

To be honest, I'd be rather surprised if .MIL as a whole did ANYTHING jointly. The number of independent networks, AS's, borders and administrators would make it really difficult for any blanket policy to take effect everywhere.

-- Kevin
RE: .mil domain
Suggestion: migrate the current MIL root servers to the DREN network. Thus they would be easily accessible from DoD's networks, while residing in front of any MIL filters or blackhole routers relative to the rest of the Internet.

> On Fri, 30 May 2003, Mike Tancsa wrote:
>> At 01:15 PM 30/05/2003 -0500, Stephen Sprunk wrote:
>>> For the same reason anyone else accepts their routes -- because they want to be able to reach them. If they don't want to reach _you_, that's their choice.
>> As Sean Donelan pointed out, the fact that 2 of the root name servers are inside their network, there is more to the issue than you suggest
>> I for example want people in Australia to be able to reliably lookup DNS info on my domains. The .mil people have decided to hamper this process.
> I agree. The root servers should have no filtering in place to block any demographics (unless of course a given node is DoSing them). The last time I tried to contact a .mil to report an open relay that was being abused, I was accused of being a spammer that had hacked their server. Since that time I reject .mil mail.
> Justin
Re: .mil domain
One already is. The H server resides at the Army Research Lab, which is connected to DREN (AS668).

FWIW there is not a single homogeneous .mil network. There are several DoD networks that provide service to customer organizations, and some of the major public DoD sites are also directly connected to commercial ISP's. Also different services and sites may have different policies as to who they allow access from. So without knowing the destination address, it's hard to be able to tell someone who thinks they are being blocked who to contact.

If you can't reach a site directly, try their upstream providers and see if they can help provide a POC. Try looking at the aspath for the destination, and if any of the following show up, try these POC's:

    AS668  (DREN)      866-NOC-DREN or [EMAIL PROTECTED]
    AS7170 (ATT-DISC)  888-DISC-USA or [EMAIL PROTECTED]
    AS568  (DISN)      DISA GNOSC at 703-607-4001 or the Columbus RNOSC at 800-554-3476

For security related issues, try contacting the DoD CERT (www.cert.mil, 800-357-4231). All of the services have their own CERT as well, however they all coordinate with this organization.

-Mark Ganzer
Space Naval Warfare Systems Center, San Diego
[EMAIL PROTECTED]
(note: this is posted from my personal email account, not my work account).

Mark Borchers wrote:
> Suggestion: migrate the current MIL root servers to the DREN network. Thus they would be easily accessible from DoD's networks, while residing in front of any MIL filters or blackhole routers relative to the rest of the Internet.
>> On Fri, 30 May 2003, Mike Tancsa wrote:
>>> At 01:15 PM 30/05/2003 -0500, Stephen Sprunk wrote:
>>>> For the same reason anyone else accepts their routes -- because they want to be able to reach them. If they don't want to reach _you_, that's their choice.
>>> As Sean Donelan pointed out, the fact that 2 of the root name servers are inside their network, there is more to the issue than you suggest
>>> I for example want people in Australia to be able to reliably lookup DNS info on my domains. The .mil people have decided to hamper this process.
>> I agree. The root servers should have no filtering in place to block any demographics (unless of course a given node is DoSing them). The last time I tried to contact a .mil to report an open relay that was being abused, I was accused of being a spammer that had hacked their server. Since that time I reject .mil mail.
>> Justin
Re: .mil domain
Cough, bad idea, cough.

From past experience I don't think that you'll find the DREN to be substantially more reliable as far as reachability and blocking policies go than most of the rest of .mil. It USED to be more open, but there were some policy changes, some peering arrangements, and voila they are under the same guidelines.

> Suggestion: migrate the current MIL root servers to the DREN network. Thus they would be easily accessible from DoD's networks, while residing in front of any MIL filters or blackhole routers relative to the rest of the Internet.
>> On Fri, 30 May 2003, Mike Tancsa wrote:
>>> At 01:15 PM 30/05/2003 -0500, Stephen Sprunk wrote:
>>>> For the same reason anyone else accepts their routes -- because they want to be able to reach them. If they don't want to reach _you_, that's their choice.
>>> As Sean Donelan pointed out, the fact that 2 of the root name servers are inside their network, there is more to the issue than you suggest
>>> I for example want people in Australia to be able to reliably lookup DNS info on my domains. The .mil people have decided to hamper this process.
>> I agree. The root servers should have no filtering in place to block any demographics (unless of course a given node is DoSing them). The last time I tried to contact a .mil to report an open relay that was being abused, I was accused of being a spammer that had hacked their server. Since that time I reject .mil mail.
>> Justin

--
Ryan Mooney [EMAIL PROTECTED]
RE: .mil domain
Counter: leave everything as it is. If they are willing to provide the hardware, bandwidth, and administrative costs to run root servers, they can block whoever they want. Just like if you run a web server you can block anyone from accessing it that you want. If you don't like it, start up your own root zone, there isn't anything stopping you.

Not that it matters much in the big scheme of things; most modern resolvers will give preference to root servers they can actually reach.

I for one am pretty happy with where E, G, and H are. Cogent and VeriSign's networks can hardly handle power cycles, let alone nuclear wars.

---
Michael Damm, MIS Department, Irwin Research Development
V: 509.457.5080 x298 F: 509.577.0301 E: [EMAIL PROTECTED]

-Original Message-
From: Mark Borchers [mailto:[EMAIL PROTECTED]
Sent: Friday, May 30, 2003 12:09 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]; Mike Tancsa
Subject: RE: .mil domain

Suggestion: migrate the current MIL root servers to the DREN network. Thus they would be easily accessible from DoD's networks, while residing in front of any MIL filters or blackhole routers relative to the rest of the Internet.

> On Fri, 30 May 2003, Mike Tancsa wrote:
>> At 01:15 PM 30/05/2003 -0500, Stephen Sprunk wrote:
>>> For the same reason anyone else accepts their routes -- because they want to be able to reach them. If they don't want to reach _you_, that's their choice.
>> As Sean Donelan pointed out, the fact that 2 of the root name servers are inside their network, there is more to the issue than you suggest
>> I for example want people in Australia to be able to reliably lookup DNS info on my domains. The .mil people have decided to hamper this process.
> I agree. The root servers should have no filtering in place to block any demographics (unless of course a given node is DoSing them). The last time I tried to contact a .mil to report an open relay that was being abused, I was accused of being a spammer that had hacked their server. Since that time I reject .mil mail.
> Justin
Re: .mil domain
On Fri, May 30, 2003 at 01:28:01PM -0700, Mike Damm wrote:
> Counter: leave everything as it is. If they are willing to provide the hardware, bandwidth, and administrative costs to run root servers, they can block whoever they want. Just like if you run a web server you can block anyone from accessing it that you want. If you don't like it, start up your own root zone, there isn't anything stopping you.
> Not that it matters much in the big scheme of things; most modern resolvers will give preference to root servers they can actually reach.
> I for one am pretty happy with where E, G, and H are. Cogent and VeriSign's networks can hardly handle power cycles, let alone nuclear wars.

You're either smoking the finest quality crack I've ever seen, or using the common sense of a flea on dope.

RFC2870, Root Name Server Operational Requirements, quite clearly states:

    2.6 Root servers MUST answer queries from any internet host, i.e. may not block root name resolution from any valid IP address, except in the case of queries causing operational problems, in which case the blocking SHOULD last only as long as the problem, and be as specific as reasonably possible.

I highly doubt that the maintainers of the two .mil hosted servers are actually blocking queries from them. In fact, this is very much like saying Mr Vixie and the ISC cannot block people accessing the remainder of their network, just because they host a root name server.

Yes, I think I go with the smoking crack option.
Re: .mil domain
Speaking on Deep Background, the Press Secretary whispered:
> I guess you were lucky then, the addresses we were smurfed from had no related website, and the phone # on the whois was outdated. When I finally did manage to get a hold of a network engineer they didn't seem particularly interested in hearing about the problem. Hence it took 3 months of constant calling to get their smurf amps shut down.
> And they *still* don't have a working abuse@ or postmaster@ which imho is simply irresponsible for such an organization. Someone should get sacked.

Your escalation route goes to the OSD-CIO (Office of Secretary Defense) in the 5-sided building. That was Art Money's office but I don't know if he's still there.

I'd cc: the Inspector General for whichever branch as well...and the FTC.

--
A host is a host from coast to            [EMAIL PROTECTED]
no one will talk to a host that's close   [v].(301) 56-LINUX
Unless the host (that isn't close).       pob 1433
is busy, hung or dead                     20915-1433
Re: .mil domain
David Lesher wrote:
> Your escalation route goes to the OSD-CIO (Office of Secretary Defense) in the 5-sided building. That was Art Money's office but I don't know if he's still there.
> I'd cc: the Inspector General for whichever branch as well...and the FTC.

In other words, when one can't get a response, check with NANOG. :)

-Jack
RE: .mil domain
Let me say this: I am former military.. Worked in Military IT. AND worst case situation, use www.cert.mil

Or if not that bad.. Call the public affairs officer at the branch of service.. Tell him you need help, tell him to put you in contact with the local Info systems type. and away u go.. I wish I still had the DoD and BoS NOC #'s but I don't..

If you want to complain to a US Military net admin and just find one, well it is not for lack of contact info.. It is lack of trying. And yes I have sent stuff to the military.. Recently got a huge nessus scan and DoS attack attempt from a military block.. went to that services web site and found the Info systems # on the web.. AND IT WORKED.

We used to say a Marine was not happy unless he had something to complain about... But it is the same for most all of us.

just my 10 cents worth.. Inflation ya know...

J

Laziness is just the act of being tired before doing the work

>> Your escalation route goes to the OSD-CIO (Office of Secretary Defense) in the 5-sided building. That was Art Money's office but I don't know if he's still there.
>> I'd cc: the Inspector General for whichever branch as well...and the FTC.
> In other words, when one can't get a response, check with NANOG. :)
> -Jack
.mil domain root only hosted by one server??
I just stumbled across something I thought was interesting. All the .mil domain names used by the U.S. Military are served by one single root server. I thought that was a bit odd. I'm sure that one server is more than enough to handle the queries for all the .mil domains with no problem, but it doesn't seem very redundant or safe at all. Especially for something our military uses. There's something that could be beefed up a little bit.

My other thought (which others may know) was that perhaps the military runs G.ROOT-SERVERS.NET and I'm just not aware of it. Maybe it's a policy to only run .mil on what they can control? Even still, I think it might be in their best interest to setup a few more.

These are the results I got when I queried A.ROOT-SERVERS.NET:

    ; DiG 9.2.1 @a.root-servers.net mil.
    ;; global options: printcmd
    ;; Got answer:
    ;; -HEADER- opcode: QUERY, status: NOERROR, id: 41
    ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;mil. IN A

    ;; AUTHORITY SECTION:
    mil. 86400 IN SOA G.ROOT-SERVERS.NET. HOSTMASTER.NIC.mil. 2002082000 3600 900 1209600 86400

    ;; Query time: 390 msec
    ;; SERVER: 198.41.0.4#53(a.root-servers.net)
    ;; WHEN: Wed Aug 21 15:38:58 2002
    ;; MSG SIZE rcvd: 90

I'd like comments from anyone with more information on this. I'm just curious as to why it is this way and what the reasoning behind it is. Maybe I'll email hostmaster.nic.mil and ask. ;)

Vinny Abello
Network Engineer
Server Management
[EMAIL PROTECTED]
(973)300-9211 x 125
(973)940-6125 (Direct)
PGP Key Fingerprint: 3BC5 9A48 FC78 03D3 82E0 E935 5325 FBCB 0100 977A
Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com (888)TELLURIAN
Re: .mil domain root only hosted by one server??
On Wed, 21 Aug 2002 15:46:22 EDT, Vinny Abello [EMAIL PROTECTED] said:
> I just stumbled across something I thought was interesting. All the .mil domain names used by the U.S. Military are served by one single root server. I thought that was a bit odd. I'm sure that one server is more than

The fact that you only see one doesn't mean there's only one.

And note that the .MIL domain perhaps has a vested interest in *NOT* having a fully redundant view of the world accessible from outside. Sure, it's one point of failure - but if you're battening down the hatches because of an attack, it's also a one-stop place to cut yourself off

--
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech
Re: .mil domain root only hosted by one server??
Ooops... My apologies (before I get slammed). I forgot the query type of NS in my dig.

    ; DiG 9.2.1 @a.root-servers.net ns mil.
    ;; global options: printcmd
    ;; Got answer:
    ;; -HEADER- opcode: QUERY, status: NOERROR, id: 41
    ;; flags: qr aa rd; QUERY: 1, ANSWER: 11, AUTHORITY: 0, ADDITIONAL: 11

    ;; QUESTION SECTION:
    ;mil. IN NS

    ;; ANSWER SECTION:
    mil. 86400 IN NS E.ROOT-SERVERS.NET.
    mil. 86400 IN NS PAC2.NIPR.mil.
    mil. 86400 IN NS CON1.NIPR.mil.
    mil. 86400 IN NS B.ROOT-SERVERS.NET.
    mil. 86400 IN NS A.ROOT-SERVERS.NET.
    mil. 86400 IN NS EUR1.NIPR.mil.
    mil. 86400 IN NS PAC1.NIPR.mil.
    mil. 86400 IN NS H.ROOT-SERVERS.NET.
    mil. 86400 IN NS G.ROOT-SERVERS.NET.
    mil. 86400 IN NS CON2.NIPR.mil.
    mil. 86400 IN NS EUR2.NIPR.mil.

    ;; ADDITIONAL SECTION:
    E.ROOT-SERVERS.NET. 360 IN A 192.203.230.10
    PAC2.NIPR.mil. 86400 IN A 199.252.155.234
    CON1.NIPR.mil. 86400 IN A 199.252.175.234
    B.ROOT-SERVERS.NET. 360 IN A 128.9.0.107
    A.ROOT-SERVERS.NET. 360 IN A 198.41.0.4
    EUR1.NIPR.mil. 86400 IN A 199.252.154.234
    PAC1.NIPR.mil. 86400 IN A 199.252.180.234
    H.ROOT-SERVERS.NET. 360 IN A 128.63.2.53
    G.ROOT-SERVERS.NET. 360 IN A 192.112.36.4
    CON2.NIPR.mil. 86400 IN A 199.252.173.234
    EUR2.NIPR.mil. 86400 IN A 199.252.143.234

    ;; Query time: 500 msec
    ;; SERVER: 198.41.0.4#53(a.root-servers.net)
    ;; WHEN: Wed Aug 21 16:07:56 2002
    ;; MSG SIZE rcvd: 412

That's better. :) Go back to your regularly scheduled threads.

At 03:04 PM 8/21/2002 -0500, you wrote:
> On Wed, Aug 21, 2002 at 03:46:22PM -0400, Vinny Abello wrote:
>> I just stumbled across something I thought was interesting. All the .mil domain names used by the U.S. Military are served by one single root server. I thought that was a bit odd. I'm sure that one server is more than enough to handle the queries for all the .mil domains with no problem, but it doesn't seem very redundant or safe at all. Especially for something our military uses. There's something that could be beefed up a little bit.
>>
>> My other thought (which others may know) was that perhaps the military runs G.ROOT-SERVERS.NET and I'm just not aware of it. Maybe it's a policy to only run .mil on what they can control? Even still, I think it might be in their best interest to setup a few more.
>>
>> These are the results I got when I queried A.ROOT-SERVERS.NET:
>>
>> ; DiG 9.2.1 @a.root-servers.net mil.
>> ;; global options: printcmd
>> ;; Got answer:
>> ;; -HEADER- opcode: QUERY, status: NOERROR, id: 41
>> ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>> ;; QUESTION SECTION:
>> ;mil. IN A
>> ;; AUTHORITY SECTION:
>> mil. 86400 IN SOA G.ROOT-SERVERS.NET. HOSTMASTER.NIC.mil. 2002082000 3600 900 1209600 86400
>
> U. The SOA MNAME field is always a single server.
>
> bastet[~]$ dig +short mil ns @g.root-servers.net
> PAC1.NIPR.mil.
> H.ROOT-SERVERS.NET.
> G.ROOT-SERVERS.NET.
> CON2.NIPR.mil.
> EUR2.NIPR.mil.
> E.ROOT-SERVERS.NET.
> PAC2.NIPR.mil.
> CON1.NIPR.mil.
> B.ROOT-SERVERS.NET.
> A.ROOT-SERVERS.NET.
> EUR1.NIPR.mil.
> bastet[~]$
>
> -Pete

Vinny Abello
Network Engineer
Server Management
[EMAIL PROTECTED]
(973)300-9211 x 125
(973)940-6125 (Direct)
PGP Key Fingerprint: 3BC5 9A48 FC78 03D3 82E0 E935 5325 FBCB 0100 977A
Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com (888)TELLURIAN
Re: .mil domain root only hosted by one server??
the .mil domain has a master source, just like .com or your tld here
it has a list of authoritative servers, just like .com or your tld here

You are reading your response incorrectly. your dig query asks for the default, which is an A record. .MIL has no A rr at the apex. The authority for .MIL, according to a.root-servers.net, is g.root-servers.net. the NSlist for mil is:

$ dig mil. ns

; <<>> DiG 8.3 <<>> mil. ns
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
;; flags: qr rd ra; QUERY: 1, ANSWER: 11, AUTHORITY: 0, ADDITIONAL: 11
;; QUERY SECTION:
;; mil, type = NS, class = IN

;; ANSWER SECTION:
mil. 2D IN NS CON1.NIPR.mil.
mil. 2D IN NS CON2.NIPR.mil.
mil. 2D IN NS EUR1.NIPR.mil.
mil. 2D IN NS EUR2.NIPR.mil.
mil. 2D IN NS PAC1.NIPR.mil.
mil. 2D IN NS PAC2.NIPR.mil.
mil. 2D IN NS A.ROOT-SERVERS.NET.
mil. 2D IN NS H.ROOT-SERVERS.NET.
mil. 2D IN NS G.ROOT-SERVERS.NET.
mil. 2D IN NS B.ROOT-SERVERS.NET.
mil. 2D IN NS E.ROOT-SERVERS.NET.

- all over the world. Some inside the military, some out.

I just stumbled across something I thought was interesting. All the .mil domain names used by the U.S. Military are served by one single root server. I thought that was a bit odd. I'm sure that one server is more than enough to handle the queries for all the .mil domains with no problem, but it doesn't seem very redundant or safe at all. Especially for something our military uses. There's something that could be beefed up a little bit. My other thought (which others may know) was that perhaps the military runs G.ROOT-SERVERS.NET and I'm just not aware of it. Maybe it's a policy to only run .mil on what they can control? Even still, I think it might be in their best interest to set up a few more. These are the results I got when I queried A.ROOT-SERVERS.NET:

; <<>> DiG 9.2.1 <<>> @a.root-servers.net mil.
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;mil. IN A

;; AUTHORITY SECTION:
mil. 86400 IN SOA G.ROOT-SERVERS.NET. HOSTMASTER.NIC.mil. 2002082000 3600 900 1209600 86400

;; Query time: 390 msec
;; SERVER: 198.41.0.4#53(a.root-servers.net)
;; WHEN: Wed Aug 21 15:38:58 2002
;; MSG SIZE rcvd: 90

I'd like comments from anyone with more information on this. I'm just curious as to why it is this way and what the reasoning behind it is. Maybe I'll email hostmaster.nic.mil and ask. ;)

Vinny Abello
Network Engineer
Server Management
[EMAIL PROTECTED]
(973)300-9211 x 125
(973)940-6125 (Direct)
PGP Key Fingerprint: 3BC5 9A48 FC78 03D3 82E0 E935 5325 FBCB 0100 977A
Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com
(888)TELLURIAN
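The distinction drawn in the reply above (an A query at the mil. apex comes back as a no-data response carrying only the SOA, while an NS query returns the full server list) can be checked mechanically. The following Python is an added example, not code from any poster in this thread; the function names are hypothetical and the sample text is laid out from the dig responses quoted in the thread.

```python
import re
RECORD_SECTIONS = ("ANSWER", "AUTHORITY", "ADDITIONAL")
# Sample dig text laid out from the two responses quoted in this thread.
A_QUERY = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;mil. IN A
;; AUTHORITY SECTION:
mil. 86400 IN SOA G.ROOT-SERVERS.NET. HOSTMASTER.NIC.mil. 2002082000 3600 900 1209600 86400
"""
NS_NAMES = ("PAC1.NIPR.mil. H.ROOT-SERVERS.NET. G.ROOT-SERVERS.NET. CON2.NIPR.mil. "
            "EUR2.NIPR.mil. E.ROOT-SERVERS.NET. PAC2.NIPR.mil. CON1.NIPR.mil. "
            "B.ROOT-SERVERS.NET. A.ROOT-SERVERS.NET. EUR1.NIPR.mil.").split()
NS_QUERY = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17626
;; flags: qr aa; QUERY: 1, ANSWER: 11, AUTHORITY: 0, ADDITIONAL: 11
;; QUESTION SECTION:
;mil. IN NS
;; ANSWER SECTION:
""" + "".join(f"mil. 86400 IN NS {n}\n" for n in NS_NAMES)

def parse_dig(text):
    """Return status, question type and the records of each section."""
    out = {"status": None, "qtype": None, **{s: [] for s in RECORD_SECTIONS}}
    section = None
    for line in text.splitlines():
        status = re.search(r"status: (\w+)", line)
        if status:
            out["status"] = status.group(1)
        elif line.startswith(";;") and line.endswith("SECTION:"):
            section = line[2:].split()[0]
        elif section == "QUESTION" and line.startswith(";"):
            out["qtype"] = line.split()[-1]
        elif section in RECORD_SECTIONS and line and not line.startswith(";"):
            _name, _ttl, _cls, rtype, *rdata = line.split()
            out[section].append((rtype, rdata))
    return out

def classify(text):
    """Return ('NODATA', soa_mname) or (qtype, sorted answer targets)."""
    r = parse_dig(text)
    answers = sorted(rd[0] for t, rd in r["ANSWER"] if t == r["qtype"])
    if r["status"] == "NOERROR" and not answers:
        # NODATA: the name exists but has no record of the type asked for. The SOA
        # is there for negative caching; its MNAME is one primary, not the NS set.
        soa = [rd for t, rd in r["AUTHORITY"] if t == "SOA"]
        return ("NODATA", soa[0][0] if soa else None)
    return (r["qtype"], answers)
```

Calling `classify(A_QUERY)` reports the no-data case with G.ROOT-SERVERS.NET. as the SOA MNAME, while `classify(NS_QUERY)` returns all eleven servers for the zone.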
Re: .mil domain root only hosted by one server??
% dig +norec @a.root-servers.net. mil. ns

; <<>> DiG 9.3.0s20020722 <<>> +norec @a.root-servers.net. mil. ns
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17626
;; flags: qr aa; QUERY: 1, ANSWER: 11, AUTHORITY: 0, ADDITIONAL: 11

;; QUESTION SECTION:
;mil. IN NS

;; ANSWER SECTION:
mil. 86400 IN NS PAC1.NIPR.mil.
mil. 86400 IN NS H.ROOT-SERVERS.NET.
mil. 86400 IN NS G.ROOT-SERVERS.NET.
mil. 86400 IN NS CON2.NIPR.mil.
mil. 86400 IN NS EUR2.NIPR.mil.
mil. 86400 IN NS E.ROOT-SERVERS.NET.
mil. 86400 IN NS PAC2.NIPR.mil.
mil. 86400 IN NS CON1.NIPR.mil.
mil. 86400 IN NS B.ROOT-SERVERS.NET.
mil. 86400 IN NS A.ROOT-SERVERS.NET.
mil. 86400 IN NS EUR1.NIPR.mil.

;; ADDITIONAL SECTION:
PAC1.NIPR.mil. 86400 IN A 199.252.180.234
H.ROOT-SERVERS.NET. 360 IN A 128.63.2.53
G.ROOT-SERVERS.NET. 360 IN A 192.112.36.4
CON2.NIPR.mil. 86400 IN A 199.252.173.234
EUR2.NIPR.mil. 86400 IN A 199.252.143.234
E.ROOT-SERVERS.NET. 360 IN A 192.203.230.10
PAC2.NIPR.mil. 86400 IN A 199.252.155.234
CON1.NIPR.mil. 86400 IN A 199.252.175.234
B.ROOT-SERVERS.NET. 360 IN A 128.9.0.107
A.ROOT-SERVERS.NET. 360 IN A 198.41.0.4
EUR1.NIPR.mil. 86400 IN A 199.252.154.234

;; Query time: 104 msec
;; SERVER: 198.41.0.4#53(a.root-servers.net.)
;; WHEN: Wed Aug 21 13:15:28 2002
;; MSG SIZE rcvd: 412

% doc -p -w mil
Doc-2.2.3: doc -p -w mil
Doc-2.2.3: Starting test of mil. parent is .
Doc-2.2.3: Test date - Wed Aug 21 13:19:12 PDT 2002
Summary:
No errors or warnings issued for mil.
Done testing mil. Wed Aug 21 13:19:21 PDT 2002
Re: .mil domain root only hosted by one server??
[jabley@peppermill]% for n in a b c d e f g h i j k l m; do
for> dig @${n}.root-servers.net ns mil. | egrep -qi '^mil.*NS' \
for cmdand> && echo ${n}.root-servers.net provides a delegation for MIL.
for> done

man doc

randy
RE: .mil domain root only hosted by one server??
Perhaps the military has more interest in controlling access than in making sure John Q. Public is able to reach their sites? There's also little commercial interest in making sure they're available. I'm willing to bet the important stuff doesn't rely on DNS anyway. ;)

Just my 2¢

Best regards,
_
Alan Rowland
USAF, Ret

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Vinny Abello
Sent: Wednesday, August 21, 2002 12:46 PM
To: [EMAIL PROTECTED]
Subject: .mil domain root only hosted by one server??

I just stumbled across something I thought was interesting. All the .mil domain names used by the U.S. Military are served by one single root server. I thought that was a bit odd. I'm sure that one server is more than enough to handle the queries for all the .mil domains with no problem, but it doesn't seem very redundant or safe at all. Especially for something our military uses. There's something that could be beefed up a little bit. My other thought (which others may know) was that perhaps the military runs G.ROOT-SERVERS.NET and I'm just not aware of it. Maybe it's a policy to only run .mil on what they can control? Even still, I think it might be in their best interest to set up a few more. These are the results I got when I queried A.ROOT-SERVERS.NET:

; <<>> DiG 9.2.1 <<>> @a.root-servers.net mil.
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;mil. IN A

;; AUTHORITY SECTION:
mil. 86400 IN SOA G.ROOT-SERVERS.NET. HOSTMASTER.NIC.mil. 2002082000 3600 900 1209600 86400

;; Query time: 390 msec
;; SERVER: 198.41.0.4#53(a.root-servers.net)
;; WHEN: Wed Aug 21 15:38:58 2002
;; MSG SIZE rcvd: 90

I'd like comments from anyone with more information on this. I'm just curious as to why it is this way and what the reasoning behind it is. Maybe I'll email hostmaster.nic.mil and ask. ;)

Vinny Abello
Network Engineer
Server Management
[EMAIL PROTECTED]
(973)300-9211 x 125
(973)940-6125 (Direct)
PGP Key Fingerprint: 3BC5 9A48 FC78 03D3 82E0 E935 5325 FBCB 0100 977A
Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com
(888)TELLURIAN