I'm also a huge fan of the blog posts that suggest throwing away fundamental technologies and replacing them with half-bakery without understanding the problem domain or the problems that have been encountered and solved before.
Ok, since I’m obviously not nerdy and/or cynical enough to get the joke, what exactly is wrong with DNS? None of the links seem to indicate what exactly the problem with it is.
I think it’s implied that it’s been zero days since the underlying cause of some such problem turned out to be DNS related. The number zero being hard coded implies that the root of the problem is always DNS. But, let’s give MTU its due.
Two days ago one (!) User reported they got \\contso.com\dfsroot\profiles\user inaccessible (with errors loading the desktop etc).
For me the path was accessible, logging on the same server proved the path was accessible, 3 hours of the proper troubleshooting confirmed everything should work. But yet.
Skipping short the circumstances, one of (the 6 total) DCs decided what... DNS server isn't worth running. And for this one user DFS (last changed at least two years ago) decided to fall back to the file server from 2018, which, of course, pointed the DFS target to a no longer existant share.
Of course it wasn't DNS in this case. It was the DNS in this one.
As someone who administers DNS servers, I'm going to guess this is due to DNS being the first thing that gets blamed when something goes wrong; and it is almost never DNS.
"It’s always DNS" is basically tongue-in-cheek expression, because DNS issues are so frequently the cause of weird outages.
Almost anything you do on the internet (or local network) depends on DNS functioning correctly. DNS can get complex quickly - multiple servers (caching/authoritative/recursive) and protocols = lots of opportunities for something to be misconfigured. Cached entries in particular can be a nightmare if something gets outdated - it takes time for an update to a DNS record to propagate to all the other DNS servers on the Internet. All kinds of other random services etc depend on DNS records being correct and DNS working. When there’s an issue it’s not always immediately apparent that a DNS problem is the root cause, leading to lots of time chasing your tail/tearing your hair out trying to figure out what the heck broke.
I was setting up my own mail server the other day and re-realized how long global DNS propagation really takes.
I’m in the US so it was almost instantaneous between updating the dns records in domain register any being able to verify the changes with my own rDNS server.
But using a UK or NL dns server didn’t immediately pick up those recent changes.
Had to wait an additional 48 hrs for global dns propagation.
A change to a record in your zone should propagate to all your authoritative servers within a few seconds, using the DNS NOTIFY feature. If it doesn’t, that’s a bug in your provider’s setup.
Caches rely on the TTL of records in your zone, or the SOA negative TTL field for negative answers. You control these TTLs, so don’t set them to 48 hours. In most cases there’s little benefit to having TTLs longer than 1 hour. (I use 24 hours for TTLs on NS records and nameserver addresses, because they tend to be more stable, and it’s good for tail latency to keep them in caches longer.)
This is surprising. What was the TLD for your name? And can you share your SOA config for your zone? (don't need the names, I'm curious about the TTLs in all the SOA fields)
NTP, BGP, MTU and a lot of other acronyms should be also in the list of not trivial to trace root cause for things that goes from big outages to mysterious malfunctions, specially if there are many parties or servers involved. And the security protocols that are above those and more (DNSSEC, SSL, etc).
Shit can and must be troubleshooted with domain-specific tools.
DNS: I do have an ongoing problem specific to Unbound where it refuses to serve some entries in a transparent zone of DHCP-registered addresses that have written to config files properly but it insists on refusing to resolve certain hosts nondeterministically. But that's the only problem I have had in a long while because mostly infrastructure works out of necessity and scale.
xist|1 year ago
There's almost 300 RFCs related to DNS. It can do many things, and some of them are complex. But human error is almost always the root cause.
Your inability to configure DNS properly speaks more about you, then the service itself.
hi-v-rocknroll|1 year ago
unknown|1 year ago
[deleted]
zoky|1 year ago
EricE|1 year ago
https://medium.com/adevinta-tech-blog/its-not-always-dns-unl...
cwicklein|1 year ago
justsomehnguy|1 year ago
For me the path was accessible, logging on the same server proved the path was accessible, 3 hours of the proper troubleshooting confirmed everything should work. But yet.
Skipping short the circumstances, one of (the 6 total) DCs decided what... DNS server isn't worth running. And for this one user DFS (last changed at least two years ago) decided to fall back to the file server from 2018, which, of course, pointed the DFS target to a no longer existant share.
Of course it wasn't DNS in this case. It was the DNS in this one.
linuxdaemon|1 year ago
erikw|1 year ago
dervjd|1 year ago
Almost anything you do on the internet (or local network) depends on DNS functioning correctly. DNS can get complex quickly - multiple servers (caching/authoritative/recursive) and protocols = lots of opportunities for something to be misconfigured. Cached entries in particular can be a nightmare if something gets outdated - it takes time for an update to a DNS record to propagate to all the other DNS servers on the Internet. All kinds of other random services etc depend on DNS records being correct and DNS working. When there’s an issue it’s not always immediately apparent that a DNS problem is the root cause, leading to lots of time chasing your tail/tearing your hair out trying to figure out what the heck broke.
xyst|1 year ago
I’m in the US so it was almost instantaneous between updating the dns records in domain register any being able to verify the changes with my own rDNS server.
But using a UK or NL dns server didn’t immediately pick up those recent changes.
Had to wait an additional 48 hrs for global dns propagation.
fanf2|1 year ago
Caches rely on the TTL of records in your zone, or the SOA negative TTL field for negative answers. You control these TTLs, so don’t set them to 48 hours. In most cases there’s little benefit to having TTLs longer than 1 hour. (I use 24 hours for TTLs on NS records and nameserver addresses, because they tend to be more stable, and it’s good for tail latency to keep them in caches longer.)
bluejekyll|1 year ago
nevir|1 year ago
gmuslera|1 year ago
amacd31|1 year ago
hi-v-rocknroll|1 year ago
DNS: I do have an ongoing problem specific to Unbound where it refuses to serve some entries in a transparent zone of DHCP-registered addresses that have written to config files properly but it insists on refusing to resolve certain hosts nondeterministically. But that's the only problem I have had in a long while because mostly infrastructure works out of necessity and scale.
byteknight|1 year ago
Yasuraka|1 year ago
EricE|1 year ago
geerlingguy|1 year ago