« on: October 24, 2016, 01:55:23 PM »
What I don't understand in all this is why all the local DNS caches lost their entries for the DDoSed DYN name servers. I would think that if they didn't get a reply they would still retain their record. I guess the problem here is that the DNS system makes no distinction between refreshing a service IP and checking if the service is permanently removed. It just sends requests and always interprets a reply as the former, and no reply as the latter? The latter should require the service not responding for a week straight or something. That would remove the incentive to DDoS centralized name servers by quite a bit. EDIT: Although I'm not entirely sure how these services were set up. I assume it was .com->DYN->company->etc. That way even DNS-based load balancing should still work, unless DYN could and did that too.
DNS is a pyramid. (Potentially) One pyramid internal to your organization and one external. Your suggestion of a week is unreasonable due to the height and breadth of that external pyramid. We basically all use the same DNS. For instance, I just recently moved our company from using ADFS to OneLogin for our Office 365 federation; you don't need to know what that means, other than that it is a configuration/service change from something on my network to one on someone else's. That change requires DNS records to update. While that change gets updated across DNS, you can't receive your email; it gets delivered to your mailbox, but Office 365 will not be able to authenticate you. Your suggestion would mean it would take at minimum a week for that change. In actuality, it could take months depending on your ISP, and who they use, and who that person uses, etc.
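The cache behaviour both posts are arguing about, modelled as an added example (this is not code from the thread or from any resolver, and the zone name, addresses and TTLs are constructed): a caching resolver answers from cache only while the record's TTL has not run out, and once it has, a refresh query that gets no reply yields SERVFAIL rather than the old address. Keeping the old address past expiry when the authoritative side is unreachable is the optional serve-stale behaviour that was later standardized as RFC 8767; the first post's "a week" corresponds to a large `max_stale` value there. The second scenario shows the other side of the same mechanism, the one the second post describes: after a record is changed, caches keep serving the old address until the TTL expires.

```python
from dataclasses import dataclass


@dataclass
class Record:
    ip: str
    expires_at: float  # absolute time (seconds) at which the record's TTL runs out


class Upstream:
    """Stand-in for the authoritative side (the role Dyn played in the thread)."""

    def __init__(self, zone):
        self.zone = dict(zone)      # name -> (ip, ttl)
        self.reachable = True       # set False to simulate the DDoS

    def query(self, name):
        if not self.reachable:
            raise TimeoutError("no reply from upstream")
        return self.zone.get(name)  # (ip, ttl), or None for NXDOMAIN


class Resolver:
    """Caching resolver: serves from cache while the TTL is valid, re-queries after."""

    def __init__(self, upstream, serve_stale=False, max_stale=86400):
        self.upstream = upstream
        self.cache = {}                 # name -> Record
        self.serve_stale = serve_stale  # RFC 8767 behaviour, off by default
        self.max_stale = max_stale      # seconds past expiry a stale answer may still be used

    def resolve(self, name, now):
        rec = self.cache.get(name)
        if rec is not None and now < rec.expires_at:
            return rec.ip, "cache"      # TTL still valid: no upstream traffic at all
        try:
            answer = self.upstream.query(name)
        except TimeoutError:
            # Plain TTL semantics: the expired entry is simply gone. Only a
            # serve-stale resolver keeps handing out the old address.
            if self.serve_stale and rec is not None and now < rec.expires_at + self.max_stale:
                return rec.ip, "stale"
            return None, "servfail"
        if answer is None:
            self.cache.pop(name, None)  # authoritative "does not exist"
            return None, "nxdomain"
        ip, ttl = answer
        self.cache[name] = Record(ip, now + ttl)
        return ip, "fresh"


NAME = "api.example.test."  # constructed name in the reserved .test TLD


def outage_scenario(serve_stale):
    """Upstream stops answering partway through; what does the cache return?"""
    up = Upstream({NAME: ("192.0.2.10", 300)})   # 5-minute TTL, documentation address
    r = Resolver(up, serve_stale=serve_stale)
    steps = [r.resolve(NAME, now=0),             # first lookup: fetched from upstream
             r.resolve(NAME, now=100)]           # inside TTL: answered from cache
    up.reachable = False                         # attack starts
    steps.append(r.resolve(NAME, now=200))       # still inside TTL: cache, attack invisible
    steps.append(r.resolve(NAME, now=400))       # TTL expired, refresh times out
    return steps


def record_change_scenario():
    """Operator changes the address; caches keep the old one until TTL expiry."""
    up = Upstream({NAME: ("192.0.2.10", 300)})
    r = Resolver(up)
    steps = [r.resolve(NAME, now=0)]
    up.zone[NAME] = ("198.51.100.7", 300)        # change published at t=50
    steps.append(r.resolve(NAME, now=100))       # old answer still served from cache
    steps.append(r.resolve(NAME, now=301))       # TTL expired: new address fetched
    return steps


if __name__ == "__main__":
    print("outage, plain TTL:   ", outage_scenario(serve_stale=False))
    print("outage, serve-stale: ", outage_scenario(serve_stale=True))
    print("record change:       ", record_change_scenario())
```

The model leaves out negative caching, prefetching and per-resolver timeouts, but it captures the trade-off in the thread: the same TTL that limits how long a cache survives an authoritative outage is what bounds how long an old address lingers after a change, so lengthening one lengthens the other.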