[nSLUG] resolving bellaliant.net while on fibreop

D G Teed donald.teed at gmail.com
Sun Aug 16 20:03:44 ADT 2015


On Sun, Aug 16, 2015 at 4:17 PM, George N. White III <gnwiii at gmail.com> wrote:
> On Sun, Aug 16, 2015 at 9:22 AM, D G Teed <donald.teed at gmail.com> wrote:
>
>> Setup:
>>
>> fibreop home ISP
>>
>> Two Linux systems behind Asus router cannot resolve
>> bellaliant.net using bind9 (host,nslookup or dig)
>>
>> e.g. host bellaliant.net 192.168.0.10
>> where 192.168.0.10 is my Linux box.
>>
>> Linux systems can resolve bellaliant.net using 8.8.8.8 as resolver
>>
>> Windows system also behind Asus router can resolve bellaliant.net
>> using Linux systems as resolver - testing with nslookup on Windows
>>
>> Asus router can resolve bellaliant.net using nslookup on router
>> (Merlin firmware)
>>
>> Linux systems behind router can resolve random domains to lookup, such
>> as cbc.ca or england.com
>>
>> dig with +trace on Linux ends like this:
>>
>> ;; Received 489 bytes from 199.7.83.42#53(199.7.83.42) in 982 ms
>>
>> bellaliant.net. 172800 IN NS dns-nb00.aliant.net.
>> bellaliant.net. 172800 IN NS dns-ns00.aliant.net.
>> ;; Received 117 bytes from 192.54.112.30#53(192.54.112.30) in 10142 ms
>>
>> ;; connection timed out; no servers could be reached
>>
>
>
> "dig <host> +trace" adds "+dnssec".   "Applications don't necessarily need
> DNSSEC support to benefit from it. If the local nameserver is configured to
> make DNSSEC mandatory, then the applications will receive a SERVFAIL error
> trying to access any domain that is DNSSEC enabled if the signature data
> isn't valid."  See: https://wiki.debian.org/DNSSEC
>

I have the default from Debian 8, which is also in Redhat 6/7:

dnssec-validation auto;

In any case, there is no DS record:

host -t DS bellaliant.net
bellaliant.net has no DS record

So they don't expect DNSSEC.  Also, the plain host lookup check
without dig's +trace also fails from home, while host lookup from work
succeeds.

Home:
host -W60 bellaliant.net 198.164.30.2
;; connection timed out; no servers could be reached

Work:
host -W60 bellaliant.net 198.164.30.2
Using domain server:
Name: 198.164.30.2
Address: 198.164.30.2#53
Aliases:

bellaliant.net has address 70.33.239.144

It seems like Bell is somehow blocking Linux/bind client
queries from their customers.  The clients work for everything
else out there.

But thanks for reporting on the +trace quirk...

>
>
>>
>> Linux can look up dns-nb00.aliant.net and get 198.164.30.2
>>
>> but then:
>>
>> host bellaliant.net 198.164.30.2
>> ;; connection timed out; no servers could be reached
>>
>> On my work Linux desktop, I can do the above lookup using 198.164.30.2
>> and get an answer.
>>
>> Since the Asus router can do the lookup, I can add 192.168.0.1 to
>> resolv.conf as a workaround, but I'm really puzzled as to why this
>> situation exists.  Does anyone else run their own bind resolver on
>> Bell FibreOp?  Just dealing with a bind9 resolver, not dealing with
>> running a domain's DNS.
>>
>> The failure seems specific to lookup of bellaliant.net while having a
>> Linux client talk to the Bell Aliant NS for resolving.
>> _______________________________________________
>> nSLUG mailing list
>> nSLUG at nslug.ns.ca
>> http://nslug.ns.ca/mailman/listinfo/nslug
>
>
>
>
> --
> George N. White III <aa056 at chebucto.ns.ca>
> Head of St. Margarets Bay, Nova Scotia
>
>
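
The quoted reply notes that "dig <host> +trace" adds "+dnssec". As an added example (not part of the thread, and not code from any poster), this Python sketch builds the two query forms offline, a plain query and one carrying an EDNS0 OPT record with the DO bit set, so the difference on the wire can be compared against a packet capture taken at home and at work. The transaction id, buffer size and function names are constructed for illustration; nothing is sent on the network.

```python
import struct

def encode_name(name):
    """Encode a domain name as DNS labels: length byte + label, 0 terminator."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name, qtype=1, edns=False, do=False, txid=0x1234, bufsize=4096):
    """Build a query with RD set; optionally append an EDNS0 OPT record."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns else 0)
    msg = header + encode_name(name) + struct.pack("!HH", qtype, 1)
    if edns:
        # OPT RR: root name, type 41, CLASS = UDP payload size,
        # TTL = ext-rcode/version/flags (DO is 0x8000 in the low 16 bits), RDLEN 0
        ttl = 0x8000 if do else 0
        msg += b"\x00" + struct.pack("!HHIH", 41, bufsize, ttl, 0)
    return msg

def describe(msg):
    """Parse a query built above: (qname, has_opt, do_bit, advertised_udp_size)."""
    arcount = struct.unpack("!H", msg[10:12])[0]
    pos, labels = 12, []
    while msg[pos]:
        n = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    pos += 1 + 4  # skip name terminator, QTYPE and QCLASS
    qname = ".".join(labels)
    if not arcount:
        return qname, False, False, 512  # no EDNS: classic 512-byte UDP limit
    rtype, size, ttl, _ = struct.unpack("!HHIH", msg[pos + 1:pos + 11])
    return qname, rtype == 41, bool(ttl & 0x8000), size

if __name__ == "__main__":
    for label, kw in (("plain", {}), ("edns+do", {"edns": True, "do": True})):
        q = build_query("bellaliant.net", **kw)
        print(label, len(q), "bytes", describe(q), q.hex())
```

If a capture shows only the OPT-bearing form going unanswered, the drop depends on EDNS/DO rather than on the client's operating system.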

