[nSLUG] resolving bellaliant.net while on fibreop

George N. White III gnwiii at gmail.com
Mon Aug 17 15:42:13 ADT 2015


On Sun, Aug 16, 2015 at 8:03 PM, D G Teed <donald.teed at gmail.com> wrote:

> On Sun, Aug 16, 2015 at 4:17 PM, George N. White III <gnwiii at gmail.com> wrote:
> > On Sun, Aug 16, 2015 at 9:22 AM, D G Teed <donald.teed at gmail.com> wrote:
> >
> >> Setup:
> >>
> >> fibreop home ISP
> >>
> >> Two Linux systems behind Asus router cannot resolve
> >> bellaliant.net using bind9 (host,nslookup or dig)
> >>
> >> e.g. host bellaliant.net 192.168.0.10
> >> where 192.168.0.10 is my Linux box.
> >>
> >> Linux systems can resolve bellaliant.net using 8.8.8.8 as resolver
> >>
> >> Windows system also behind Asus router can resolve bellaliant.net
> >> using Linux systems as resolver - testing with nslookup on Windows
> >>
> >> Asus router can resolve bellaliant.net using nslookup on router
> >> (Merlin firmware)
> >>
> >> Linux systems behind router can resolve random domains to lookup, such
> >> as cbc.ca or england.com
> >>
> >> dig with +trace on Linux ends like this:
> >>
> >> ;; Received 489 bytes from 199.7.83.42#53(199.7.83.42) in 982 ms
> >>
> >> bellaliant.net. 172800 IN NS dns-nb00.aliant.net.
> >> bellaliant.net. 172800 IN NS dns-ns00.aliant.net.
> >> ;; Received 117 bytes from 192.54.112.30#53(192.54.112.30) in 10142 ms
> >>
> >> ;; connection timed out; no servers could be reached
> >>
> >
> >
> > "dig <host> +trace" adds "+dnssec". "Applications don't necessarily
> > need DNSSEC support to benefit from it. If the local nameserver is
> > configured to make DNSSEC mandatory, then the applications will receive
> > a SERVFAIL error trying to access any domain that is DNSSEC enabled if
> > the signature data isn't valid."  See: https://wiki.debian.org/DNSSEC
> >
>
> I have the default from Debian 8, which is also in Redhat 6/7:
>
> dnssec-validation auto;
>
> In any case, there is no DS record:
>
> host -t DS bellaliant.net
> bellaliant.net has no DS record
>
> So they don't expect DNSSEC.  Also, the plain host lookup check
> without dig's +trace also fails from home, while host lookup from work
> succeeds.
>
> Home:
> host -W60 bellaliant.net 198.164.30.2
> ;; connection timed out; no servers could be reached
>
> Work:
> host -W60 bellaliant.net 198.164.30.2
> Using domain server:
> Name: 198.164.30.2
> Address: 198.164.30.2#53
> Aliases:
>
> bellaliant.net has address 70.33.239.144
>
> It seems like Bell is somehow blocking Linux/bind client
> queries from their customers.  The clients work for everything
> else out there.
>

Interesting.   Do queries from Windows include some secret handshake
that would permit such discrimination?


>
> But thanks for reporting on the +trace quirk...
>
> >
> >
> >>
> >> Linux can look up dns-nb00.aliant.net and get 198.164.30.2
> >>
> >> but then:
> >>
> >> host bellaliant.net 198.164.30.2
> >> ;; connection timed out; no servers could be reached
> >>
> >> On my work Linux desktop, I can do the above lookup using 198.164.30.2
> >> and get an answer.
> >>
> >> Since the Asus router can do the lookup, I can add 192.168.0.1 to
> >> resolv.conf as a workaround, but I'm really puzzled as to why this
> >> situation exists.  Does anyone else run their own bind resolver on
> >> Bell FibreOp?  Just dealing with a bind9 resolver, not dealing with
> >> running a domain's DNS.
> >>
> >> The failure seems specific to lookup of bellaliant.net while having a
> >> Linux client talk to the Bell Aliant NS for resolving.
> >> _______________________________________________
> >> nSLUG mailing list
> >> nSLUG at nslug.ns.ca
> >> http://nslug.ns.ca/mailman/listinfo/nslug
> >
> >
> >
> >
> > --
> > George N. White III <aa056 at chebucto.ns.ca>
> > Head of St. Margarets Bay, Nova Scotia
> >



-- 
George N. White III <aa056 at chebucto.ns.ca>
Head of St. Margarets Bay, Nova Scotia
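
One way to see what actually differs on the wire between a plain lookup and a "+dnssec" one, as discussed in the thread above. This is an added example, not code from the thread; the function names are hypothetical, and it only shows how to build and compare the queries, without assuming that EDNS0 is the cause of the timeouts.

```python
import socket
import struct

def encode_name(name):
    """Encode a domain name as length-prefixed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name, qtype=1, edns=False, do=False, udp_size=4096, txid=0x1234):
    """Build an A query (RD set); optionally append an EDNS0 OPT record."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns else 0)
    msg = header + encode_name(name) + struct.pack("!HH", qtype, 1)
    if edns:
        ttl = 0x8000 if do else 0  # the DO flag lives in the OPT TTL field
        msg += b"\x00" + struct.pack("!HHIH", 41, udp_size, ttl, 0)
    return msg

def describe(msg):
    """Parse a query built above and report its EDNS0 properties."""
    ar = struct.unpack("!HHHHHH", msg[:12])[5]
    off, labels = 12, []
    while msg[off]:
        n = msg[off]
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    off += 1 + 4  # root label, then QTYPE and QCLASS
    info = {"qname": ".".join(labels), "length": len(msg),
            "edns": False, "do": False, "udp_size": 512}
    if ar and msg[off] == 0:
        rtype, size, ttl, _ = struct.unpack("!HHIH", msg[off + 1:off + 11])
        if rtype == 41:  # OPT pseudo-record
            info.update(edns=True, do=bool(ttl & 0x8000), udp_size=size)
    return info

def probe(server, msg, timeout=5.0):
    """Send msg over UDP/53; return the reply length, or None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(msg, (server, 53))
        try:
            return len(s.recvfrom(4096)[0])
        except socket.timeout:
            return None

if __name__ == "__main__":
    for kw in ({}, {"edns": True}, {"edns": True, "do": True}):
        print(describe(build_query("bellaliant.net", **kw)))
```

Calling probe() with each of the three variants against the same server shows whether only one query shape goes unanswered.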