[nSLUG] resolving bellaliant.net while on fibreop

D G Teed donald.teed at gmail.com
Mon Aug 17 16:12:39 ADT 2015


On Mon, Aug 17, 2015 at 3:42 PM, George N. White III <gnwiii at gmail.com> wrote:
> On Sun, Aug 16, 2015 at 8:03 PM, D G Teed <donald.teed at gmail.com> wrote:
>>
>> On Sun, Aug 16, 2015 at 4:17 PM, George N. White III <gnwiii at gmail.com>
>> wrote:
>> > On Sun, Aug 16, 2015 at 9:22 AM, D G Teed <donald.teed at gmail.com> wrote:
>> >
>> >> Setup:
>> >>
>> >> fibreop home ISP
>> >>
>> >> Two Linux systems behind Asus router cannot resolve
>> >> bellaliant.net using bind9 (host,nslookup or dig)
>> >>
>> >> e.g. host bellaliant.net 192.168.0.10
>> >> where 192.168.0.10 is my Linux box.
>> >>
>> >> Linux systems can resolve bellaliant.net using 8.8.8.8 as resolver
>> >>
>> >> Windows system also behind Asus router can resolve bellaliant.net
>> >> using Linux systems as resolver - testing with nslookup on Windows
>> >>
>> >> Asus router can resolve bellaliant.net using nslookup on router
>> >> (Merlin firmware)
>> >>
>> >> Linux systems behind router can resolve random domains to lookup, such
>> >> as cbc.ca or england.com
>> >>
>> >> dig with +trace on Linux ends like this:
>> >>
>> >> ;; Received 489 bytes from 199.7.83.42#53(199.7.83.42) in 982 ms
>> >>
>> >> bellaliant.net. 172800 IN NS dns-nb00.aliant.net.
>> >> bellaliant.net. 172800 IN NS dns-ns00.aliant.net.
>> >> ;; Received 117 bytes from 192.54.112.30#53(192.54.112.30) in 10142 ms
>> >>
>> >> ;; connection timed out; no servers could be reached
>> >>
>> >
>> >
>> > "dig <host> +trace" adds "+dnssec".   "Applications don't necessarily need
>> > DNSSEC support to benefit from it. If the local nameserver is configured to
>> > make DNSSEC mandatory, then the applications will receive a SERVFAIL error
>> > trying to access any domain that is DNSSEC enabled if the signature data
>> > isn't valid."  See: https://wiki.debian.org/DNSSEC
>> >
>>
>> I have the default from Debian 8, which is also in Redhat 6/7:
>>
>> dnssec-validation auto;
>>
>> In any case, there is no DS record:
>>
>> host -t DS bellaliant.net
>> bellaliant.net has no DS record
>>
>> So they don't expect DNSSEC.  Also, the plain host lookup check
>> without dig's +trace also fails from home, while host lookup from work
>> succeeds.
>>
>> Home:
>> host -W60 bellaliant.net 198.164.30.2
>> ;; connection timed out; no servers could be reached
>>
>> Work:
>>  host -W60 bellaliant.net 198.164.30.2
>> Using domain server:
>> Name: 198.164.30.2
>> Address: 198.164.30.2#53
>> Aliases:
>>
>> bellaliant.net has address 70.33.239.144
>>
>> It seems like Bell is somehow blocking Linux/bind client
>> queries from their customers.  The clients work for everything
>> else out there.
>
>
> Interesting.   Do queries from Windows include some secret handshake
> that would permit such discrimination?

I'm thinking more of packet inspection stuff at the Bell end,
which doesn't like Linux, as some sort of anti-DNS-DoS
defence.  But it is conjecture.  I'd really like someone to
try it and see if they get the same result from Bell FibreOp.
I know there are some nslug folk on FibreOp in NS.

If Windows gets by this test by using an answer from the router, the
theory of the packet block is wrong.  I could be looking
at a NAT problem of some sort, but it beats me as to why
a NAT issue would be specific to look up of bellaliant.net.

As I said, I need more data points, thus I ask the list.


>
>>
>>
>> But thanks for reporting on the +trace quirk...
>>
>> >
>> >
>> >>
>> >> Linux can look up dns-nb00.aliant.net and get 198.164.30.2
>> >>
>> >> but then:
>> >>
>> >> host bellaliant.net 198.164.30.2
>> >> ;; connection timed out; no servers could be reached
>> >>
>> >> On my work Linux desktop, I can do the above lookup using 198.164.30.2
>> >> and get an answer.
>> >>
>> >> Since the Asus router can do the lookup, I can add 192.168.0.1 to
>> >> resolv.conf as a workaround, but I'm really puzzled as to why this
>> >> situation exists.  Does anyone else run their own bind resolver on
>> >> Bell FibreOp?  Just dealing with a bind9 resolver, not dealing with
>> >> running a domain's DNS.
>> >>
>> >> The failure seems specific to lookup of bellaliant.net while having a
>> >> Linux client talk to the Bell Aliant NS for resolving.
>> >> _______________________________________________
>> >> nSLUG mailing list
>> >> nSLUG at nslug.ns.ca
>> >> http://nslug.ns.ca/mailman/listinfo/nslug
>> >
>> > --
>> > George N. White III <aa056 at chebucto.ns.ca>
>> > Head of St. Margarets Bay, Nova Scotia
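As an added diagnostic example (not from the thread or its participants): a small Python probe that sends the A query for bellaliant.net to the Aliant nameserver named in the thread twice, once as a plain stub query like Windows nslookup, and once with the EDNS0 DO bit that dig +trace/+dnssec and a validating bind9 set, then classifies what comes back (NOERROR, SERVFAIL, timeout). That the DO bit or EDNS0 is what separates the working and failing clients is an assumption to test, not something the thread establishes; the sample reply below is constructed.

```python
import socket
import struct

QNAME = "bellaliant.net"   # name that fails to resolve in the thread
NS_IP = "198.164.30.2"     # dns-nb00.aliant.net, the server the thread queried
QID = 0x1234               # fixed query ID so replies can be matched

def build_query(name, dnssec=False):
    """Wire-format A/IN query. dnssec=True appends an EDNS0 OPT record with the
    DO bit (as dig +dnssec / bind9 send); False looks like a plain stub query."""
    header = struct.pack("!HHHHHH", QID, 0x0100, 1, 0, 0, 1 if dnssec else 0)
    qname = b"".join(bytes([len(lb)]) + lb.encode() for lb in name.split(".")) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)          # QTYPE=A, QCLASS=IN
    opt = b""
    if dnssec:   # OPT RR: root name, type 41, UDP size 4096, ext-rcode/version 0,
                 # flags 0x8000 (DO bit), empty RDATA
        opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return header + question + opt

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def classify_response(data):
    """Short verdict for a raw UDP reply; None means the query timed out."""
    if data is None:
        return "TIMEOUT"
    rid, flags = struct.unpack("!HH", data[:4])
    if rid != QID:
        return "ID-MISMATCH"
    return RCODES.get(flags & 0x000F, "RCODE-%d" % (flags & 0x000F))

def probe(server, name, dnssec, timeout=5.0):
    """Send one query over UDP port 53 and classify what comes back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name, dnssec), (server, 53))
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            data = None
        except OSError:
            return "UNREACHABLE"
    return classify_response(data)

# Constructed reply (not captured from the thread): ID echoed, QR/RD/RA set,
# RCODE 2, i.e. the SERVFAIL a validating resolver returns on bad signatures.
SAMPLE_SERVFAIL = struct.pack("!HHHHHH", QID, 0x8182, 1, 0, 0, 0)

if __name__ == "__main__":
    print("constructed reply:", classify_response(SAMPLE_SERVFAIL))
    for do in (False, True):
        print("DO bit %s: %s" % ("set" if do else "clear", probe(NS_IP, QNAME, do)))
```

If the plain query answers and only the DO-bit query times out, something on the path is dropping EDNS0 queries; if both behave the same, the difference between the clients lies elsewhere (e.g. NAT or source-port handling).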

