[nSLUG] resolving bellaliant.net while on fibreop

Jack Warkentin jwark at bellaliant.net
Tue Aug 18 12:19:00 ADT 2015


Hi Everybody

If I understand correctly, the problem is that the domainname 
bellaliant.net is not being resolved using nslookup, dig, and host when 
running a home linux system connected to Bell Aliant's FibreOp.

Well, I am running Debian Wheezy and my ISP is indeed Bell Aliant's 
FibreOp. Internet access is provided by the wireless router provided by 
the ISP.

I don't use bind9. I use unbound instead.

Here are the results that I get.

$ nslookup bellaliant.net
Server:		192.168.2.1
Address:	192.168.2.1#53

Non-authoritative answer:
Name:	bellaliant.net
Address: 70.33.239.144

$ dig bellaliant.net

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> bellaliant.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52619
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;bellaliant.net.			IN	A

;; ANSWER SECTION:
bellaliant.net.		600	IN	A	70.33.239.144

;; AUTHORITY SECTION:
bellaliant.net.		86400	IN	NS	dns-nb00.aliant.net.
bellaliant.net.		86400	IN	NS	dns-ns00.aliant.net.

;; Query time: 8 msec
;; SERVER: 192.168.2.1#53(192.168.2.1)
;; WHEN: Tue Aug 18 12:03:33 2015
;; MSG SIZE  rcvd: 101

$ host bellaliant.net
bellaliant.net has address 70.33.239.144
bellaliant.net mail is handled by 10 mx.bellaliant.net.

Hope this helps.

Regards

Jack

D G Teed wrote:
> On Mon, Aug 17, 2015 at 3:42 PM, George N. White III <gnwiii at gmail.com> wrote:
>> On Sun, Aug 16, 2015 at 8:03 PM, D G Teed <donald.teed at gmail.com> wrote:
>>>
>>> On Sun, Aug 16, 2015 at 4:17 PM, George N. White III <gnwiii at gmail.com> wrote:
>>>> On Sun, Aug 16, 2015 at 9:22 AM, D G Teed <donald.teed at gmail.com> wrote:
>>>>
>>>>> Setup:
>>>>>
>>>>> fibreop home ISP
>>>>>
>>>>> Two Linux systems behind Asus router cannot resolve
>>>>> bellaliant.net using bind9 (host,nslookup or dig)
>>>>>
>>>>> e.g. host bellaliant.net 192.168.0.10
>>>>> where 192.168.0.10 is my Linux box.
>>>>>
>>>>> Linux systems can resolve bellaliant.net using 8.8.8.8 as resolver
>>>>>
>>>>> Windows system also behind Asus router can resolve bellaliant.net
>>>>> using Linux systems as resolver - testing with nslookup on Windows
>>>>>
>>>>> Asus router can resolve bellaliant.net using nslookup on router
>>>>> (Merlin firmware)
>>>>>
>>>>> Linux systems behind router can resolve random domains to lookup, such
>>>>> as cbc.ca or england.com
>>>>>
>>>>> dig with +trace on Linux ends like this:
>>>>>
>>>>> ;; Received 489 bytes from 199.7.83.42#53(199.7.83.42) in 982 ms
>>>>>
>>>>> bellaliant.net. 172800 IN NS dns-nb00.aliant.net.
>>>>> bellaliant.net. 172800 IN NS dns-ns00.aliant.net.
>>>>> ;; Received 117 bytes from 192.54.112.30#53(192.54.112.30) in 10142 ms
>>>>>
>>>>> ;; connection timed out; no servers could be reached
>>>>>
>>>>
>>>>
>>>> "dig <host> +trace" adds "+dnssec".  "Applications don't necessarily need
>>>> DNSSEC support to benefit from it. If the local nameserver is configured to
>>>> make DNSSEC mandatory, then the applications will receive a SERVFAIL error
>>>> trying to access any domain that is DNSSEC enabled if the signature data
>>>> isn't valid."  See: https://wiki.debian.org/DNSSEC
>>>>
>>>
>>> I have the default from Debian 8, which is also in Redhat 6/7:
>>>
>>> dnssec-validation auto;
>>>
>>> In any case, there is no DS record:
>>>
>>> host -t DS bellaliant.net
>>> bellaliant.net has no DS record
>>>
>>> So they don't expect DNSSEC.  Also, the plain host lookup check
>>> without dig's +trace also fails from home, while host lookup from work
>>> succeeds.
>>>
>>> Home:
>>> host -W60 bellaliant.net 198.164.30.2
>>> ;; connection timed out; no servers could be reached
>>>
>>> Work:
>>>   host -W60 bellaliant.net 198.164.30.2
>>> Using domain server:
>>> Name: 198.164.30.2
>>> Address: 198.164.30.2#53
>>> Aliases:
>>>
>>> bellaliant.net has address 70.33.239.144
>>>
>>> It seems like Bell is somehow blocking Linux/bind client
>>> queries from their customers.  The clients work for everything
>>> else out there.
>>
>>
>> Interesting.   Do queries from Windows include some secret handshake
>> that would permit such discrimination?
>
> I'm thinking more of packet inspection stuff at the Bell end,
> which doesn't like Linux, as some sort of anti DNS DOS
> defence.  But it is conjecture.  I'd really like someone to
> try it and see if they get the same result from Bell FibreOp.
> I know there are some nslug folk on FibreOp in NS.
>
> If Windows gets by this test by using an answer from the router, the
> theory of the packet block is wrong.  I could be looking
> at a NAT problem of some sort, but it beats me as to why
> a NAT issue would be specific to look up of bellaliant.net
>
> As I said, I need more data points, thus I ask the list.
>
>
>>
>>>
>>>
>>> But thanks for reporting on the +trace quirk...
>>>
>>>>
>>>>
>>>>>
>>>>> Linux can look up dns-nb00.aliant.net and get 198.164.30.2
>>>>>
>>>>> but then:
>>>>>
>>>>> host bellaliant.net 198.164.30.2
>>>>> ;; connection timed out; no servers could be reached
>>>>>
>>>>> On my work Linux desktop, I can do the above lookup using 198.164.30.2
>>>>> and get an answer.
>>>>>
>>>>> Since the Asus router can do the lookup, I can add 192.168.0.1 to
>>>>> resolv.conf as a workaround, but I'm really puzzled as to why this
>>>>> situation exists.  Does anyone else run their own bind resolver on
>>>>> Bell FibreOp?  Just dealing with a bind9 resolver, not dealing with
>>>>> running a domain's DNS.
>>>>>
>>>>> The failure seems specific to lookup of bellaliant.net while having a
>>>>> Linux client talk to the Bell Aliant NS for resolving.
>>>>> _______________________________________________
>>>>> nSLUG mailing list
>>>>> nSLUG at nslug.ns.ca
>>>>> http://nslug.ns.ca/mailman/listinfo/nslug
>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> George N. White III<aa056 at chebucto.ns.ca>
>>>> Head of St. Margarets Bay, Nova Scotia
>>>>
>>
>>
>>
>>
>> --
>> George N. White III<aa056 at chebucto.ns.ca>
>> Head of St. Margarets Bay, Nova Scotia
>>

-- 
Jack Warkentin, phone 902-404-0457, email jwark at bellaliant.net
39 Inverness Avenue, Halifax, Nova Scotia, Canada, B3P 1X6
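
Added example, not part of the original message or of any tool mentioned in it: a small Python parser for `dig` output like that shown above, reporting which server replied, with what status, and whether the reply carried the authoritative (`aa`) flag. The names `summarize_dig` and `server_kind` are made up for this illustration; the sample text is taken from the message with whitespace normalised.

```python
import ipaddress
import re

# Lines taken from the dig output in the message above (whitespace normalised).
SAMPLE_DIG = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52619
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; ANSWER SECTION:
bellaliant.net.  600  IN  A  70.33.239.144

;; Query time: 8 msec
;; SERVER: 192.168.2.1#53(192.168.2.1)
"""

# The failure line quoted in the thread for direct queries to 198.164.30.2.
SAMPLE_TIMEOUT = ";; connection timed out; no servers could be reached\n"


def server_kind(addr):
    """Classify the responding address: loopback, lan (private) or public."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"
    return "lan" if ip.is_private else "public"


def summarize_dig(text):
    """Summarise one dig run: who replied, with what status and flags."""
    if "connection timed out" in text:
        return {"status": "TIMEOUT", "server": None, "server_kind": None,
                "flags": [], "authoritative": False, "answers": []}
    status = re.search(r"status: (\w+)", text).group(1)
    flags = re.search(r"flags: ([a-z ]+);", text).group(1).split()
    server = re.search(r"SERVER: ([^#\s]+)#", text).group(1)
    answers = [(name, int(ttl), addr) for name, ttl, addr in
               re.findall(r"^(\S+)\s+(\d+)\s+IN\s+A\s+(\S+)\s*$", text, re.M)]
    return {"status": status, "server": server,
            "server_kind": server_kind(server), "flags": flags,
            "authoritative": "aa" in flags, "answers": answers}


if __name__ == "__main__":
    for label, out in (("answer", SAMPLE_DIG), ("timeout", SAMPLE_TIMEOUT)):
        print(label, summarize_dig(out))
```

A result with `server_kind` of `lan` and no `aa` flag was answered by a resolver on the local network, so it does not exercise the direct path to the domain's name servers that times out in the quoted thread.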

