[nSLUG] resolving bellaliant.net while on fibreop

D G Teed donald.teed at gmail.com
Tue Aug 18 19:53:11 ADT 2015


Hi again,

Thanks Jack and Johann for checking your FibreOp results.

The situation is similar to several articles, like this stack exchange one:

http://serverfault.com/questions/649289/bind-not-able-to-query-some-servers-domains

I've determined it isn't a bind issue, but either something wacky with
NAT on the Asus router with merlin firmware, or like the above article
concluded, something going on with IDS at Aliant.  I'm not using the
Bell Aliant supplied ActionTec router, due to it having telnet open
(common to 23% of the IPs in my range).

The end of the trip where it fails is talking to the DNS server at Bell Aliant.

Linux client:

# host bellaliant.net 142.177.1.2
;; connection timed out; no servers could be reached

Windows client:

>nslookup bellaliant.net 142.177.1.2
DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  142.177.1.2

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to UnKnown timed-out

Asus router:

admin at RT-N66U:/tmp/home/root# nslookup bellaliant.net 142.177.1.2
Server:    142.177.1.2
Address 1: 142.177.1.2 dns-ns00.aliant.net

Name:      bellaliant.net
Address 1: 70.33.239.144

It seems unlikely to be a NAT issue as any other lookup I test is
fine.  But it is a possibility if there was something unusual for the
case of bellaliant.net.

The article suggested doing a traceroute with UDP 53.

This is the result from Linux:

# traceroute -U -p 53 dns-ns00.aliant.net
traceroute to dns-ns00.aliant.net (142.177.1.2), 30 hops max, 60 byte packets
 1  clark.localdomain.domain (192.168.0.1)  0.292 ms  0.430 ms  0.676 ms
 2  loop0.6cw.ba17.hlfx.ns.aliant.net (142.176.50.10)  12.320 ms  12.360 ms  12.463 ms
 3  BVI83.cr01.hlfx.ns.aliant.net (142.176.53.34)  12.923 ms  13.021 ms  irb-84.cr02.hlfx.ns.aliant.net (142.176.53.49)  12.383 ms
 4  fwint-ns90-v0.aliant.net (142.176.6.250)  12.568 ms  12.609 ms  12.703 ms
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *

I'm thinking fwint-ns90 is likely "firewall internal", meaning it is
taking care of protection from the customers, not from the Internet.
If I do the same trace with another DNS server, say a5-65.akam.net for
a lookup of CBC.CA, it does trace OK.  I don't see how to make the
busybox traceroute in the router do the same type of trace, but I
suspect it makes it.

I might set up a forwarder line for bellaliant.net in my bind configuration.
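
The following is an added example, not part of the original post: a small parser for UDP traceroute output like the trace above that reports the last hop to answer and how many silent hops follow it, tolerating hop lines that a mail client has wrapped. The sample trace, host names and addresses are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample in the shape of `traceroute -U -p 53` output; hop 2 is
# wrapped across two lines. Names and addresses are placeholders, not real hops.
SAMPLE = """\
traceroute to resolver.example (192.0.2.53), 30 hops max, 60 byte packets
 1  gw.example (192.168.0.1)  0.292 ms  0.430 ms  0.676 ms
 2  edge.example (198.51.100.10)  12.320 ms
12.360 ms  12.463 ms
 3  fw.example (198.51.100.250)  12.568 ms  12.609 ms  12.703 ms
 4  * * *
 5  * * *
"""

HOP_START = re.compile(r"^\s*(\d+)\s+(\S.*)$")
# Assumes the default "name (ip)" form, i.e. traceroute run without -n.
HOST = re.compile(r"(\S+) \((\d{1,3}(?:\.\d{1,3}){3})\)")

def parse_hops(text):
    """Return [(ttl, [(name, ip), ...])]; an empty host list means no probe was answered."""
    hops = []
    for line in text.splitlines():
        if line.startswith("traceroute to") or not line.strip():
            continue
        m = HOP_START.match(line)
        # A real hop line carries the next TTL in sequence; anything else is
        # treated as the wrapped tail of the hop before it.
        if m and int(m.group(1)) == len(hops) + 1:
            hops.append([int(m.group(1)), m.group(2)])
        elif hops:
            hops[-1][1] += " " + line.strip()
    return [(ttl, HOST.findall(body)) for ttl, body in hops]

def last_responder(hops):
    """Return (last answering hop or None, number of silent hops after it)."""
    answered = [(ttl, hosts) for ttl, hosts in hops if hosts]
    if not answered:
        return None, len(hops)
    ttl, hosts = answered[-1]
    return (ttl, hosts), sum(1 for t, h in hops if t > ttl and not h)

if __name__ == "__main__":
    last, silent = last_responder(parse_hops(SAMPLE))
    print("last responding hop:", last, "| silent hops after it:", silent)
```

Trailing silence only shows where ICMP replies stop coming back; it does not by itself identify which device is dropping the probes.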

