DNS & network news

Monthly Archive: June 2015

DNSBL — what do the pros do?

For nearly a month now, my domain (brinckerhoff.org) has been DNSBL’ed by sbcglobal.net MX hosts:

XXXXX@sbcglobal.net: host al-ip4-mx-vip2.prodigy.net[] said: 553 5.3.0 alph167 DNSBL:RBL 521< XXX.XXX.XXX.XXX is_blocked._For_information_see_http://att.net/blocks (in reply to MAIL FROM command)

(NB: XXXs replace actual text, but if you have half a brain you can just look up my MX record…)

I’ve filled out their forms, and I’ve sent them e-mail, and I’ve gotten no response whatsoever. So here’s my question: what do the professionals do, here? It appears that they run their own DNSBL, and there’s literally no way to get in touch with these guys.

submitted by jbclements

Powered by WPeMatico

Update on Joker and secure DNS implementation - war stories and working DNSSEC

Hello. In https://www.reddit.com/r/dns/comments/38scdv/looking_for_just_a_dnssec_dns_provider_not_a/ I asked for a DNSSEC hosting service, as Joker, my registrar, can do DNSSEC but not using Joker nameservers.

I had a slightly odd experience with some DMARC records and one supplier who was using Windows software and told me that my HTML form on their website would not allow me to send that question. I am a Linux person, so supporting a DNS firm that had Windows server software was a snowing-in-hell event.

I opted for rage4.com as the new DNS provider, as I have no idea how many queries I get coming from Joker, and if that gets too expensive then I can change DNS providers to one of those fixed-price options.

I recreated the zone file (really nice), thought about it for a week and decided to switch from Joker nameservice to Rage4, and do DNSSEC (very easy at Rage4).

I did the change on a Saturday and got Joker confirmation of the changes, and then it sort of went wrong, as the DNS change did not recognise at my TLD, which is DNSSEC-signed.

However, I had zones, so I asked Joker what I did wrong, and the DNSKEYs and nameserver change were resubmitted. Somehow it worked on the second attempt, but don't ask me why it failed.

DNSSEC was on and I was 50% there; dnsviz is a great help as a tool.

You need a KSK (key signing key) and a ZSK (zone signing key). The Rage4 DNSSEC page tells you most of the info, with the public key for the domain, but not how it might stick together.

Joker wants kd-alg, kd-flags, kd-protocol and kd-pubkey (in service zone).

- kd-alg is 7, which is rsasha1, from the settings at Rage4
- kd-flags should be 256 (ZSK) and 257 (KSK), settings from Rage4
- kd-protocol is 3, which seems to convert to rsa-sha-nsec3; seems to be the only value Joker likes
- kd-pubkey is a long string Rage4 provides

So you have two entries for DNSSEC at Joker: 7 256 3 [public key] and 7 257 3 [public key].

I was missing the 257 line, so there was no key to connect to the TLD until I added the 257 line from above.

Some non-Joker registrars use an algorithm digest, rsasha1 and rsasha256, but those are not used at Joker.

I had no further problems after that with either Joker or Rage4, although our DD-WRT router is a bit lazy, so I pointed the DNSSEC Firefox plugin from .cz at a local BIND server and it turns green.

As a first time doing DNSSEC, this was educational if not perfect, but with the wrong nameservers that was actually OK. I am not sure how much of that is me or the exchange between my registrar and the TLD.

There are other DNS hosters out there; it's early days, but I hope this might help somebody.

submitted by bananasfk

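The post above lists the four fields a registrar form asks for (algorithm, flags, protocol, public key) but says it was unclear how they "stick together". The script below is an added example, not code from the poster, Joker or Rage4: it assembles those fields into DNSKEY wire-format RDATA, computes the RFC 4034 key tag (the number dnsviz shows next to each key), derives the DS digest the parent zone (the TLD) publishes, and reports which role (ZSK or KSK) is missing from a set of entries, which is exactly the failure in the post. Two facts it relies on: the protocol field is always 3 (RFC 4034 requires it, which is why the form accepts nothing else), and algorithm 7 is RSASHA1-NSEC3-SHA1 per the IANA registry. Note that the standard DNSKEY presentation order is "flags protocol algorithm key" (e.g. "257 3 7 ..."), not the alg/flags/protocol order of the form. The owner name example.org and both base64 key blobs are constructed placeholders, not real keys.

```python
import base64
import hashlib
import struct

# Constructed sample public-key blobs (NOT real RSA keys), base64-encoded the way a
# hosting UI presents kd-pubkey. Real ZSK and KSK are different keys, so use two blobs.
SAMPLE_ZSK_B64 = base64.b64encode(b"\x03\x01\x00\x01" + bytes(range(1, 65))).decode()
SAMPLE_KSK_B64 = base64.b64encode(b"\x03\x01\x00\x01" + bytes(range(64, 0, -1))).decode()

# IANA DNSSEC algorithm numbers relevant to the post (7 = RSASHA1-NSEC3-SHA1).
ALGORITHMS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 13: "ECDSAP256SHA256"}
DNSKEY_PROTOCOL = 3     # RFC 4034 s2.1.2: MUST be 3; anything else is not a valid DNSKEY
FLAG_ZONE_KEY = 0x0100  # bit 7: zone key (both 256 and 257 carry it)
FLAG_SEP = 0x0001       # bit 15: Secure Entry Point, i.e. the KSK (257 = 256 + 1)


def wire_name(owner: str) -> bytes:
    """Canonical wire-format owner name (RFC 4034 s6.2): lowercase, length-prefixed labels."""
    labels = owner.rstrip(".").lower().split(".")
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA on the wire: flags(2) | protocol(1) | algorithm(1) | public key bytes."""
    if protocol != DNSKEY_PROTOCOL:
        raise ValueError(f"DNSKEY protocol must be 3, got {protocol}")
    if not flags & FLAG_ZONE_KEY:
        raise ValueError(f"flags {flags} lack the zone-key bit; expected 256 or 257")
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: 16-bit sum over the RDATA with carry folded in."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += (b << 8) if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS digest (RFC 4034 s5.1.4): hash(owner name | DNSKEY RDATA); type 1 = SHA-1, 2 = SHA-256."""
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return hasher(wire_name(owner) + rdata).hexdigest().upper()


def describe_key(owner: str, alg: int, flags: int, protocol: int, pubkey_b64: str) -> dict:
    """Take the four registrar-form fields and show how they fit together."""
    rdata = dnskey_rdata(flags, protocol, alg, pubkey_b64)
    role = "KSK" if flags & FLAG_SEP else "ZSK"
    return {
        "role": role,
        "flags": flags,
        "algorithm": ALGORITHMS.get(alg, f"unknown({alg})"),
        "key_tag": key_tag(rdata),
        # Only the KSK (SEP bit set) is what the parent zone's DS record points at;
        # without a 257 entry there is nothing for the TLD to chain to.
        "ds_sha256": ds_digest(owner, rdata, 2) if role == "KSK" else None,
        "dnskey_presentation": f"{flags} {protocol} {alg} {pubkey_b64}",
    }


def missing_roles(entries: list) -> set:
    """Return which of {'KSK', 'ZSK'} is absent from a list of {'flags': ...} entries."""
    present = {"KSK" if e["flags"] & FLAG_SEP else "ZSK" for e in entries}
    return {"KSK", "ZSK"} - present


if __name__ == "__main__":
    # Reproduce the post's situation: only the 256 line submitted, so the KSK is missing.
    entries = [{"alg": 7, "flags": 256, "protocol": 3, "pubkey": SAMPLE_ZSK_B64}]
    print("missing roles:", missing_roles(entries))
    entries.append({"alg": 7, "flags": 257, "protocol": 3, "pubkey": SAMPLE_KSK_B64})
    print("missing roles after adding 257 line:", missing_roles(entries))
    for e in entries:
        print(describe_key("example.org.", e["alg"], e["flags"], e["protocol"], e["pubkey"]))
```

The DS digest printed for the KSK is what a registrar that takes a DS rather than a DNSKEY (the "algorithm digest" the post mentions) would want; for a registrar like Joker that takes the DNSKEY itself, the key tag is the quickest way to confirm that the 257 entry you submitted is the one dnsviz reports in the chain from the TLD.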

Seemingly random PCs not registering with DNS

So we’ve got a bit of a strange thing happening in our network at the moment. There’s been an increasing number of PCs beginning to appear as though they are offline (our users receive an email to the department that the offline PC is in) despite them being online with full network access. It looks like, for whatever reason, these PCs just aren’t registering with DNS, despite there being no differences between them and other PCs that never encounter this problem. Running ipconfig /registerdns fixes the problem without fail; however, it would be good to know what the root cause of the issue is. Does anyone have any insights into this?

submitted by chrem93


Non-optimal results from local caching server to CDNs?

I have a BIND server set up on my home LAN. There is a private TLD for my local network, and I have a forwarder set up for my work domain so that I can forward those lookups over a VPN to get the internal view in our split DNS setup there. That’s pretty much it... simple.

The other day, troubleshooting a huge latency issue with my home ISP, I noticed my ping time to Google seemed unusually high even when there was no issue (~30-40 ms). That’s obviously not causing any noticeable problems, but I’d expect better than that from them. So I did a local dig lookup against Google DNS, which gave me different results, and pinging those I see latency of around 15 ms.

Does anyone know why/how this could happen and how to resolve it? My understanding is that CDNs/Anycast DNS will return the closest results relative to the resolver, not the requester (which it can’t see). In this case the resolver is local to my network, so it should be absolutely optimal.

submitted by diito
