DNS & network news

Monthly Archive: March 2017

Global Anycast DNS Providers which accept AXFR/IXFR

I am evaluating Global Anycast DNS providers which can operate as “slaves” via the standard AXFR/IXFR protocol (so we can manage via hidden master).

Dyn and Akamai FastDNS both support AXFR/IXFR and have a very good global footprint for their anycast network.

Any other providers I should be considering? I don’t think either Route53 or Google DNS support domain transfers currently…

Thanks!

submitted by /u/rvdolson

Powered by WPeMatico
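A hidden-master setup like the one asked about above lives or dies on the secondary accepting transfers only from a key-authenticated master, which in practice means TSIG. The block below is an added example, not code from the post or from any provider: it builds an AXFR request, signs it with TSIG (RFC 8945, HMAC-SHA256), and verifies such a signature the way a secondary would before honouring the transfer. The key name `axfr-key.hidden.example.`, the secret, the zone `example.com.` and the timestamp are made-up assumptions; no network traffic is sent.

```python
"""TSIG-signed AXFR request and verifier (RFC 8945), standard library only.

Added example. Key name, secret, zone and timestamp are invented; the
message is built and checked in memory, nothing is sent on the wire.
"""
import hashlib
import hmac
import struct

TYPE_AXFR, TYPE_TSIG, CLASS_IN, CLASS_ANY = 252, 250, 1, 255
ALGORITHMS = {"hmac-sha256.": hashlib.sha256, "hmac-sha1.": hashlib.sha1}


def encode_name(name):
    """Canonical wire form: lowercase labels, no compression, terminating zero."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_axfr_query(zone, qid):
    """Plain AXFR query: 12-byte header plus one question (type 252, class IN)."""
    return (struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 0)
            + encode_name(zone) + struct.pack("!HH", TYPE_AXFR, CLASS_IN))


def _pack_time(time_signed):
    return struct.pack("!HI", time_signed >> 32, time_signed & 0xFFFFFFFF)  # 48-bit field


def _tsig_variables(key_name, algorithm, time_signed, fudge, error=0, other=b""):
    """TSIG fields that are MACed right after the message (RFC 8945 section 4.3.3)."""
    return (encode_name(key_name) + struct.pack("!HI", CLASS_ANY, 0)
            + encode_name(algorithm) + _pack_time(time_signed)
            + struct.pack("!HHH", fudge, error, len(other)) + other)


def tsig_sign(msg, key_name, secret, time_signed, algorithm="hmac-sha256.", fudge=300):
    """Return `msg` with a TSIG RR appended and ARCOUNT incremented."""
    variables = _tsig_variables(key_name, algorithm, time_signed, fudge)
    mac = hmac.new(secret, msg + variables, ALGORITHMS[algorithm]).digest()
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    rdata = (encode_name(algorithm) + _pack_time(time_signed)
             + struct.pack("!HH", fudge, len(mac)) + mac
             + struct.pack("!HHH", qid, 0, 0))  # original ID, error, other len
    tsig_rr = encode_name(key_name) + struct.pack("!HHIH", TYPE_TSIG, CLASS_ANY, 0, len(rdata)) + rdata
    return struct.pack("!HHHHHH", qid, flags, qd, an, ns, ar + 1) + msg[12:] + tsig_rr


def _skip_name(msg, off):
    """Advance past a name, which may end in a 2-byte compression pointer."""
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] & 0xC0 == 0xC0 else 1)


def _read_name(msg, off):
    """Decode an uncompressed name (TSIG owner and algorithm names are never compressed)."""
    labels = []
    while msg[off]:
        labels.append(msg[off + 1:off + 1 + msg[off]].decode("ascii"))
        off += 1 + msg[off]
    return ".".join(labels) + ".", off + 1


def tsig_verify(signed, key_name, secret, now):
    """Return (ok, reason); recomputes the MAC over the message with its TSIG RR stripped."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", signed[:12])
    if ar == 0:
        return False, "no TSIG record"
    off = 12
    for _ in range(qd):
        off = _skip_name(signed, off) + 4
    last = off
    for _ in range(an + ns + ar):  # walk to the final RR, which must be the TSIG
        last = off
        off = _skip_name(signed, off)
        off += 10 + struct.unpack("!H", signed[off + 8:off + 10])[0]
    name, p = _read_name(signed, last)
    if struct.unpack("!H", signed[p:p + 2])[0] != TYPE_TSIG or name != key_name.lower().rstrip(".") + ".":
        return False, "last record is not a TSIG for this key"
    algorithm, p = _read_name(signed, p + 10)  # skip type, class, TTL, RDLENGTH
    if algorithm not in ALGORITHMS:
        return False, "unsupported algorithm " + algorithm
    hi, lo, fudge, mac_len = struct.unpack("!HIHH", signed[p:p + 10])
    time_signed, mac = (hi << 32) | lo, signed[p + 10:p + 10 + mac_len]
    p += 10 + mac_len
    orig_id, error, other_len = struct.unpack("!HHH", signed[p:p + 6])
    other = signed[p + 6:p + 6 + other_len]
    if abs(now - time_signed) > fudge:
        return False, "time signed outside fudge window"
    unsigned = struct.pack("!HHHHHH", orig_id, flags, qd, an, ns, ar - 1) + signed[12:last]
    variables = _tsig_variables(key_name, algorithm, time_signed, fudge, error, other)
    expected = hmac.new(secret, unsigned + variables, ALGORITHMS[algorithm]).digest()
    return (True, "ok") if hmac.compare_digest(mac, expected) else (False, "MAC mismatch")
```

The same request is what `dig -y hmac-sha256:axfr-key.hidden.example:<base64 secret> @<secondary> example.com AXFR` sends, which is the quickest way to confirm a candidate provider really honours a keyed transfer and rejects an unkeyed one. Note that the verifier rejects a message whose time stamp is outside the fudge window, so the hidden master and the secondary need sane clocks.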

AT&T U-verse

I’ve been running with Google Public DNS (Windows side) for over a year with no issues. Today, several sites would not connect (Reddit among them). I changed my DNS to DHCP to use AT&T and it works fine. I then changed to OpenDNS and it’s fine.

Any ideas as to why all of a sudden Google DNS no longer works? I was streaming from a movie site when it went down so I panicked a bit. I can ping 8.8.8.8 with no issues but it won’t resolve websites.

submitted by /u/slugger1412

Strange DNS issue with Google Ads

I run a bind instance at home, mainly just to tinker and do some rudimentary DNS filtering on my kids’ devices.

Recently, I’ve been getting Chrome “Certificate Revoked” errors every time I click on an ad. I checked the cert, and it’s a Startcom cert, which most browsers have started rejecting due to some shenanigans in the way the company was issuing certs.

Strange.

So the name on the cert is “pacy01.pacyworld.com”. Pacyworld looks like a small web host in Florida. The domain Google uses to redirect its ads is www.googleadservices.com. This is a CNAME for pagead.l.doubleclick.net.

My bind instance is set with Google’s public DNS servers as forwarders (8.8.8.8 and 8.8.4.4).

My bind cache has this domain name (pagead.l.doubleclick.net) resolving to 63.247.147.167, corresponding to pacy01.pacyworld.com. The TTL is also 1 day, as opposed to the short TTLs on most of Google’s records (like 300s). If I dig at Google’s public DNS servers, I consistently get different results (always Google IPs).

So, I clear my bind cache and everything is OK for a while. But due to the short TTLs on the “correct” responses, eventually, that rogue entry winds up in the cache again and stays there for 24h, leading to cert errors every time someone clicks an ad.

Is it possible Google has misconfigured their DNS for this domain, or is something happening in my network which is leading to this incorrect entry continuing to reappear in my bind cache?

I don’t really understand the mechanics of cache poisoning, but could I have something in my network that would poison the cache of an internal resolver? My understanding of cache poisoning is that it affects public resolvers, but like I said, my understanding is pretty limited.

Any ideas?

submitted by /u/bellwoodian

Newb Question

I recently installed WordPress on an EC2 instance using Bitnami and all was well, but running a bit slow after I set up the elastic IP for the domain DNS settings. I stopped the instance to upgrade the instance type hoping this would help, and when I restarted the instance the site and admin site would no longer load. Am I doomed or is there a simple fix to this? As a note, I did not back up anything (though still unsure if I was supposed to..). Any help would be super appreciated!

submitted by /u/geltmelt

Will using DNS to redirect a subdomain to an internal server where our web app is hosted cause problems when trying to access our TLD from within our network?

I am currently deploying a web app that I built for a small business. The app is intended for use exclusively from within the company’s internal network. It uses “Log in with Google” to authenticate users since the company uses Google’s G Suite (employees have their employee@company.com email through Google). This way users can just use their existing email account to access the app instead of having to create a new account. To use Google’s auth platform, you have to register your app with Google and specify an address from which the auth request will originate.

Since the app is for internal use only, we configured the DNS to direct app.company.local to the server’s IP address. The app works fine initially but breaks when attempting to authenticate because Google does not consider either app.company.local/google or 192.168.x.x/google as valid request originators. The following error is displayed:

Error: invalid_request Invalid parameter value for redirect_uri: .local URIs not allowed

or

Invalid Redirect: http://x.x.x.x [redacted] must end with a public top-level domain (such as .com or .org)

The following Stack Overflow question provides a solution for development environments, however, for deployment, modifying the host files of all the company’s computers does not seem feasible.

The company has a company.com domain name which serves the company’s website. To solve our problem, we’re thinking of configuring our DNS to use a sub-domain such as app.companyname.com to redirect to our local server hosting the web app when accessed from within the company’s network. This would solve our problem with Google’s auth. However, this raised the concern that if app.companyname.com redirects to the app’s server, then trying to access companyname.com from within our network will also redirect to the server and not to the company website. This does not sound correct to me since we’d only configure the DNS for app.companyname.com to redirect to the app’s server and not companyname.com but I don’t know enough about the topic to confirm or deny this. My background is in programming so I am kind of lost on networking topics. Any help is greatly appreciated.

submitted by /u/greatstuffb

Is my router intercepting DNS queries?

Hi all, DNS noob here.

It looks like the router is intercepting and tinkering with DNS queries. Can someone verify this or am I too paranoid and there is just some misconfiguration on my side? Here is my setup:

  • Router/Gateway/DHCP-server @ 192.168.2.1
  • Pi-Hole running dnsmasq @ 192.168.2.101
  • Client machine @ 192.168.2.103

Pi-hole with dnsmasq is configured to use Google’s DNS at 8.8.8.8 as the upstream DNS server. Queries for domains not on the blacklist should be forwarded to the upstream DNS server. Unexpectedly, it gets forwarded to my provider’s DNS servers (which the Pi-Hole should know nothing about):

    $ dig google.com +norecurse

    ; <<>> DiG 9.8.3-P1 <<>> google.com +norecurse
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55833
    ;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2

    ;; QUESTION SECTION:
    ;google.com.                        IN      A

    ;; AUTHORITY SECTION:
    .                           3600    IN      NS      FWDR-227.FWDR-16.FWDR-95.FWDR-176.
    .                           3600    IN      NS      FWDR-251.FWDR-16.FWDR-95.FWDR-176.

    ;; ADDITIONAL SECTION:
    FWDR-227.FWDR-16.FWDR-95.FWDR-176.  3600    IN      A       176.95.16.227
    FWDR-251.FWDR-16.FWDR-95.FWDR-176.  3600    IN      A       176.95.16.251

    ;; Query time: 13 msec
    ;; SERVER: 192.168.2.101#53(192.168.2.101)
    ;; WHEN: Sun Mar 19 15:03:31 2017
    ;; MSG SIZE  rcvd: 194

And this is what I see in the pi-hole logs:

    Mar 19 15:03:31 dnsmasq[3818]: query[A] google.com from 192.168.2.103
    Mar 19 15:03:31 dnsmasq[3818]: forwarded google.com to 8.8.8.8

Strange, huh? Is there any other explanation apart from the router replacing the Google DNS server with my provider’s DNS servers in the “ADDITIONAL SECTION”?

Cheers & Thanks

submitted by /u/huepfburg
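Both the Google Ads thread (a rogue A record that keeps landing in a BIND cache with a 24h TTL) and the Pi-hole thread (a `+norecurse` reply whose “root” name servers are FWDR-… hosts at the ISP) come down to looking at a raw DNS response and asking which of its records a resolver should ever have believed. The block below is an added example, not code from either post: a minimal DNS wire-format parser with two checks a resolver or a suspicious admin applies. The first is the bailiwick rule (RFC 2181 section 5.4.1 credibility): additional-section data outside the zone the answer speaks for must never enter the cache, which is the mechanism a poisoned forwarder or a hostile upstream abuses. The second flags an authority section that names root servers which are not `*.root-servers.net`, the fingerprint of a reply synthesised by something sitting between the resolver and 8.8.8.8. It also does, in code, the comparison the first poster made by hand between the cached and the freshly fetched answer. The sample messages are constructed: the first mirrors the ad thread but with RFC 5737 documentation addresses instead of the address the poster saw, the second reuses the NS names and address that appear in the dig output above.

```python
"""Minimal DNS wire-format parser plus two cache-hygiene checks.

Added example, not from either post. Sample messages at the bottom are
constructed; 192.0.2.x / 198.51.100.x are documentation addresses.
"""
import struct

TYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME"}
ROOT_SERVER_SUFFIX = ".root-servers.net."


def encode_name(name):
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset just past it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # pointer: follow it, remember where the caller continues
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
        elif length == 0:
            return ".".join(labels) + ".", (off + 1 if end is None else end)
        else:
            labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
            off += 1 + length


def rr(name, rtype, ttl, rdata):
    """One uncompressed class-IN resource record in wire form."""
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def a_rdata(ip):
    return bytes(int(o) for o in ip.split("."))


def build_response(qid, qname, flags, answer=(), authority=(), additional=()):
    """Assemble a response from prebuilt RRs (only used to construct test input)."""
    header = struct.pack("!HHHHHH", qid, flags, 1, len(answer), len(authority), len(additional))
    return header + encode_name(qname) + struct.pack("!HH", 1, 1) + b"".join(answer + authority + additional)


def parse_response(msg):
    """Return header fields and each section as a list of (owner, type, ttl, data)."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    off += 4  # QTYPE, QCLASS
    out = {"id": qid, "flags": flags, "qname": qname.lower()}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        out[section] = []
        for _ in range(count):
            owner, off = decode_name(msg, off)
            rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            if rtype == 1 and rdlen == 4:
                data = ".".join(str(b) for b in msg[off:off + 4])
            elif rtype in (2, 5):
                data = decode_name(msg, off)[0]
            else:
                data = msg[off:off + rdlen].hex()
            off += rdlen
            out[section].append((owner.lower(), TYPE_NAMES.get(rtype, rtype), ttl, data))
    return out


def bailiwick(parsed):
    """Approximate the zone the answer speaks for: authority NS owner, else the question name."""
    owners = [n for n, t, _, _ in parsed["authority"] if t == "NS"]
    return min(owners, key=len) if owners else parsed["qname"]


def in_zone(name, zone):
    return zone == "." or name == zone or name.endswith("." + zone)


def audit(parsed):
    """Findings a bailiwick-checking resolver (or a worried admin) would raise on this reply."""
    zone, findings = bailiwick(parsed), []
    for owner, rtype, _ttl, data in parsed["additional"]:
        if not in_zone(owner, zone):
            findings.append("out-of-bailiwick %s for %s (%s) in additional section: must not be cached"
                            % (rtype, owner, data))
    for owner, rtype, _ttl, data in parsed["authority"]:
        if owner == "." and rtype == "NS" and not data.lower().endswith(ROOT_SERVER_SUFFIX):
            findings.append("root NS points at %s, not a root server: reply rewritten in transit?" % data)
    return findings


def diff_a_records(cached, fresh):
    """A records present in one response but not the other (the poster's manual comparison)."""
    a = {d for _, t, _, d in cached["answer"] if t == "A"}
    b = {d for _, t, _, d in fresh["answer"] if t == "A"}
    return sorted(a - b), sorted(b - a)


# Constructed samples mirroring the two threads (addresses in the first are documentation ranges).
QNAME = "pagead.l.doubleclick.net."
SUSPECT = build_response(0x1111, QNAME, 0x8180,
                         answer=(rr(QNAME, 1, 86400, a_rdata("192.0.2.10")),),
                         additional=(rr("pacy01.pacyworld.com.", 1, 86400, a_rdata("192.0.2.10")),))
FRESH = build_response(0x2222, QNAME, 0x8180, answer=(rr(QNAME, 1, 300, a_rdata("198.51.100.1")),))
FAKE_ROOT = "FWDR-227.FWDR-16.FWDR-95.FWDR-176."
REFERRAL = build_response(55833, "google.com.", 0x8080,
                          authority=(rr(".", 2, 3600, encode_name(FAKE_ROOT)),),
                          additional=(rr(FAKE_ROOT, 1, 3600, a_rdata("176.95.16.227")),))
```

Run `audit(parse_response(REFERRAL))` to see the interception finding, and `diff_a_records(parse_response(SUSPECT), parse_response(FRESH))` for the cached-versus-upstream difference. For the home BIND case the practical follow-up is to capture the actual reply that lands in the cache (`dnssec-validation auto` plus a packet capture on port 53 toward the forwarders) rather than reasoning from `dig` output alone, since a forwarder that is itself lying will look perfectly consistent from the inside.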

How can I speed up my users' DNS resolution?

A recent test my company conducted showed that at the 95th percentile, DNS lookups of my site’s domain take about 1.1s. Our target for our page starting to render at p95 is 1s so obviously 1.1s for DNS is a problem. What can I do to speed it up?

We use AWS. Our domain in Route 53 is pointing to an elastic load balancer. Because of how ELBs work, the TTL on the domain must be set at 60s. So this eliminates setting a longer TTL as a way of “speeding DNS up” (really, reducing the number of slow lookups).

What other options do I have? Stopping using Route 53 + ELB is a possibility but if there’s a way to keep using it, that would be much preferred.

submitted by /u/sandinmyjoints