DNS & network news

Author Archive: firstdns

Lower network latency for new-style TLDs? Are there any benchmarks or general insights?

I’m wondering if any of the new / long-form TLDs typically have lower latency than classic ‘prime’ TLDs of olde.

I understand that some countries could have higher latency, if they’ve made all DNS bottleneck through the country. I don’t really know how propagation happens across all/most/many of them. Which major DNS sign up for all TLDs, or which they defer (is that even right?)

Is .xyz slower or faster than most? What about .bank, etc? Compared with .mk or .az?

I’m sure there’s tons of naivety in what I’m asking. Thanks for any bits you know, or bigger picture insight.

submitted by /u/NewAlexandria

Powered by WPeMatico

Microsoft Protection blocking my company email – DNS problem?

Hi, over the past few years I have seen every company using Microsoft Outlook Protection reject our company email. In each case I had to ask the company admin to whitelist us. This only happens with Microsoft as far as I know. Our IP address is not on any DNSRBL.

The reject message from them was :

    Recipient address rejected: Access denied. AS(201806281) [DB5EUR01FT045.eop-EUR01.prod.protection.outlook.com] (in reply to RCPT TO command)
    Diagnostic-Code: smtp; 550 5.4.1 Recipient address rejected: Access denied. AS(201806281) [DB5EUR01FT045.eop-EUR01.prod.protection.outlook.com]

I imagine that my DKIM/SPF records are misread. However they look good to me.

I would be very grateful if someone could just tell me if they are ok, or not.

    $ dig -t txt klunky.co.uk @dns1.p07.nsone.net | grep TXT
    ;klunky.co.uk.                 IN  TXT
    klunky.co.uk.       600   IN  TXT  "v=spf1 mx a a:elk.klunky.co.uk -all"
    klunky.co.uk.       600   IN  TXT  "spf2.0/mfrom a mx a:elk.klunky.co.uk ~all"

    $ dig -t txt klunky.co.uk @ns3.he.net | grep TXT
    ;klunky.co.uk.                 IN  TXT
    klunky.co.uk.       1800  IN  TXT  "v=spf1 mx a a:elk.klunky.co.uk -all"
    klunky.co.uk.       1800  IN  TXT  "spf2.0/mfrom a mx a:elk.klunky.co.uk ~all"
    klunky.co.uk.       1800  IN  TXT  "google-site-verification=REDATED"

The main records are hosted on NS1, but there exist backup records on Hurricane Electric. The domain registrar only has Hurricane Electric registered, which is odd. NS1 is not listed.

Any help would be very much appreciated.

Regards, GK

submitted by /u/girlkettle
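An added check for the records quoted above, written by the editor and not taken from the post, NS1, Hurricane Electric or Microsoft: it reads a domain's TXT records the way a receiving MTA reads SPF under RFC 7208 and reports the conditions that make receivers return permerror (more than one v=spf1 record, more than ten DNS-lookup terms) or leave the domain effectively unprotected (no terminating mechanism, +all), and it compares the SPF sets published by two authoritative servers, which matters here because the registrar and the zone disagree about who is authoritative. The POSTED_* lists are the records from the dig output; the other test inputs are constructed. Two caveats: the dig output shows only SPF, so DKIM (published under a selector at _domainkey.klunky.co.uk) is not covered, and the 550 5.4.1 "Recipient address rejected: Access denied" text is, in Exchange Online Protection, a recipient-side verdict about the address being sent to rather than an SPF or DKIM result, so valid records alone would not be expected to change it.

```python
"""Read SPF TXT records the way a receiving MTA does (RFC 7208) and flag the
conditions that make receivers return permerror or treat the domain as
unprotected.

Editor-added example for this page, not the poster's code and not anything
from NS1, Hurricane Electric or Microsoft. The POSTED_* record sets are the
TXT records quoted in the post; everything else is constructed.
"""
import re
from typing import Dict, List

LOOKUP_MECHANISMS = {"a", "mx", "include", "exists", "ptr"}   # each costs a DNS query
MAX_LOOKUPS = 10                                             # RFC 7208 section 4.6.4

# TXT records as returned by the two authoritative servers in the post
POSTED_NS1 = [
    "v=spf1 mx a a:elk.klunky.co.uk -all",
    "spf2.0/mfrom a mx a:elk.klunky.co.uk ~all",      # Sender ID record, ignored by SPF checkers
]
POSTED_HE = POSTED_NS1 + ["google-site-verification=REDATED"]


def spf_records(txt_records: List[str]) -> List[str]:
    """Only records whose entire first term is v=spf1 (case-insensitive) count as SPF."""
    return [r for r in txt_records if r.split(" ", 1)[0].lower() == "v=spf1"]


def _parse_term(term: str):
    """('modifier', name, value) for name=value terms, else ('mechanism', qualifier, name)."""
    m = re.match(r"^([A-Za-z][A-Za-z0-9_.-]*)=(.*)$", term)
    if m:
        return "modifier", m.group(1).lower(), m.group(2)
    qualifier = "+"                                   # default qualifier is pass
    if term[0] in "+-~?":
        qualifier, term = term[0], term[1:]
    name = re.split(r"[:/]", term, maxsplit=1)[0].lower()
    return "mechanism", qualifier, name


def check_spf(txt_records: List[str]) -> Dict[str, object]:
    """Return {'ok', 'record', 'lookups', 'problems'} for a domain's TXT record set."""
    problems: List[str] = []
    spf = spf_records(txt_records)
    if not spf:
        return {"ok": False, "record": None, "lookups": 0,
                "problems": ["no v=spf1 record: receivers treat the domain as having no policy"]}
    if len(spf) > 1:
        problems.append(f"{len(spf)} v=spf1 records published; RFC 7208 s4.5 says permerror")
    record = spf[0]
    lookups, all_term, has_redirect = 0, None, False
    for term in record.split()[1:]:
        kind, a, b = _parse_term(term)
        if kind == "modifier":                        # modifiers are position-independent
            if a == "redirect":
                lookups += 1
                has_redirect = True
            continue
        if all_term is not None:                      # mechanisms after 'all' are never tested
            problems.append(f"'{term}' comes after '{all_term}' and is never evaluated")
            continue
        qualifier, name = a, b
        if name in LOOKUP_MECHANISMS:
            lookups += 1
        if name == "all":
            all_term = term
            if qualifier == "+":
                problems.append("'+all' lets any host on the internet pass SPF for this domain")
    if all_term is None and not has_redirect:
        problems.append("no 'all' mechanism or redirect= modifier: unmatched senders get neutral")
    if lookups > MAX_LOOKUPS:
        problems.append(f"{lookups} DNS-lookup terms exceed the limit of {MAX_LOOKUPS}: permerror")
    return {"ok": not problems, "record": record, "lookups": lookups, "problems": problems}


def spf_disagreements(per_server: Dict[str, List[str]]) -> List[str]:
    """Servers whose SPF record set differs from the first server listed; every
    authoritative server for a zone must publish the same policy."""
    items = list(per_server.items())
    baseline = set(spf_records(items[0][1]))
    return [name for name, recs in items[1:] if set(spf_records(recs)) != baseline]


if __name__ == "__main__":
    print(check_spf(POSTED_NS1))
    print(spf_disagreements({"dns1.p07.nsone.net": POSTED_NS1, "ns3.he.net": POSTED_HE}))
```

For the records in the post this returns three lookup terms (mx, a, a:elk.klunky.co.uk), a -all terminator and no problems, and the two servers agree; feeding it the TXT records from each listed nameserver, and from whichever servers the registrar actually delegates to, is the check to run before asking a remote admin to whitelist a sender.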

Unbound inside jail on a FreeBSD VM not working (x-post from /r/unbound)

I have installed and run unbound on two bare metal colocated FreeBSD servers for years now. When I transitioned from running BIND (which operated simultaneously as an authoritative and a recursive lookup server) to NSD and Unbound, I was faced with both daemons needing to run on one machine but independently answer queries on port 53. The colocated boxes have a /29, so the simplest solution was to run NSD on the host and a copy of Unbound in a jail with a 2nd IP address. I remember setup being pretty straightforward and this has worked fine for quite some time.

Early on with these bare metal servers, I made the mistake of trying to use FreeBSD’s built-in local_unbound as a lookup server available for outside queries (albeit constrained to certain IP blocks I would be making outside queries from). I soon discovered local_unbound was a scaled-down version of unbound and was not really meant to be used for outside queries. It’s really just meant to be used by the server to do lookups itself. But again, in the end, running a stock version of unbound in a jail worked fine.

Now I am trying to run unbound in my home on my LAN. I have a Windows 10 machine as a host running Virtualbox as the hypervisor with FreeBSD 12 in a VM. We’ll call this FreeBSD VM freebsd.mylan.local henceforth.

In Virtualbox, I configured the freebsd.mylan.local VM to have one *bridged* virtual network adapter. Within FreeBSD, it appeared as em0 and I hardcoded it a LAN IP of 192.168.1.150.

I then created a jail called lookup.mylan.local with an IP of 192.168.1.151. When starting the jail (using ezjail-admin), I found that the jail’s IP had been bound to the one adapter (em0). When I ran ifconfig on freebsd.mylan.local, as long as the jail is running, the jail IP appeared just below the VM’s main IP, similar to if I had manually added an alias IP to /etc/rc.conf. This is also how it shows on my bare metal colos:

    em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8009b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,LINKSTATE>
        ether ab:cd:ef:01:02:03
        inet 192.168.1.150 netmask 0xffffff00 broadcast 192.168.1.255
        inet 182.168.1.151 netmask 0xffffffff broadcast 192.168.1.151
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active

Within the jail, I used pkg install to install a stock version of unbound. I downloaded root.hints and started the unbound service. I confirmed the unbound service was running with *service unbound status* and *ps auxw | grep unbound*.

I then used pkg to install bind-tools, so I could use nslookup for testing. When I ran nslookup from within the jail itself, I get:

    root@lookup:~ # nslookup
    > server 192.168.1.151
    Default server: 192.168.1.151
    Address: 192.168.1.151#53
    > amiga.com
    Server:  192.168.1.151
    Address: 192.168.1.151#53

    ** server can't find amiga.com: REFUSED
    > server 127.0.0.1
    Default server: 127.0.0.1
    Address: 127.0.0.1#53
    > amiga.com
    ;; reply from unexpected source: 192.168.1.151#53, expected 127.0.0.1#53
    ;; reply from unexpected source: 192.168.1.151#53, expected 127.0.0.1#53
    ;; reply from unexpected source: 192.168.1.151#53, expected 127.0.0.1#53
    ;; connection timed out; no servers could be reached

If I make the same query from freebsd.mylan.local, I get the same failures.

BTW even with verbosity set to 5, if I tail my log file, nothing shows up in the logs when attempting these queries.

So then I went back out to Virtualbox’s settings and created a second virtual network adapter, also in bridged mode. Then on freebsd.mylan.local I edited this line in /usr/local/etc/ezjail/lookup_mylan.local:

    export jail_lookup_mylan_local_ip="em1|192.168.1.151"

I then restarted the jail and confirmed unbound was watching. ifconfig now looked like this:

    em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=81009b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,VLAN_HWFILTER>
        ether 08:00:27:49:50:47
        inet 192.168.1.150 netmask 0xffffff00 broadcast 192.168.1.255
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
    em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=81009b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,VLAN_HWFILTER>
        ether 08:00:27:4a:e7:fd
        inet 192.168.1.151 netmask 0xffffffff broadcast 192.168.1.151
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>

However, I ran the same nslookup queries again and got the same failures. Would appreciate any input because I am now stumped.

In the meantime here are my config files:

/usr/jails/lookup.mylan.local/usr/local/etc/unbound/unbound.conf

/usr/local/etc/ezjail/lookup_mylan_local

EDIT: SOLVED

submitted by /u/fongaboo
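The post does not say what the fix was, so the following is an editor-added example rather than the poster's configuration or anything from the unbound project. REFUSED is what unbound returns to a client that its access-control list does not allow, and unbound's documented defaults are to listen on 127.0.0.1 and ::1 only and to allow only localhost, refusing everyone else; in a FreeBSD jail with a single IPv4 address, 127.0.0.1 is additionally translated to the jail's address, which is why a query sent to 127.0.0.1 comes back from 192.168.1.151 and is rejected by the stub as a reply from an unexpected source. The code below implements unbound's access-control rule (the most specific matching netblock decides, on top of the built-in localhost-allow / everything-else-refuse entries) and evaluates it against two constructed unbound.conf fragments, one with no interface or access-control lines and one that binds the jail IP and allows the LAN. The config text and client addresses are assumptions for the demonstration.

```python
"""Evaluate unbound's access-control list and interface settings for a client.

Editor-added example for this page, not the poster's configuration or code
from the unbound project. It reproduces the documented rule: the most specific
access-control netblock containing the client decides, and with no
access-control lines at all only localhost is allowed and everyone else gets
REFUSED. Both unbound.conf fragments are constructed.
"""
import ipaddress
from typing import List, Tuple

# Built-in defaults from unbound.conf(5): localhost allowed, everything else refused,
# and the daemon listens on the loopback addresses only.
DEFAULT_ACL = [("127.0.0.0/8", "allow"), ("::1/128", "allow"),
               ("0.0.0.0/0", "refuse"), ("::/0", "refuse")]
DEFAULT_INTERFACES = ["127.0.0.1", "::1"]

# Constructed: root hints and verbosity set, nothing about listeners or clients,
# which is how a freshly installed unbound behaves.
NO_ACL_CONF = """
server:
    verbosity: 5
    root-hints: "/usr/local/etc/unbound/root.hints"
"""

# Constructed: the same config made to serve a LAN from a jail's address.
LAN_CONF = """
server:
    verbosity: 1
    root-hints: "/usr/local/etc/unbound/root.hints"
    interface: 192.168.1.151            # bind the jail's own address, not 127.0.0.1
    access-control: 192.168.1.0/24 allow
    access-control: 0.0.0.0/0 refuse    # explicit, same as the built-in default
"""


def parse_server_block(conf: str) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Return (interfaces, acl) from the server: clause, with the defaults filled in."""
    interfaces: List[str] = []
    acl: List[Tuple[str, str]] = []
    in_server = False
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()           # drop comments
        if not line:
            continue
        if line.endswith(":") and " " not in line:    # clause header: server:, remote-control:, ...
            in_server = line == "server:"
            continue
        if not in_server:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip().strip('"')
        if key == "access-control":
            netblock, action = value.split()[:2]
            acl.append((netblock, action))
        elif key == "interface":
            interfaces.append(value)
    return interfaces or list(DEFAULT_INTERFACES), DEFAULT_ACL + acl


def acl_action(conf: str, client_ip: str) -> str:
    """Action unbound applies to a query from client_ip: the longest matching prefix wins."""
    ip = ipaddress.ip_address(client_ip)
    best_net, best_action = None, "refuse"
    for netblock, action in parse_server_block(conf)[1]:
        net = ipaddress.ip_network(netblock, strict=False)
        if net.version != ip.version or ip not in net:
            continue
        if best_net is None or net.prefixlen > best_net.prefixlen:
            best_net, best_action = net, action
    return best_action


def listens_on(conf: str, address: str) -> bool:
    """True if an interface: line covers `address` (an optional @port suffix is ignored)."""
    ifaces = [i.split("@")[0] for i in parse_server_block(conf)[0]]
    return address in ifaces or "0.0.0.0" in ifaces or "::0" in ifaces


if __name__ == "__main__":
    for name, conf in (("no ACL", NO_ACL_CONF), ("LAN", LAN_CONF)):
        print(name, "192.168.1.150 ->", acl_action(conf, "192.168.1.150"),
              "| listens on jail IP:", listens_on(conf, "192.168.1.151"))
```

With the first fragment a query from the VM host (192.168.1.150) gets refuse and unbound is not bound to the jail address at all; with the second the LAN is allowed, 10.0.0.5 still gets refuse, and the listener is on 192.168.1.151. After editing the real file, `unbound-checkconf` validates the syntax and `unbound-control status` confirms which interfaces the running daemon opened.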

Windows Server DNS – EDNS Client Subnet Option

I can’t find anything in the MSFT Documentation about this, so I’m hoping someone here has run into this. I’ve searched /r/dns and a few other subreddits and haven’t found anything like this.

TL;DR – Does anyone happen to know if EDNS Client Subnet option will be forwarded by Windows Server 2012 R2 DNS Server?

Context:

I have an environment where I am setting up a GSLB configuration on a set of load-balancers in a few different geographical locations. We have a handful of distributed Server 2012 R2 DNS servers supporting this, forwarding requests to DNS Services on the load-balancer for any delegated records. It all works fine doing round-robin load-balancing, detecting service health, etc., and resolving the most appropriate IP based on the conditions. Now we are trying to look at leveraging EDNS Client Subnet to support a few specific applications.

What we’re finding is that we can send requests to the DNS servers that include the EDNS Client Subnet option, but they appear to be dropping it when they (the Windows DNS Server) forward the request to the load-balancers. All of the DNS Servers are 2012 R2. Packet capture shows the request hitting the server including the request, then when the server forwards it to the load-balancer, the option is no longer there.

Looking into this we can’t find anything about support for this option in Windows Server, outside of Server 2016 stating that it can be used with DNS Policies for different resolution configurations within Windows DNS Server itself. Previous versions all state they support EDNS0 and that’s about it. We have validated that EDNS Probes and Reception settings are both enabled on the servers.

submitted by /u/Practical_Coyote
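A forwarding resolver does not relay the client's packet; it builds its own upstream query and only includes the EDNS options it implements, so an option the server does not know simply disappears, which matches the capture described above. To confirm that from a capture, the OPT record of the forwarded query has to be decoded. The following editor-added example (not Microsoft's or the poster's code, standard library only) builds a query carrying the RFC 7871 option and provides a parser that reports the family, source prefix length, scope prefix length and network of the ECS option in any DNS message, so the UDP payload of a query taken on each side of the Windows server can be compared. The query name and client networks are constructed.

```python
"""Build and decode the EDNS Client Subnet option (RFC 7871) in raw DNS messages.

Editor-added example for this page, not Microsoft's or the poster's code;
standard library only. find_ecs() can be pointed at the UDP payload of a query
captured on either side of a forwarder to see whether the option survived.
The query name and client networks below are constructed.
"""
import ipaddress
import struct
from typing import Optional, Tuple

OPT_TYPE = 41          # EDNS(0) pseudo-RR type
ECS_OPTION_CODE = 8    # RFC 7871 section 6


def encode_name(name: str) -> bytes:
    """Wire-format a domain name: length-prefixed labels, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            raw = label.encode("ascii")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def ecs_option(client_net: str) -> bytes:
    """ECS option bytes for a client network such as '203.0.113.0/24' or '2001:db8::/56'."""
    net = ipaddress.ip_network(client_net, strict=False)
    family = 1 if net.version == 4 else 2
    # Only the octets covering SOURCE PREFIX-LENGTH are sent; trailing bits are already zero.
    addr = net.network_address.packed[: (net.prefixlen + 7) // 8]
    data = struct.pack("!HBB", family, net.prefixlen, 0) + addr   # SCOPE PREFIX-LENGTH is 0 in queries
    return struct.pack("!HH", ECS_OPTION_CODE, len(data)) + data


def build_query(qname: str, client_net: Optional[str], qid: int = 0x1234) -> bytes:
    """A-record query with RD set and one OPT RR, carrying ECS when client_net is given."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)         # QTYPE A, QCLASS IN
    rdata = ecs_option(client_net) if client_net else b""
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, 0, len(rdata) ) + rdata
    return header + question + opt


def _skip_name(msg: bytes, off: int) -> int:
    """Offset just past a wire-format name, handling compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # pointer: two bytes and the name ends here
            return off + 2
        off += 1 + length


def find_ecs(msg: bytes) -> Optional[Tuple[int, int, int, str]]:
    """(family, source prefix-length, scope prefix-length, network) of the ECS option, or None."""
    _qid, _flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4                             # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype != OPT_TYPE:
            continue
        pos = 0
        while pos + 4 <= len(rdata):                               # walk the option list
            code, olen = struct.unpack_from("!HH", rdata, pos)
            body = rdata[pos + 4:pos + 4 + olen]
            pos += 4 + olen
            if code != ECS_OPTION_CODE:
                continue
            family, source, scope = struct.unpack_from("!HBB", body, 0)
            size = 4 if family == 1 else 16
            packed = (body[4:] + b"\x00" * size)[:size]            # pad the truncated address back out
            net = ipaddress.ip_network((packed, source))
            return family, source, scope, str(net)
    return None


if __name__ == "__main__":
    with_ecs = build_query("app.example.com", "203.0.113.77/24")      # what the client sent
    without = build_query("app.example.com", None)                   # what a non-ECS forwarder sends on
    print("client side:", find_ecs(with_ecs))
    print("forwarded:  ", find_ecs(without))
```

Pass the raw UDP payload of the two captured queries to find_ecs(); a None for the query leaving the Windows server against a populated tuple for the query arriving at it is the symptom described in the post. Microsoft documents ECS for Windows Server DNS only from Server 2016, where it feeds DNS policies, so on 2012 R2 the client subnet has to be carried some other way, for example by letting the load balancers' DNS service face the clients directly.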