Re: Issue with AT&T IPs?
I would say route advertisements for the failing addresses are not making it to the point in the network where traceroute fails. At this point you need to see if you can find a looking glass for that net to check the BGP route announcements for the failing addresses, and possibly escalate to that net's NOC.

Again, if the servers were at different places in the net there is a chance that this routing issue would not cause a DNS lookup failure, as the second server would be on a different path.

Mark

> On 6 Dec 2017, at 7:20 am, Lightner, Jeffrey wrote:
>
> I don't disagree with what you say about nameserver diversity but don't feel that is the issue here and it is missing the point in my question.
>
> I'd already eliminated "lookup" of the DNS servers by going straight to the IP they share.
>
> Connections from locations outside our network to that IP port 53 and traceroute to that IP work (as they apparently did for both of you).
>
> Connections outbound from our QTS IPs also work.
>
> It is only connections outbound from our AT&T IPs that seem to fail.
>
> This makes it look like the issue is specifically something to do with AT&T IPs. There have been no attempts I've made that failed anywhere except from the AT&T IPs. If it were some temporary "down" of their IP causing a timeout then going to the second name server, I'd expect that to affect the non-AT&T outbound IPs or external lookups as well, but as I said I'm not seeing it anywhere else.
>
> When we do traceroute we are seeing multiple hops either way, but once we get to the same hop on both, the QTS based IPs proceed to the name server and the AT&T based IPs do not. Since paths either way do multiple hops outside our network it appears it isn't our network that is the issue but something with AT&T.
>
> I'd sent more detail but the mailing list as usual said "your message awaits moderator approval" because it is too large. I've never yet seen any such moderator approval email either approved or denied in the past so doubt I'll see it this time.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742
INTERNET: ma...@isc.org

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
RE: Issue with AT&T IPs?
I don't disagree with what you say about nameserver diversity but don't feel that is the issue here and it is missing the point in my question.

I'd already eliminated "lookup" of the DNS servers by going straight to the IP they share.

Connections from locations outside our network to that IP port 53 and traceroute to that IP work (as they apparently did for both of you).

Connections outbound from our QTS IPs also work.

It is only connections outbound from our AT&T IPs that seem to fail.

This makes it look like the issue is specifically something to do with AT&T IPs. There have been no attempts I've made that failed anywhere except from the AT&T IPs. If it were some temporary "down" of their IP causing a timeout then going to the second name server, I'd expect that to affect the non-AT&T outbound IPs or external lookups as well, but as I said I'm not seeing it anywhere else.

When we do traceroute we are seeing multiple hops either way, but once we get to the same hop on both, the QTS based IPs proceed to the name server and the AT&T based IPs do not. Since paths either way do multiple hops outside our network it appears it isn't our network that is the issue but something with AT&T.

I'd sent more detail but the mailing list as usual said "your message awaits moderator approval" because it is too large. I've never yet seen any such moderator approval email either approved or denied in the past so doubt I'll see it this time.
Re: Issue with AT&T IPs?
On 05.12.2017 at 20:21, Barry S. Finkel wrote:

> The problem is not with the "two" name servers for the domain you are trying to reach. Note the quotation marks. I was able to contact the ONE IP address and get a DNS response. If, for some reason, you do not have a path to that IP address, you will not get a response. And, there is no fall-back, as both name servers are on the same IP address.

Indeed, and so one more running name services without basic competence. You have to have *two* nameservers on *different* networks to avoid exactly this happening, be it by routing troubles, line down, machine down or whatever, and if you can't do that just use a DNS provider, no matter which one; he does it better.

    [harry@srv-rhsoft:~]$ nslookup NS1.QUICKFIX8.COM
    Server:     127.0.0.1
    Address:    127.0.0.1#53

    Non-authoritative answer:
    Name:   NS1.QUICKFIX8.COM
    Address: 74.124.202.236

    [harry@srv-rhsoft:~]$ nslookup NS2.QUICKFIX8.COM
    Server:     127.0.0.1
    Address:    127.0.0.1#53

    Non-authoritative answer:
    Name:   NS2.QUICKFIX8.COM
    Address: 74.124.202.236
Re: Issue with AT&T IPs?
On 12/5/2017 "Lightner, Jeffrey" wrote:

> We're having issues sending email to a user @SIDDHAFLOWERS.COM.
>
> Investigation here shows that the issue we have is that your name servers (queried both by name and by IP) are refusing to respond to our name servers.
>
> Their name servers:
> NS1.QUICKFIX8.COM
> NS2.QUICKFIX8.COM
>
> Our name servers:
> DSWADNS1.WATER.COM
> DSWADNS2.WATER.COM
>
> We find other name servers such as those at Google are able to query their name servers. Based on that I determined their name server IP (for both) is 74.124.202.236. However, if I attempt to reach port 53 (DNS) on that IP from our name servers it simply fails to connect. Our Network Security engineer did a capture and shows we send packets but never get a response.
>
> Interestingly, further testing shows this is an issue from any of our AT&T provided IPs:
> 12.44.84.194
> 12.44.84.213
> 12.44.84.214
> 12.44.84.216
>
> But not from separate QTS Datacenter provided IPs:
> 209.10.103.136
> 209.10.103.148
>
> I've reached out to the folks at QuickFix and am waiting to hear back, but we've seen a similar issue on another domain using separate name servers. Is it possible there is some sort of blacklist for DNS (not email) that people might be subscribing to that would cause them to block AT&T IPs? We can do queries from our DNS to most domains but have identified these 2 as problems, so suspect there might be others.
>
> By the way, I can reach their mail server via command line connection to port 25 on its IP. The issue here is purely in querying the DNS servers, which of course means mail programs can't determine the MX records themselves.
>
> Last night I did see some posts suggesting commenting out query-source but testing that didn't do anything. We do have our query-source set up for random outbound ports and I verified last night that it still works based on the test site for that.
>
> Most of what I find about blacklisting is about spam blacklisting of mail servers, not blacklisting of DNS server queries, and it is the latter we are experiencing.
>
> CONFIDENTIALITY NOTICE: This e-mail may contain privileged or confidential information and is for the sole use of the intended recipient(s). If you are not the intended recipient, any disclosure, copying, distribution, or use of the contents of this information is prohibited and may be unlawful. If you have received this electronic transmission in error, please reply immediately to the sender that you have received the message in error, and delete it. Thank you

Here is a query I just did:

    D:\>dig SIDDHAFLOWERS.COM mx @ns1.quickfix8.COM.

    ; <<>> DiG 9.9.3-P1 <<>> SIDDHAFLOWERS.COM mx @ns1.quickfix8.COM.
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63456
    ;; flags: qr aa rd; QUERY: 1, ANSWER: 7, AUTHORITY: 2, ADDITIONAL: 3
    ;; WARNING: recursion requested but not available

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;SIDDHAFLOWERS.COM.             IN      MX

    ;; ANSWER SECTION:
    SIDDHAFLOWERS.COM.      14400   IN      MX      1 aspmx.l.google.COM.
    SIDDHAFLOWERS.COM.      14400   IN      MX      10 aspmx2.googlemail.COM.
    SIDDHAFLOWERS.COM.      14400   IN      MX      5 alt2.aspmx.l.google.COM.
    SIDDHAFLOWERS.COM.      14400   IN      MX      5 alt1.aspmx.l.google.COM.
    SIDDHAFLOWERS.COM.      14400   IN      MX      10 aspmx3.googlemail.COM.
    SIDDHAFLOWERS.COM.      14400   IN      MX      10 alt3.aspmx.l.google.COM.
    SIDDHAFLOWERS.COM.      14400   IN      MX      10 alt4.aspmx.l.google.COM.

    ;; AUTHORITY SECTION:
    SIDDHAFLOWERS.COM.      86400   IN      NS      ns2.quickfix8.COM.
    SIDDHAFLOWERS.COM.      86400   IN      NS      ns1.quickfix8.COM.

    ;; ADDITIONAL SECTION:
    ns1.quickfix8.COM.      14400   IN      A       74.124.202.236
    ns2.quickfix8.COM.      14400   IN      A       74.124.202.236

    ;; Query time: 128 msec
    ;; SERVER: 74.124.202.236#53(74.124.202.236)
    ;; WHEN: Tue Dec 05 13:08:20 Central Standard Time 2017
    ;; MSG SIZE  rcvd: 296

    D:\>

The problem is not with the "two" name servers for the domain you are trying to reach. Note the quotation marks. I was able to contact the ONE IP address and get a DNS response. If, for some reason, you do not have a path to that IP address, you will not get a response. And, there is no fall-back, as both name servers are on the same IP address.

--Barry Finkel
RE: Issue with AT&T IPs?
DNS, by design, is generally speaking agnostic when it comes to providing answers to DNS questions. It would have to be a very deliberate edit to the "allow-query" option in the conf file to enable your construct of a "DNS blacklist". In an enterprise environment this type of defensive action seems best played at the edge where the firewalls live, based upon actionable data and not in a conf file. But that is just me.

I read where a packet capture was performed, but does no response include absence of reset packets? What did a traceroute show? Can you place a rule to allow unfiltered traffic in and out from one of your IPs for testing?

I am a big fan of copying and pasting, but it appears that you didn't clean it all up when composing this email to the BIND group. You indicate to the admins of quickfix8.com that quickfix8.com's servers are "refusing" the query. So which is it? No response or refusing? Because getting a refused answer is better than nothing at all.

In the end the issue may just resolve itself. :D

Good hunting.

John

From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Lightner, Jeffrey
Sent: Tuesday, December 05, 2017 10:24 AM
To: bind-us...@isc.org
Subject: Issue with AT&T IPs?

We're having issues sending email to a user @SIDDHAFLOWERS.COM.

Investigation here shows that the issue we have is that your name servers (queried both by name and by IP) are refusing to respond to our name servers.

Their name servers:
NS1.QUICKFIX8.COM
NS2.QUICKFIX8.COM

Our name servers:
DSWADNS1.WATER.COM
DSWADNS2.WATER.COM

We find other name servers such as those at Google are able to query their name servers. Based on that I determined their name server IP (for both) is 74.124.202.236. However, if I attempt to reach port 53 (DNS) on that IP from our name servers it simply fails to connect. Our Network Security engineer did a capture and shows we send packets but never get a response.

Interestingly, further testing shows this is an issue from any of our AT&T provided IPs:
12.44.84.194
12.44.84.213
12.44.84.214
12.44.84.216

But not from separate QTS Datacenter provided IPs:
209.10.103.136
209.10.103.148

I've reached out to the folks at QuickFix and am waiting to hear back, but we've seen a similar issue on another domain using separate name servers. Is it possible there is some sort of blacklist for DNS (not email) that people might be subscribing to that would cause them to block AT&T IPs? We can do queries from our DNS to most domains but have identified these 2 as problems, so suspect there might be others.

By the way, I can reach their mail server via command line connection to port 25 on its IP. The issue here is purely in querying the DNS servers, which of course means mail programs can't determine the MX records themselves.

Last night I did see some posts suggesting commenting out query-source but testing that didn't do anything. We do have our query-source set up for random outbound ports and I verified last night that it still works based on the test site for that.

Most of what I find about blacklisting is about spam blacklisting of mail servers, not blacklisting of DNS server queries, and it is the latter we are experiencing.
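John's "no response or refusing?" is the right question, and it can be answered per source address rather than by reading a capture. The probe below is an added example, not code from the thread, from ISC or from BIND: it sends one non-recursive query over UDP from a chosen local address (the same idea as BIND's query-source) and reports whether the server answered, returned REFUSED or SERVFAIL, was reachable but answered with ICMP port-unreachable, or stayed silent. Silence and REFUSED point at different places: a filter or routing problem on the path versus a policy on the server. The target address and zone are the ones quoted in the thread; the source addresses come from the command line and are placeholders for whatever is configured on the probing host. The wire-format builder and parser cover only the header and question, which is all a verdict needs.

```python
"""Probe an authoritative server and report *how* a query fails.

Added example, not from the bind-users thread or from BIND. Standard library
only; the wire-format code covers just the header and question. TARGET and
ZONE are the values quoted in the thread; source addresses come from argv
and are placeholders for whatever is configured on the probing host.
"""
import secrets
import socket
import struct
import sys

TARGET = "74.124.202.236"     # ns1/ns2.quickfix8.com as quoted in the thread
ZONE = "siddhaflowers.com"

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
QTYPES = {"A": 1, "NS": 2, "MX": 15}


def build_query(qname, qtype="MX", txid=None):
    """Return (txid, wire) for one question; RD is left clear, as an
    iterative resolver would when talking to an authoritative server."""
    txid = secrets.randbelow(1 << 16) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    labels = b"".join(bytes([len(label)]) + label.encode("ascii")
                      for label in qname.rstrip(".").split("."))
    return txid, header + labels + b"\x00" + struct.pack("!HH", QTYPES[qtype], 1)


def classify_response(txid, data):
    """Turn raw reply bytes into a short verdict, checking id, QR and RCODE."""
    if len(data) < 12:
        return "malformed"
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        return "id-mismatch"
    if not flags & 0x8000:          # QR bit must be set on a reply
        return "not-a-response"
    rcode = RCODES.get(flags & 0xF, f"RCODE{flags & 0xF}")
    if rcode != "NOERROR":
        return rcode
    aa = " authoritative" if flags & 0x0400 else ""
    return f"answer:{an} records{aa}"


def probe(server, qname, qtype="MX", source_ip=None, timeout=3.0):
    """Send one UDP query from source_ip (cf. BIND's query-source) and
    distinguish silence, ICMP port-unreachable and a real reply."""
    txid, wire = build_query(qname, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        if source_ip:
            s.bind((source_ip, 0))
        s.connect((server, 53))    # connected UDP: ICMP errors surface as exceptions
        s.send(wire)
        try:
            data = s.recv(4096)
        except socket.timeout:
            return "no response (timeout)"      # dropped in transit or filtered
        except ConnectionRefusedError:
            return "icmp port unreachable"      # host reached, nothing listening on 53
    return classify_response(txid, data)


if __name__ == "__main__":
    # Run once per local address you want to test from, e.g. an AT&T and a QTS one.
    for src in sys.argv[1:] or [None]:
        print(f"{src or 'default source'}: {probe(TARGET, ZONE, 'MX', src)}")
```

Run it from the same host with each candidate source address as an argument and compare the verdicts side by side; a consistent "no response (timeout)" from one set of addresses and "answer:… authoritative" from the other is the path-or-filter signature described in the thread, while "REFUSED" would mean the packets arrive and the server's policy is what says no.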
Re: Issue with AT&T IPs?
Hi Jeffrey,

I had the same kind of problems with my domain "smallfusion.net". It's resolving at a few places; mostly it's saying "connection timed out; no servers could be reached". Well, it's very strange. I'm using Cloudflare.com services with this domain.
Issue with AT&T IPs?
We're having issues sending email to a user @SIDDHAFLOWERS.COM.

Investigation here shows that the issue we have is that your name servers (queried both by name and by IP) are refusing to respond to our name servers.

Their name servers:
NS1.QUICKFIX8.COM
NS2.QUICKFIX8.COM

Our name servers:
DSWADNS1.WATER.COM
DSWADNS2.WATER.COM

We find other name servers such as those at Google are able to query their name servers. Based on that I determined their name server IP (for both) is 74.124.202.236. However, if I attempt to reach port 53 (DNS) on that IP from our name servers it simply fails to connect. Our Network Security engineer did a capture and shows we send packets but never get a response.

Interestingly, further testing shows this is an issue from any of our AT&T provided IPs:
12.44.84.194
12.44.84.213
12.44.84.214
12.44.84.216

But not from separate QTS Datacenter provided IPs:
209.10.103.136
209.10.103.148

I've reached out to the folks at QuickFix and am waiting to hear back, but we've seen a similar issue on another domain using separate name servers. Is it possible there is some sort of blacklist for DNS (not email) that people might be subscribing to that would cause them to block AT&T IPs? We can do queries from our DNS to most domains but have identified these 2 as problems, so suspect there might be others.

By the way, I can reach their mail server via command line connection to port 25 on its IP. The issue here is purely in querying the DNS servers, which of course means mail programs can't determine the MX records themselves.

Last night I did see some posts suggesting commenting out query-source but testing that didn't do anything. We do have our query-source set up for random outbound ports and I verified last night that it still works based on the test site for that.

Most of what I find about blacklisting is about spam blacklisting of mail servers, not blacklisting of DNS server queries, and it is the latter we are experiencing.