Re: Whitelist security.debian.org

2015-10-22 Thread Pascal Hambourg
Greencopper wrote:
> 
> Most likely OpenDNS has some load balancing of their own perhaps forwarding
> the request to different internal servers.
> 
> Perhaps the only solution is to fix a specific IP address for
> security.debian.org in my local DNS server and then only use that!

Or don't use OpenDNS servers.



Re: Whitelist security.debian.org

2015-10-22 Thread Pascal Hambourg
Brian wrote:
> On Thu 22 Oct 2015 at 11:44:41 +0200, Sven Hartge wrote:
> 
>> Pascal Hambourg  wrote:
>>> Greencopper wrote:
>>>>
>>>> Most likely OpenDNS has some load balancing of their own perhaps
>>>> forwarding the request to different internal servers.
>>>>
>>>> Perhaps the only solution is to fix a specific IP address for
>>>> security.debian.org in my local DNS server and then only use that!
>>>
>>> Or don't use OpenDNS servers.
>>
>> Or don't try to build firewall rules based on DNS lookups.
> 
> Or amend sources.list to not require DNS. 149.20.20.6 is schein; use
> villa if preferred.
> 
>   deb ftp://149.20.20.6/debian-security jessie/updates main

I don't second that suggestion because it has several drawbacks.
- It cancels the redundancy provided by security.debian.org.
- It does not work with HTTP, so you have to use FTP which is harder to
manage by firewalls.
- If one day this one address does not serve as a Debian security mirror
any more, you're stuck.
- Changing a mirror forces APT to reload all the package list at the
next update. This can be annoying with a low speed link.

I was serious when suggesting not to use OpenDNS. Why use it if you have
your own local recursive DNS cache?



Re: Whitelist security.debian.org

2015-10-22 Thread Brian
On Thu 22 Oct 2015 at 20:51:03 +0200, Pascal Hambourg wrote:

> Brian wrote:
> > On Thu 22 Oct 2015 at 11:44:41 +0200, Sven Hartge wrote:
> > 
> >> Pascal Hambourg  wrote:
> >>> Greencopper wrote:
> >>>>
> >>>> Most likely OpenDNS has some load balancing of their own perhaps
> >>>> forwarding the request to different internal servers.
> >>>>
> >>>> Perhaps the only solution is to fix a specific IP address for
> >>>> security.debian.org in my local DNS server and then only use that!
> >>>
> >>> Or don't use OpenDNS servers.
> >>
> >> Or don't try to build firewall rules based on DNS lookups.
> > 
> > Or amend sources.list to not require DNS. 149.20.20.6 is schein; use
> > villa if preferred.
> > 
> >   deb ftp://149.20.20.6/debian-security jessie/updates main
> 
> I don't second that suggestion because it has several drawbacks.
> - It cancels the redundancy provided by security.debian.org.

True. It pins down getting security updates from a designated IP.

> - It does not work with HTTP, so you have to use FTP which is harder to
> manage by firewalls.

I could not get http to work; don't know why. Any ideas?

> - If one day this one address does not serve as a Debian security mirror
> any more, you're stuck.

Correct. So, use

   deb ftp://schein.debian.org/debian-security jessie/updates main
   deb ftp://villa.debian.org/debian-security jessie/updates main

Untested, so your objection could still stand.

> - Changing a mirror forces APT to reload all the package list at the
> next update. This can be annoying with a low speed link.

Probably not relevant for the OP. But a reasonable point.
 
> I was serious when suggesting not to use OpenDNS. Why use it if you have
> your own local recursive DNS cache?

You could be right, I'll not argue that at length. unbound returns

; <<>> DiG 9.9.5-12-Debian <<>> security.debian.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23557
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 3, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;security.debian.org.   IN  A

;; ANSWER SECTION:
security.debian.org.300 IN  A   195.20.242.89
security.debian.org.300 IN  A   212.211.132.250
security.debian.org.300 IN  A   212.211.132.32

;; AUTHORITY SECTION:
security.debian.org.28800   IN  NS  geo1.debian.org.
security.debian.org.28800   IN  NS  geo3.debian.org.
security.debian.org.28800   IN  NS  geo2.debian.org.

;; Query time: 430 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Oct 22 20:26:22 BST 2015
;; MSG SIZE  rcvd: 153

Traceroutes to the machines in the ANSWER SECTION lead today to wieck,
villa and lobos respectively.

I'm also not inclined to second the suggestion but, failing sorting out
his firewall, it can work for the OP.



Re: Whitelist security.debian.org

2015-10-22 Thread Pascal Hambourg
Brian wrote:
> On Thu 22 Oct 2015 at 20:51:03 +0200, Pascal Hambourg wrote:
> 
>> Brian wrote:
>>>
>>>   deb ftp://149.20.20.6/debian-security jessie/updates main
> 
>> - It does not work with HTTP, so you have to use FTP which is harder to
>> manage by firewalls.
> 
> I could not get http to work; don't know why. Any ideas?

HTTP virtual host setup, I guess. /dists, /pool or /debian-security seem
to only exist in the security.debian.org virtual host on these servers.



Re: Whitelist security.debian.org

2015-10-22 Thread Sven Hartge
Pascal Hambourg  wrote:
> Greencopper wrote:
 
>> Most likely OpenDNS has some load balancing of their own perhaps
>> forwarding the request to different internal servers.
>> 
>> Perhaps the only solution is to fix a specific IP address for
>> security.debian.org in my local DNS server and then only use that!

> Or don't use OpenDNS servers.

Or don't try to build firewall rules based on DNS lookups.

Regards,
Sven.

-- 
Sigmentation fault. Core dumped.



Re: Whitelist security.debian.org

2015-10-22 Thread Brian
On Thu 22 Oct 2015 at 11:44:41 +0200, Sven Hartge wrote:

> Pascal Hambourg  wrote:
> > Greencopper wrote:
> >>
> >> Most likely OpenDNS has some load balancing of their own perhaps
> >> forwarding the request to different internal servers.
> >> 
> >> Perhaps the only solution is to fix a specific IP address for
> >> security.debian.org in my local DNS server and then only use that!
> 
> > Or don't use OpenDNS servers.
> 
> Or don't try to build firewall rules based on DNS lookups.

Or amend sources.list to not require DNS. 149.20.20.6 is schein; use
villa if preferred.

  deb ftp://149.20.20.6/debian-security jessie/updates main



Whitelist security.debian.org

2015-10-21 Thread Greencopper
I have a firewall with some whitelisted addresses for the kids, one of them
is security.debian.org.

The firewall flushes the tables with fresh IP addresses using a scripted
cronjob with a nslookup that pulls the addresses and automatically adds
them to the whitelist.

Doing a nslookup on the firewall and on the kids boxes provides the same IP
addresses for security.debian.org:

# nslookup security.debian.org
Non-authoritative answer:
Name:   security.debian.org
Address: 212.211.132.32
Name:   security.debian.org
Address: 195.20.242.89
Name:   security.debian.org
Address: 212.211.132.250

And those IPs are added to the whitelist. However, when APT is run:

"Could not connect to security.debian.org:http: [IP: 149.20.20.6 80]"

Where does APT get this IP address from?

If from some crazy pool of IPs how is it doing lookup?


Re: Whitelist security.debian.org

2015-10-21 Thread Glenn English

On Oct 21, 2015, at 12:34 PM, David Wright  wrote:

>> # nslookup security.debian.org
>> Non-authoritative answer:
>> Name:   security.debian.org
>> Address: 212.211.132.32
>> Name:   security.debian.org
>> Address: 195.20.242.89
>> Name:   security.debian.org
>> Address: 212.211.132.250
> 
> My whois shows those addresses are in Germany.
> security.debian.org is in the US.

Mine says Germany too, and a peculiar domain owner (ScanPlus). But:

> root@srv:~# host 212.211.132.250
> 250.132.211.212.in-addr.arpa domain name pointer lobos.debian.org.
> root@srv:~# host 195.20.242.89
> 89.242.20.195.in-addr.arpa domain name pointer wieck.debian.org.
> root@srv:~# host 212.211.132.32
> 32.132.211.212.in-addr.arpa domain name pointer villa.debian.org.

Debian has several servers in Germany (like the users' mailing list server, 
last time I looked). This might be something worth looking into...

-- 
Glenn English





Re: Whitelist security.debian.org

2015-10-21 Thread David Wright
Quoting Greencopper (greencopperm...@gmail.com):
> I have a firewall with some whitelisted addresses for the kids, one of them is
> security.debian.org.
> 
> The firewall flushes the tables with fresh IP addresses using a scripted
> cronjob with a nslookup that pulls the addresses and automatically adds them 
> to
> the whitelist.
> 
> Doing a nslookup on the firewall and on the kids boxes provides the same IP
> addresses for security.debian.org:
> 
> # nslookup security.debian.org
> Non-authoritative answer:
> Name:   security.debian.org
> Address: 212.211.132.32
> Name:   security.debian.org
> Address: 195.20.242.89
> Name:   security.debian.org
> Address: 212.211.132.250

My whois shows those addresses are in Germany.
security.debian.org is in the US.

> And those IPs are added to the whitelist. However, when APT is run:
> 
> "Could not connect to security.debian.org:http: [IP: 149.20.20.6 80]"
> 
> Where does APT get this IP address from?
> 
> If from some crazy pool of IPs how is it doing lookup?

$ dig @8.8.8.8 security.debian.org

; <<>> DiG 9.9.5-9+deb8u3-Debian <<>> @8.8.8.8 security.debian.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51777
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;security.debian.org.   IN  A

;; ANSWER SECTION:
security.debian.org.292 IN  A   149.20.20.6
security.debian.org.292 IN  A   128.31.0.63
security.debian.org.292 IN  A   128.61.240.73

;; Query time: 33 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Oct 21 13:26:32 CDT 2015
;; MSG SIZE  rcvd: 96

$ 

The only things German (and Austrian) there are the phone numbers!

Cheers,
David.



Re: Whitelist security.debian.org

2015-10-21 Thread Lars Noodén
On 10/21/2015 09:47 PM, Mario Castelán Castro wrote:
>...
> There seems to be a geographical dependent load balancing DNS server for
> security.debian.org; maybe that is the source of the OP's problem. From
> Mexico I get this:
> ...

I, too, get different answers depending on the country I check from with
dig.

It seems to be described here briefly:

"For each service it produces a set of zonefiles, one
for each out of a set of different geographic regions.
These individual zonefiles are then transferred using
rsync to our GEO-IP enabled nameservers. This enables
us to give users a list of security mirrors closer to
them and thus hopefully faster for them."

https://dsa.debian.org/dsablog/

But that doesn't answer why APT is getting a different IP than a regular
nslookup.

Regards,
Lars



Re: Whitelist security.debian.org

2015-10-21 Thread Pascal Hambourg
Greencopper wrote:
> 
> Doing a nslookup on the firewall and on the kids boxes provides the same IP
> addresses for security.debian.org:
> 
> # nslookup security.debian.org
> Non-authoritative answer:
> Name:   security.debian.org
> Address: 212.211.132.32
> Name:   security.debian.org
> Address: 195.20.242.89
> Name:   security.debian.org
> Address: 212.211.132.250
> 
> And those IPs are added to the whitelist. However, when APT is run:
> 
> "Could not connect to security.debian.org:http: [IP: 149.20.20.6 80]"

Always the same address? Or does it change?

> Where does APT get this IP address from?

/etc/hosts?
Any local DNS server?



Re: Whitelist security.debian.org

2015-10-21 Thread Mario Castelán Castro

There seems to be some geographically

On 21/10/15 at 13:34, David Wright wrote:

> Quoting Greencopper (greencopperm...@gmail.com):
>
>> I have a firewall with some whitelisted addresses for the kids, one of them is
>> security.debian.org.
>>
>> The firewall flushes the tables with fresh IP addresses using a scripted
>> cronjob with a nslookup that pulls the addresses and automatically adds them to
>> the whitelist.
>>
>> Doing a nslookup on the firewall and on the kids boxes provides the same IP
>> addresses for security.debian.org:
>>
>> # nslookup security.debian.org
>> Non-authoritative answer:
>> Name:   security.debian.org
>> Address: 212.211.132.32
>> Name:   security.debian.org
>> Address: 195.20.242.89
>> Name:   security.debian.org
>> Address: 212.211.132.250
>
> My whois shows those addresses are in Germany.
> security.debian.org is in the US.


There seems to be a geographical dependent load balancing DNS server for 
security.debian.org; maybe that is the source of the OP's problem. From 
Mexico I get this:


$ host security.debian.org
security.debian.org has address 128.61.240.73
security.debian.org has address 149.20.20.6
security.debian.org has address 128.31.0.63
security.debian.org has IPv6 address 2001:4f8:8:36::6
security.debian.org has IPv6 address 2610:148:1f10:3::73
security.debian.org mail is handled by 10 mailly.debian.org.
security.debian.org mail is handled by 10 muffat.debian.org.

But in a recent thread, another user mentioned a different set of IP 
addresses; see 
 and 
.


Regards.



Re: Whitelist security.debian.org

2015-10-21 Thread Greencopper
This is actually getting very frustrating!

Doing a nslookup specifying the DNS server provides different results when
done minutes apart!

$ nslookup security.debian.org 208.67.222.222
Server:208.67.222.222
Address:208.67.222.222#53

Non-authoritative answer:
Name:security.debian.org
Address: 149.20.20.6
Name:security.debian.org
Address: 128.31.0.63
Name:security.debian.org
Address: 128.61.240.73

Then a couple of minutes after:

nslookup security.debian.org 208.67.222.222
Server:208.67.222.222
Address:208.67.222.222#53

Non-authoritative answer:
Name:security.debian.org
Address: 212.211.132.32
Name:security.debian.org
Address: 212.211.132.250
Name:security.debian.org
Address: 195.20.242.89

Most likely OpenDNS has some load balancing of their own perhaps forwarding
the request to different internal servers.

Perhaps the only solution is to fix a specific IP address for
security.debian.org in my local DNS server and then only use that!

On Thu, Oct 22, 2015 at 3:08 AM, Greencopper 
wrote:

> >> Doing a nslookup on the firewall and on the kids boxes provides the same IP
> >> addresses for security.debian.org:
> >>
> >> # nslookup security.debian.org
> >> Non-authoritative answer:
> >> Name:   security.debian.org
> >> Address: 212.211.132.32
> >> Name:   security.debian.org
> >> Address: 195.20.242.89
> >> Name:   security.debian.org
> >> Address: 212.211.132.250
> >>
> >> And those IPs are added to the whitelist. However, when APT is run:
> >>
> >> "Could not connect to security.debian.org:http: [IP: 149.20.20.6 80]"
> >
> > Always the same address? Or does it change?
> >
> >> Where does APT get this IP address from?
> >
> > /etc/hosts?
> > Any local DNS server?
>
> There is a local DNS server on the firewall, but that's where the
> whitelisted IP address gets generated and the result of the nslookup
> is the same whether performed on the box or on any other machine in
> the house since they all use the same box.
>
> No, there is nothing in /etc/hosts
>
> Apt-get is getting different results from using "host" or "nslookup".
>
>
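An added example, not code from anyone in this thread: a small Python check that parses the nslookup output format shown above, unions the answers seen over repeated polls (here the two OpenDNS answers quoted in this message), and reports which of those addresses the cron-generated whitelist from the original post lacks. It shows why one lookup per cron run misses an entire GeoIP answer set, which is exactly how APT ends up at 149.20.20.6 while the firewall only knows the German set. The sample outputs are constructed from the values in the thread.

```python
import re
from ipaddress import ip_address

# Constructed samples: the two OpenDNS answers quoted above (values from the thread).
OPENDNS_RUN_1 = """Server:208.67.222.222
Address:208.67.222.222#53

Non-authoritative answer:
Name:security.debian.org
Address: 149.20.20.6
Name:security.debian.org
Address: 128.31.0.63
Name:security.debian.org
Address: 128.61.240.73
"""

OPENDNS_RUN_2 = """Server:208.67.222.222
Address:208.67.222.222#53

Non-authoritative answer:
Name:security.debian.org
Address: 212.211.132.32
Name:security.debian.org
Address: 212.211.132.250
Name:security.debian.org
Address: 195.20.242.89
"""

# The whitelist the original poster's cron job produced from a single lookup.
FIREWALL_WHITELIST = ["212.211.132.32", "195.20.242.89", "212.211.132.250"]


def parse_nslookup(output):
    """Return the answer addresses in an nslookup run as ipaddress objects.
    The resolver's own 'Address:208.67.222.222#53' line carries a port suffix
    and is skipped, so only answer-section addresses are returned."""
    addrs = set()
    for line in output.splitlines():
        m = re.match(r"Address:\s*(\S+)$", line)
        if m and "#" not in m.group(1):
            addrs.add(ip_address(m.group(1)))
    return addrs


def whitelist_gap(observations, whitelist, apt_ip):
    """Union every answer seen across polls and report what the whitelist lacks,
    plus whether the address APT actually tried (from its error) is covered."""
    seen = set().union(*(parse_nslookup(o) for o in observations))
    allowed = {ip_address(a) for a in whitelist}
    return {"missing": seen - allowed,
            "apt_target_whitelisted": ip_address(apt_ip) in allowed}
```

Running `whitelist_gap([OPENDNS_RUN_1, OPENDNS_RUN_2], FIREWALL_WHITELIST, "149.20.20.6")` reports the three US addresses as missing and APT's target as not whitelisted; feeding in more polls (or answers from several resolvers) only widens the set the whitelist would have to track.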


Re: Whitelist security.debian.org

2015-10-21 Thread Greencopper
>> Doing a nslookup on the firewall and on the kids boxes provides the same IP
>> addresses for security.debian.org:
>>
>> # nslookup security.debian.org
>> Non-authoritative answer:
>> Name:   security.debian.org
>> Address: 212.211.132.32
>> Name:   security.debian.org
>> Address: 195.20.242.89
>> Name:   security.debian.org
>> Address: 212.211.132.250
>>
>> And those IPs are added to the whitelist. However, when APT is run:
>>
>> "Could not connect to security.debian.org:http: [IP: 149.20.20.6 80]"
>
> Always the same address? Or does it change?
>
>> Where does APT get this IP address from?
>
> /etc/hosts?
> Any local DNS server?

There is a local DNS server on the firewall, but that's where the
whitelisted IP address gets generated and the result of the nslookup
is the same whether performed on the box or on any other machine in
the house since they all use the same box.

No, there is nothing in /etc/hosts

Apt-get is getting different results from using "host" or "nslookup".