Re: Bogon Filter - Please check for 77/8 78/8 79/8
On Tue, 12 Dec 2006, Chris L. Morrow wrote:
> On Mon, 11 Dec 2006, william(at)elan.net wrote:
>> Completewhois email server is down right now and needs to be rebuilt.
>
> what no backup MX? now postmaster/abuse/root working emails at that domain? did you put the domain also on 'rfc ignorant'?

Mail store is not working, not mail service for domain and backups do exist. But as far as 'rfc ignorant' while it would probably not qualify, I'd have no problem with the listing as until mail server is fixed [that would be about one more week] no emails would be sent from the domain. I did put catchall on another server for email, but it's just impossible to read with 4000 emails per day and 99.9..% of them being spam (including unfortunately bots doing webform submission).

BTW - I wanted to see how many people actually reported it (as it was mentioned here as being multiple attempts to contact), while I can't be 100% sure just from grep -P it looks like two people reported it on Dec 6th (one of them Allan) and that's about it; those who did report it will receive separate answers once email can be properly sorted.

--
William Leibzon
Elan Networks
[EMAIL PROTECTED]
Re: Bogon Filter - Please check for 77/8 78/8 79/8
On Mon, 11 Dec 2006, william(at)elan.net wrote:
> Completewhois email server is down right now and needs to be rebuilt.

what no backup MX? now postmaster/abuse/root working emails at that domain? did you put the domain also on 'rfc ignorant'?
Re: DNS - connection limit (without any extra hardware)
In article <[EMAIL PROTECTED]> you write:
>
>On Mon, 11 Dec 2006, Simon Waters wrote:
>
>> Yes. Most of the root server traffic is answering queries with
>> "NXDOMAIN" for non-existent top level domains, if you slave root
>> on your recursive servers, your recursive servers can answer those
>> queries directly (from the 120KB root zone file), rather than
>> relying on negative caching, and a round trip to the root
>> servers, for every new non-existent domain.
>
>That would require configuring my caching server with authoritative
>zones, and it seems prevailing wisdom (at least with BIND
>configurations?) is to keep the peanut butter separate from the
>chocolate, no matter how great they taste together, to the best
>of my knowledge.
>
>matto

No. The wisdom is to not make your authoritative servers caches. This is not the same as not making your caches authoritative for certain zones. Just don't have the caches listed in the NS RRsets.

Note: You will need to configure your master server(s) to notify the caches for the zone that slave as the automatic mechanisms won't discover them.

Mark

>[EMAIL PROTECTED]<
> Moral indignation is a technique to endow the idiot with dignity.
> - Marshall McLuhan
Re: Bogon Filter - Please check for 77/8 78/8 79/8
On Mon, 11 Dec 2006, Allan Houston wrote:
> Florian Lohoff wrote:
>> Hi *, in august IANA handed 77/8 78/8 79/8 to RIPE which started handing out those ranges 2 months ago.
>>
>> We (Telefonica Deutschland AS6805) are seeing a lot of reachability problems most likely caused by not updated bogon filters.
>>
>> For testing purposes 77.181.114.4 aka bogon.mediaways.net is up for icmp/http.
>>
>> Please check and possibly update your filters.
>>
>> Flo (aka [EMAIL PROTECTED])
>
> This probably isn't helped much by sites like completewhois.com still showing these ranges as bogons..
>
> http://www.completewhois.com/bogons/active_bogons.htm
>
> They've ignored all my attempts to get them to update so far.. sigh..

Completewhois email server is down right now and needs to be rebuilt. That's not to say that is a good excuse - I should have updated bogon list 3 months ago when allocation was made, but I missed it among many emails on this list and other lists; it's fixed as of right now, so my apologies to those who received new allocations from 77/8 (apparently RIPE started allocating two weeks ago; a bit sooner after IANA allocation than before, but I guess they are out of available space on other blocks...).

I also added daily emailing of active_bogons list to this and one other of my actively used email accounts which would make it easier to catch similar problems.

--
William Leibzon
Elan Networks
[EMAIL PROTECTED]
Re: DNS - connection limit (without any extra hardware)
On Mon, 11 Dec 2006, Simon Waters wrote:
> Yes. Most of the root server traffic is answering queries with "NXDOMAIN" for non-existent top level domains, if you slave root on your recursive servers, your recursive servers can answer those queries directly (from the 120KB root zone file), rather than relying on negative caching, and a round trip to the root servers, for every new non-existent domain.

That would require configuring my caching server with authoritative zones, and it seems prevailing wisdom (at least with BIND configurations?) is to keep the peanut butter separate from the chocolate, no matter how great they taste together, to the best of my knowledge.

matto

[EMAIL PROTECTED]<
Moral indignation is a technique to endow the idiot with dignity.
- Marshall McLuhan
Re: Bogon Filter - Please check for 77/8 78/8 79/8
On Mon, 11 Dec 2006, Robert E. Seastrom wrote:
> no, he's saying that a lawsuit is a useful method of forcing someone who is intentionally or negligently distributing incorrect information that other people who do not know any better then believe and use in their own networks.
>
> i betcha libel laws aren't written in such a way that they are useful here, however, there might be some kind of restraint of trade thing that could be invoked or somesuch. ianal, not my dept.

If you google for it, you'll find lots of obsolete bogon info, typically lacking the suggestion to check IANA's web site or other resources to check the freshness of the data or any warning that the data will change over time as more space gets allocated.

From the first page of google: bogon ACL cisco
http://www.tech-recipes.com/modules.php?name=Forums&file=viewtopic&p=6817

Do you threaten to sue them all?

The real problems are all the networks that setup static bogon filters some time ago which nobody maintains or in some cases, even knows about. Changing a few web sites won't fix any of those routers. It's a lousy position to be in, but my suggestion is try to make contact with the bigger / more important networks blocking your new space and let the rest of them figure it out on their own.

I'm surprised William's site hasn't been updated. He used to be fairly active online. Has anyone heard from him at all recently?

--
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_ http://www.lewis.org/~jlewis/pgp for PGP public key_
Re: DNS - connection limit (without any extra hardware)
On Monday 11 December 2006 16:15, you wrote:
> > I use to slave "." which can save time on recursive DNS servers when they have
> > a lot of dross to answer (assuming it is totally random dross).
>
> I'm not sure to understand your solution.
> You configure your name-server as a slave-root-server?

Yes.

Most of the root server traffic is answering queries with "NXDOMAIN" for non-existent top level domains, if you slave root on your recursive servers, your recursive servers can answer those queries directly (from the 120KB root zone file), rather than relying on negative caching, and a round trip to the root servers, for every new non-existent domain.

The drawback is you provide the answer with the authority bit set, which isn't what the world's DNS clients should expect, but DNS clients don't care about that one bit (sorry). If the root zone file changed quickly it might also cause other problems!

Paul V was very cautious about it as a method of running a DNS server, but if the recursive servers are being barraged with queries for (different) non-existent top level domains I think it is probably preferable to the servers being flattened (and/or passing that load onto the root name servers). If the queries are for existing, or the same, domains each time, it won't provide significant improvement.

I suppose any server issuing more than 2000 or so queries a day to the root servers would potentially save bandwidth, and provide a more responsive experience for the end user. But one also has to handle the case of the root zone potentially expiring, not something I ever allowed to happen, but then I'm not the average DNS administrator.

I've used this technique extensively myself in the past with no issues, but I'm not using it operationally at the moment. Since the load average on our DNS server is 0.00 to two decimal places I doubt it would make a lot of difference, and we host websites, and email, not randomly misconfigured, home, or business user PCs. So mostly we do lookups in in-addr.arpa, a depressingly large proportion of which fail, or look-ups for a small set of servers we forward email to (most of which exist, or I delete the forward).
Re: Bogon Filter - Please check for 77/8 78/8 79/8
* Jared Mauch:

> My recommendation is to write a letter (in german) and fax it
> over to their fax# with the urls clearly written out (eg: iana vs
> their url) showing the problem with the address space. it'll likely
> sufficiently confuse someone that they'll be curious and research it
> and solve the problem.

Isn't completewhois.com William's project? I doubt he cares about German letters if he doesn't even notice the peer pressure on NANOG.
Re: Bogon Filter - Please check for 77/8 78/8 79/8
Stephen Satchell wrote:
>
> Jared Mauch wrote:
>> linking to stuff like the bogon-announce list too wouldn't
>> be a bad idea either :)
>
>
> Bogon announce list?

Read here: http://www.cymru.com/
And you will find: http://puck.nether.net/mailman/listinfo/bogon-announce

Btw it is the first hit on google(bogon announce list)

Greets,
Jeroen
Re: Bogon Filter - Please check for 77/8 78/8 79/8
Jared Mauch wrote:
> linking to stuff like the bogon-announce list too wouldn't be a bad idea either :)

Bogon announce list?
Re: DNS - connection limit (without any extra hardware)
> I use to slave "." which can save time on recursive DNS servers when they have a lot of dross to answer (assuming it is totally random dross).

I'm not sure to understand your solution. You configure your name-server as a slave-root-server?

On 12/8/06, Simon Waters <[EMAIL PROTECTED]> wrote:
> On Friday 08 December 2006 14:40, you wrote:
> >
> > For this reason, I would like that a DNS could response maximum to 10
> > queries per second given by every single Ip address.
>
> That may trap an email server or two.
>
> Did you consider checking what they are looking up, and lying to them about the TTL/answer "127.0.0.1 for a week" maybe better than NXDOMAIN.
>
> I use to slave "." which can save time on recursive DNS servers when they have a lot of dross to answer (assuming it is totally random dross).
>
> I suspect complex rate limiting may be nearly as expensive as providing DNS answers with Bind9.
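The per-address cap of 10 queries per second asked for in this exchange, and the caveat that it may trap a mail server, worked through as an added example (not code from any poster in the thread). The token-bucket limiter, the two client addresses and the traffic pattern are all constructed assumptions; times are in integer milliseconds so the counts are exact.

```python
from collections import defaultdict


class SourceLimiter:
    """Token bucket per client address.

    rate  = queries per second refilled for each source
    burst = most queries a source can have saved up
    Tokens are kept as integer milli-tokens (1000 = one query).
    """

    def __init__(self, rate, burst):
        self.rate = rate
        self.burst = burst
        self.state = {}  # source -> (milli_tokens, last_seen_ms)

    def allow(self, source, now_ms):
        # Every query touches per-source state, whether answered or dropped.
        tokens, last = self.state.get(source, (self.burst * 1000, now_ms))
        # rate tokens/second is the same as rate milli-tokens/millisecond.
        tokens = min(self.burst * 1000, tokens + (now_ms - last) * self.rate)
        allowed = tokens >= 1000
        if allowed:
            tokens -= 1000
        self.state[source] = (tokens, now_ms)
        return allowed


def constructed_queries():
    """(timestamp_ms, source) pairs. Constructed sample, not captured traffic."""
    events = []
    # 192.0.2.10: infected client, steady 40 queries/second for 5 seconds.
    for i in range(200):
        events.append((i * 25, "192.0.2.10"))
    # 192.0.2.25: mail server, 25 lookups at once every 5 seconds
    # (5 queries/second on average, well under the cap).
    for burst_start in (0, 5000, 10000):
        for _ in range(25):
            events.append((burst_start, "192.0.2.25"))
    return sorted(events)


def dropped_per_source(events, rate, burst):
    """Replay events through a limiter; return {source: dropped_count}."""
    limiter = SourceLimiter(rate, burst)
    dropped = defaultdict(int)
    for now_ms, source in events:
        if not limiter.allow(source, now_ms):
            dropped[source] += 1
    return dict(dropped)


if __name__ == "__main__":
    events = constructed_queries()
    # Hard cap: 10/s with no headroom. The mail server loses 15 of every 25.
    print("rate=10 burst=10:", dropped_per_source(events, 10, 10))
    # Same sustained rate with burst headroom: only the flood is shed.
    print("rate=10 burst=30:", dropped_per_source(events, 10, 30))
```

With no burst headroom the well-behaved mail server loses more than half its lookups; with headroom only the flooding client is limited, at the cost of letting its first 30 or so queries through.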
Another bogon block: 2001:678::/29 (Was: Bogon Filter - Please check for 77/8 78/8 79/8)
[After the very short IANAL part, an operational part wrt 2001:678::/29]

Robert E. Seastrom wrote:
>
> no, he's saying that a lawsuit is a useful method of forcing someone
> who is intentionally or negligently distributing incorrect information
> that other people who do not know any better then believe and use in
> their own networks.

If that is the basis that people sue on, then I really wonder all of a sudden when somebody will sue their government, news agencies and all those nice magazines where those paparazzi stalkers are working for.

But to keep this nice and operational:

Just as a side example: 2001:678:1::/48 is a "DNS Anycast Block". ftp://ftp.ripe.net/pub/stats/ripencc/delegated-ripencc-latest doesn't list this yet, even though it was allocated 2 months ago. There was though a 2001:678::/35 block previously (which is still in the above file but not in whois anymore). GRH thus listed this falsely. Should I thus be liable for publishing information that is wrong, as GRH was listing the /48 "Subnet of a big allocation", which it in effect was, as it was, according to the tool, part of the /35.

  grh.sixxs.net> show bgp 2001:678:1::/48
  BGP routing table entry for 2001:678:1::/48
  Paths: (32 available, best #30, table Default-IP-Routing-Table)

And that is out of about 100 peers that GRH has. As such can I ask the community, people who are maintaining routers, to check their filters and start accepting these prefixes? Thank you.

As many people rely on the 'delegated--latest' files for producing their filters, I have contacted RIPE NCC to resolve that issue, most likely that will then automatically punch the appropriate holes into the automated tools which rely on it. GRH though has been updated manually already. When RIPE NCC has fixed it up, I'll follow up to ISP's that have not fixed up their filters yet, so that that number comes quite a bit closer to 100.

Thanks to Simon Leinen for reporting it btw as I hadn't noticed it: am I thus liable for 'spreading false info' ?

Greets,
Jeroen
(glad to not be in the US :)
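An audit of a static bogon filter against records in the RIR "delegated" statistics format that this message says many filters are generated from, as an added example (not a tool from the thread or from any poster). The sample records, their dates and country codes, the filter list and the function names are constructed assumptions; the prefixes are ones named in the thread.

```python
import ipaddress

# Constructed sample in the RIR delegated-statistics layout:
#   registry|cc|type|start|value|date|status
# For ipv4 "value" is an address count; for ipv6 it is a prefix length.
SAMPLE_DELEGATED = """\
2|ripencc|20061211|3|19830705|20061211|+0100
ripencc|*|ipv4|*|2|summary
ripencc|*|ipv6|*|1|summary
ripencc|GB|ipv4|77.96.0.0|524288|20061101|allocated
ripencc|DE|ipv4|77.176.0.0|1048576|20061101|allocated
ripencc|EU|ipv6|2001:678:1::|48|20061001|assigned
"""

# Constructed static filter of the kind the thread describes: written once,
# before 77/8, 78/8 and 79/8 were handed to RIPE, and never revisited.
STALE_FILTER = ["10.0.0.0/8", "77.0.0.0/8", "78.0.0.0/8", "79.0.0.0/8",
                "2001:678::/29"]


def parse_delegated(text):
    """Return the allocated/assigned networks found in delegated-format text."""
    nets = []
    for line in text.splitlines():
        fields = line.strip().split("|")
        if line.startswith("#") or len(fields) < 7:
            continue  # comments and summary lines
        rtype, start, value, status = fields[2], fields[3], fields[4], fields[6]
        if status not in ("allocated", "assigned"):
            continue  # also skips the version header line
        if rtype == "ipv4":
            # An address count need not be one CIDR block, so summarise the range.
            first = ipaddress.IPv4Address(start)
            last = first + (int(value) - 1)
            nets.extend(ipaddress.summarize_address_range(first, last))
        elif rtype == "ipv6":
            nets.append(ipaddress.ip_network(f"{start}/{value}"))
    return nets


def audit_filter(bogon_prefixes, delegated_nets):
    """Map each filter entry to the delegated networks it would drop."""
    stale = {}
    for prefix in bogon_prefixes:
        bogon = ipaddress.ip_network(prefix)
        hits = [n for n in delegated_nets
                if n.version == bogon.version and n.overlaps(bogon)]
        if hits:
            stale[prefix] = hits
    return stale


def blocking_entries(address, bogon_prefixes):
    """Filter entries that match one test address, e.g. a published test host."""
    addr = ipaddress.ip_address(address)
    return [p for p in bogon_prefixes
            if ipaddress.ip_network(p).version == addr.version
            and addr in ipaddress.ip_network(p)]


if __name__ == "__main__":
    delegated = parse_delegated(SAMPLE_DELEGATED)
    for entry, nets in audit_filter(STALE_FILTER, delegated).items():
        print(f"{entry} blocks delegated space: {', '.join(map(str, nets))}")
    # 77.181.114.4 is the test host named in the original post of the thread.
    print("77.181.114.4 matched by:", blocking_entries("77.181.114.4", STALE_FILTER))
```

The audit is only as current as the delegation data fed to it: 78/8 and 79/8 are not flagged here because the constructed sample holds no records for them, which is the same lag the message describes for the /48.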
Re: DNS - connection limit (without any extra hardware)
of course, my company is working on two main tasks: the first team is focused on discovering what is the virus, and what is the best anti-virus.

instead, my team has already scaled our DNS service, by doubling the number of DNSs. I'm not completely satisfied by the "scaling solution": I wish to find a solution that could grant a good quality of the service without placing a lot of DNS in my web-farms

Thanks
Best Regards
Luke

On 12/8/06, Matt Ghali <[EMAIL PROTECTED]> wrote:
> On Fri, 8 Dec 2006, Simon Waters wrote:
> > I suspect complex rate limiting may be nearly as expensive as providing DNS
> > answers with Bind9.
>
> Indeed. It is generally accepted that it is easier to simply scale your service to provide adequate headroom than implement per-client traffic policies.
>
> of course, you could also work on cleaning up the mess, but I will charitably assume you are working the problem from both directions simultaneously.
>
> matto
>
> [EMAIL PROTECTED]<
> Moral indignation is a technique to endow the idiot with dignity.
> - Marshall McLuhan
Re: Bogon Filter - Please check for 77/8 78/8 79/8
On Mon, Dec 11, 2006 at 10:28:27AM -0500, Robert E. Seastrom wrote:
>
>
> no, he's saying that a lawsuit is a useful method of forcing someone
> who is intentionally or negligently distributing incorrect information
> that other people who do not know any better then believe and use in
> their own networks.
>
> i betcha libel laws aren't written in such a way that they are useful
> here, however, there might be some kind of restraint of trade thing
> that could be invoked or somesuch. ianal, not my dept.

My recommendation is to write a letter (in german) and fax it over to their fax# with the urls clearly written out (eg: iana vs their url) showing the problem with the address space. it'll likely sufficiently confuse someone that they'll be curious and research it and solve the problem.

linking to stuff like the bogon-announce list too wouldn't be a bad idea either :)

- jared

>
> ---rob
>
> "Scott Morris" <[EMAIL PROTECTED]> writes:
>
> > So we're saying that a lawsuit is an intelligent method to force someone
> > else to correct something that you are simply using to avoid the irritation
> > of manually updating things yourself???
> >
> > That seems to be the epitome of laziness vs. litigiousness.
> >
> > Scott
> >
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> > Sent: Monday, December 11, 2006 9:55 AM
> > To: Jack Bates
> > Cc: nanog@merit.edu
> > Subject: Re: Bogon Filter - Please check for 77/8 78/8 79/8
> >
> >
> > On Mon, 11 Dec 2006, Jack Bates wrote:
> >
> >>
> >> Allan Houston wrote:
> >> > This probably isn't helped much by sites like completewhois.com
> >> > still showing these ranges as bogons..
> >> >
> >> > http://www.completewhois.com/bogons/active_bogons.htm
> >> >
> >> > They've ignored all my attempts to get them to update so far.. sigh..
> >> >
> >>
> >> They just need someone using the address space to slap them with a
> > lawsuit.

--
Jared Mauch  | pgp key available via finger from [EMAIL PROTECTED]
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
Re: Bogon Filter - Please check for 77/8 78/8 79/8
Scott Morris wrote:
> So we're saying that a lawsuit is an intelligent method to force someone else to correct something that you are simply using to avoid the irritation of manually updating things yourself???
>
> That seems to be the epitome of laziness vs. litigiousness.
>
> Scott

I would doubt the person using a bogon list would be the initiator of a lawsuit. It would be more plausible that the person using the netspace listed incorrectly as a bogon would have just cause for filing a lawsuit. It's annoying enough to chase after all the people who manually configure bogon networks and forget them in their firewalls. From previous posts, it appears that this is a case of continued propagation of incorrect information after being notified of the inaccuracy, and the information is published as being fact; implying accuracy.

Jack Bates
RE: Bogon Filter - Please check for 77/8 78/8 79/8
> So we're saying that a lawsuit is an intelligent method to force someone else to correct something that you are simply using to avoid the irritation of manually updating things yourself???
>
> That seems to be the epitome of laziness vs. litigiousness.

I think the point is that people are trusting this "self appointed" authority and thus others are blocking _his_ legitimate traffic. If you're going to appoint yourself an "authority" then you have a responsibility to be accurate. If you're too lazy to keep your lists up to date then you need to stop offering said lists.

As an admin I can't stop other people from using such an idiotic list. However I can sue the list for libel- after all they are printing the incorrect fact that the traffic I am sending is bogus and thus are harming my reputation and impacting my business. Seems to me like this is _exactly_ what the courts are for. There is no gray area- it's not a question of whether or not this is spam for example. This list is publishing the false statement that the traffic this ISP is trying to send is bogus. If they won't correct their mistake then you absolutely should be able to petition the courts to get them to stop publishing false information about you.

-Don
Re: Bogon Filter - Please check for 77/8 78/8 79/8
Scott Morris wrote:
> So we're saying that a lawsuit is an intelligent method to force someone else to correct something that you are simply using to avoid the irritation of manually updating things yourself???
>
> That seems to be the epitome of laziness vs. litigiousness.
>
> Scott
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Sent: Monday, December 11, 2006 9:55 AM
> To: Jack Bates
> Cc: nanog@merit.edu
> Subject: Re: Bogon Filter - Please check for 77/8 78/8 79/8
>
> On Mon, 11 Dec 2006, Jack Bates wrote:
>> Allan Houston wrote:
>>> This probably isn't helped much by sites like completewhois.com still showing these ranges as bogons..
>>>
>>> http://www.completewhois.com/bogons/active_bogons.htm
>>>
>>> They've ignored all my attempts to get them to update so far.. sigh..
>>
>> They just need someone using the address space to slap them with a lawsuit.

I've spent a fairly substantial amount of time over the last few weeks attempting to get ISPs / hosting centers / little Johnny's server in his mom's basement to debogonise my 77.96.0.0/13 prefix.

I can tell you that I've heard no less than four times from networking bods that we're still listed as a bogon on completewhois.com, that they don't think they need to update their filters etc etc.

So while I agree entirely that you shouldn't use these sites for accurate filters, we have to recognise that in an imperfect world there are some people who do choose to use them, no matter how silly we feel it is..

Guess the point I'm making is that chasing down bad bogons is a frustrating enough task without an allegedly accurate listing site posting out of date info.

PS - if anyone has a networking contact at ev1servers.net , please send me a mail because I'm getting hair loss I can ill afford trying to get them to remove their bogon filters.
Re: Bogon Filter - Please check for 77/8 78/8 79/8
no, he's saying that a lawsuit is a useful method of forcing someone who is intentionally or negligently distributing incorrect information that other people who do not know any better then believe and use in their own networks.

i betcha libel laws aren't written in such a way that they are useful here, however, there might be some kind of restraint of trade thing that could be invoked or somesuch. ianal, not my dept.

---rob

"Scott Morris" <[EMAIL PROTECTED]> writes:

> So we're saying that a lawsuit is an intelligent method to force someone
> else to correct something that you are simply using to avoid the irritation
> of manually updating things yourself???
>
> That seems to be the epitome of laziness vs. litigiousness.
>
> Scott
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Sent: Monday, December 11, 2006 9:55 AM
> To: Jack Bates
> Cc: nanog@merit.edu
> Subject: Re: Bogon Filter - Please check for 77/8 78/8 79/8
>
>
> On Mon, 11 Dec 2006, Jack Bates wrote:
>
>>
>> Allan Houston wrote:
>> > This probably isn't helped much by sites like completewhois.com
>> > still showing these ranges as bogons..
>> >
>> > http://www.completewhois.com/bogons/active_bogons.htm
>> >
>> > They've ignored all my attempts to get them to update so far.. sigh..
>> >
>>
>> They just need someone using the address space to slap them with a
> lawsuit.
RE: Bogon Filter - Please check for 77/8 78/8 79/8
So we're saying that a lawsuit is an intelligent method to force someone else to correct something that you are simply using to avoid the irritation of manually updating things yourself???

That seems to be the epitome of laziness vs. litigiousness.

Scott

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Monday, December 11, 2006 9:55 AM
To: Jack Bates
Cc: nanog@merit.edu
Subject: Re: Bogon Filter - Please check for 77/8 78/8 79/8

On Mon, 11 Dec 2006, Jack Bates wrote:
>
> Allan Houston wrote:
> > This probably isn't helped much by sites like completewhois.com
> > still showing these ranges as bogons..
> >
> > http://www.completewhois.com/bogons/active_bogons.htm
> >
> > They've ignored all my attempts to get them to update so far.. sigh..
> >
>
> They just need someone using the address space to slap them with a lawsuit.
Re: Bogon Filter - Please check for 77/8 78/8 79/8
On Mon, Dec 11, 2006 at 08:40:41AM -0600, Jack Bates wrote:
>
> Allan Houston wrote:
> >This probably isn't helped much by sites like completewhois.com still
> >showing these ranges as bogons..
> >
> >http://www.completewhois.com/bogons/active_bogons.htm
> >
> >They've ignored all my attempts to get them to update so far.. sigh..
> >
>
> They just need someone using the address space to slap them with a lawsuit.
>
> Jack Bates

lawsuit? where does it say that someone MUST accept routes or listen to a self-appointed authority?

--bill
Re: Bogon Filter - Please check for 77/8 78/8 79/8
On Mon, 11 Dec 2006, Jack Bates wrote:
>
> Allan Houston wrote:
> > This probably isn't helped much by sites like completewhois.com still
> > showing these ranges as bogons..
> >
> > http://www.completewhois.com/bogons/active_bogons.htm
> >
> > They've ignored all my attempts to get them to update so far.. sigh..
> >
>
> They just need someone using the address space to slap them with a lawsuit.

why would you let a third party not related to your business directly affect packet forwarding capabilities on your network? (in other words, why would you use them?)
Re: Bogon Filter - Please check for 77/8 78/8 79/8
Allan Houston wrote:
> This probably isn't helped much by sites like completewhois.com still showing these ranges as bogons..
>
> http://www.completewhois.com/bogons/active_bogons.htm
>
> They've ignored all my attempts to get them to update so far.. sigh..

They just need someone using the address space to slap them with a lawsuit.

Jack Bates
Re: Bogon Filter - Please check for 77/8 78/8 79/8
Florian Lohoff wrote:
> Hi *, in august IANA handed 77/8 78/8 79/8 to RIPE which started handing out those ranges 2 months ago.
>
> We (Telefonica Deutschland AS6805) are seeing a lot of reachability problems most likely caused by not updated bogon filters.
>
> For testing purposes 77.181.114.4 aka bogon.mediaways.net is up for icmp/http.
>
> Please check and possibly update your filters.
>
> Flo (aka [EMAIL PROTECTED])

This probably isn't helped much by sites like completewhois.com still showing these ranges as bogons..

http://www.completewhois.com/bogons/active_bogons.htm

They've ignored all my attempts to get them to update so far.. sigh..

Allan Houston - IP Network Operations
Tel : +44 1483 582615
ntl: Telewest
Bogon Filter - Please check for 77/8 78/8 79/8
Hi *, in august IANA handed 77/8 78/8 79/8 to RIPE which started handing out those ranges 2 months ago.

We (Telefonica Deutschland AS6805) are seeing a lot of reachability problems most likely caused by not updated bogon filters.

For testing purposes 77.181.114.4 aka bogon.mediaways.net is up for icmp/http.

Please check and possibly update your filters.

Flo (aka [EMAIL PROTECTED])

--
Florian Lohoff [EMAIL PROTECTED] +49-171-2280134
Heisenberg may have been here.