Re: Google DNS Oddity

2019-09-06 Thread Chip Marshall via NANOG
On 2019-09-06, Stephen Stuart  sent:
> Do you see the same behavior when you execute your dig query without
> the trailing dot?

Yes. dig adds on the trailing dot to make it an FQDN anyway, so the on-wire
qname is the same either way.

-- 
Chip Marshall 


Re: Google DNS Oddity

2019-09-06 Thread Chip Marshall via NANOG
On 2019-09-06, Jared Mauch  sent:
> You may want to post on dns-operations instead.

Will do.
 
> Can you do a dig +trace www.google.com instead, that would be more
> instructive about what’s happening at each layer of the delegation.

```
# dig +trace www.google.com. 

; <<>> DiG 9.10.3-P4-Ubuntu <<>> +trace www.google.com. 
;; global options: +cmd
.   40841   IN  NS  b.root-servers.net.
.   40841   IN  NS  g.root-servers.net.
.   40841   IN  NS  k.root-servers.net.
.   40841   IN  NS  i.root-servers.net.
.   40841   IN  NS  m.root-servers.net.
.   40841   IN  NS  c.root-servers.net.
.   40841   IN  NS  l.root-servers.net.
.   40841   IN  NS  e.root-servers.net.
.   40841   IN  NS  d.root-servers.net.
.   40841   IN  NS  f.root-servers.net.
.   40841   IN  NS  h.root-servers.net.
.   40841   IN  NS  j.root-servers.net.
.   40841   IN  NS  a.root-servers.net.
.   40841   IN  RRSIG   NS 8 0 518400 2019091705 
2019090404 59944 . W93v8sQLROIXL1qvcezKKnL8XwzzxuFb6VbyV7h+SG27BIgJiOGrNE5q 
M6ncTYozvKd3tKJ/cQZcnIO9zi9tInPKgVctNF1Fp2FGb8TnFuTkIOMy 
MEVzbWEZrZErcToDRaK1WzlrxBL6gsIfegE8gjC/2XVnKQENZCJ4qgg8 
V/u1CKbJGV0nmnVusCZ6pXnkVJDDdvvicaUf0IoxqEONh1h/xKghX14R 
6leOUCJpAtdS0M9eyPeBL5myCm7olOVhi/A+9QjZLv60vefYAF7aREtW 
5mEvg/YyNz4dUOHrhz/iRbK/wGIbtyuTpvy3Gg/F2dtrVfJBzobDnGpv sFO4xA==
;; Received 525 bytes from 8.8.8.8#53(8.8.8.8) in 1 ms

com.172800  IN  NS  a.gtld-servers.net.
com.172800  IN  NS  b.gtld-servers.net.
com.172800  IN  NS  c.gtld-servers.net.
com.172800  IN  NS  d.gtld-servers.net.
com.172800  IN  NS  e.gtld-servers.net.
com.172800  IN  NS  f.gtld-servers.net.
com.172800  IN  NS  g.gtld-servers.net.
com.172800  IN  NS  h.gtld-servers.net.
com.172800  IN  NS  i.gtld-servers.net.
com.172800  IN  NS  j.gtld-servers.net.
com.172800  IN  NS  k.gtld-servers.net.
com.172800  IN  NS  l.gtld-servers.net.
com.172800  IN  NS  m.gtld-servers.net.
com.86400   IN  DS  30909 8 2 
E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
com.86400   IN  RRSIG   DS 8 1 86400 2019091917 
2019090616 59944 . ep9gNcyySwR/AqNOnfjXq3OCw5IwOJnIxU4U25UdZ2ejwbJqLf8ytp68 
O5DQz1N/PvrEhi1Wg8XyQHZM+fc38cYhhjG5HMVOcEN3wvifnxTWEwBs 
ay2GxF10TtUpg9TF4Qs2+V8k0ABWwAKIBbSAeZ+C+l5mBg18CCnTgjeg 
PR+466SgA7sHbzaI9PYK57suhq3uLrphcC2Ti7jmV9V41H5D52gNTiV5 
eQ2BsPo+l5LyLrvusailMOzogav9v4M9bnOSGTcc85nf/wD5/Vo4R4MU 
OexIxio0NGBl7GeS3zoPKV29CYnfcuZBkD2VBuPKZafxp0nIo4olMznn szi9lg==
;; Received 1174 bytes from 199.7.83.42#53(l.root-servers.net) in 60 ms

google.com. 172800  IN  NS  ns2.google.com.
google.com. 172800  IN  NS  ns1.google.com.
google.com. 172800  IN  NS  ns3.google.com.
google.com. 172800  IN  NS  ns4.google.com.
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 - 
CK0Q1GIN43N1ARRC9OSM6QPQR81H5M9A NS SOA RRSIG DNSKEY NSEC3PARAM
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3 8 2 86400 
20190912044627 20190905033627 17708 com. 
kXWtAEptQhH9JpsAJzpvEwEwRtybI/FVl9Hrd1lr/GTkZ3P4clnR7YLB 
quX4CVf8E0+gEfwf4U2PpmphROV1eHweyycVydvTE8etaDipTpItbtyG 
7Iz/uKjp1TY3RD+qNa6LZ1juEs70aKPsbmEV79rtiTW2kurdgqslP5jH Jg0=
S84BDVKNH5AGDSI7F5J0O3NPRHU0G7JQ.com. 86400 IN NSEC3 1 1 0 - 
S84CFH3A62N0FJPC5D9IJ2VJR71OGLV5 NS DS RRSIG
S84BDVKNH5AGDSI7F5J0O3NPRHU0G7JQ.com. 86400 IN RRSIG NSEC3 8 2 86400 
20190913045601 20190906034601 17708 com. 
bJE7LV1REfTtY1jFj/9qA1CKIDBgCJOTV42tSwf92aqhTAkflM9QFH7/ 
3Z5440IkZ8PoWMt9Yn7fn+Q+cTZVnbj071jVpiLNXshhMQbtDC1eJkLz 
AIuATIj+dqWTWQg7vut0oiy0wnJ2ktSgqTFe4JtwRD0lWO6+NgnhbgQD 2yg=
;; Received 776 bytes from 192.43.172.30#53(i.gtld-servers.net) in 74 ms

www-anycast.google.com. 300 IN  AAAA  2001:4860:4802:32::75
www-anycast.google.com. 300 IN  AAAA  2001:4860:4802:34::75
www-anycast.google.com. 300 IN  AAAA  2001:4860:4802:38::75
www-anycast.google.com. 300 IN  AAAA  2001:4860:4802:36::75
;; Received 167 bytes from 216.239.38.10#53(ns4.google.com) in 6 ms
```


-- 
Chip Marshall 


Google DNS Oddity

2019-09-06 Thread Chip Marshall via NANOG
Hello, I'm seeing an oddity when doing DNS lookups for www.google.com from our
London datacenter, and I'm curious if other people are seeing the same
behavior.

It appears that when we ask for www.google.com. we sometimes get an answer
that only contains records for www-anycast.google.com., which our resolver
ignores as they don't match the query.

As seen with dig:

```
# dig @ns1.google.com. www.google.com. 

; <<>> DiG 9.10.3-P4-Ubuntu <<>> @ns1.google.com. www.google.com. 
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42641
;; flags: qr aa rd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.google.com.        IN  AAAA

;; ANSWER SECTION:
www-anycast.google.com. 300 IN  AAAA  2001:4860:4802:34::75
www-anycast.google.com. 300 IN  AAAA  2001:4860:4802:38::75
www-anycast.google.com. 300 IN  AAAA  2001:4860:4802:36::75
www-anycast.google.com. 300 IN  AAAA  2001:4860:4802:32::75

;; Query time: 7 msec
;; SERVER: 216.239.32.10#53(216.239.32.10)
;; WHEN: Fri Sep 06 19:05:32 UTC 2019
;; MSG SIZE  rcvd: 167
```

So far I've observed this with A and AAAA queries. It's my understanding that
without a CNAME record in the answer, the resolver is doing the right thing by
ignoring the answer, as there's no linkage between www and www-anycast.

Is this broken, or is this just some weird DNS trick I've not come across
before?

-- 
Chip Marshall 
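The resolver behaviour the post describes, written out as a small answer-sanitisation routine. This is an added example, not code from the thread or from any actual resolver; the `ODD_ANSWER` record set is constructed from the dig output quoted above, and the `LINKED_ANSWER` variant (a CNAME from www to www-anycast) is a hypothetical showing what the answer would have to contain for a resolver to accept it. Accepting records whose owner name is not reachable from the query name is what makes a cache-poisonable resolver, so the check is the defensive default, not pedantry:

```python
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    """One resource record from a DNS answer section (TTL and class omitted)."""
    name: str
    rtype: str
    rdata: str


def canon(name: str) -> str:
    """Lower-case the name and make it fully qualified (dig does the same on the wire)."""
    n = name.lower()
    return n if n.endswith(".") else n + "."


def rdata_is_wellformed(rr: RR) -> bool:
    """Address records must carry a parseable address; other types are passed through."""
    family = {"A": socket.AF_INET, "AAAA": socket.AF_INET6}.get(rr.rtype)
    if family is None:
        return True
    try:
        socket.inet_pton(family, rr.rdata)
        return True
    except OSError:
        return False


def usable_answers(qname: str, qtype: str, answers: list, max_cname_depth: int = 8) -> list:
    """Return the records a resolver may use for (qname, qtype).

    Starting at qname, accept records of the requested type owned by the current
    target, or follow a CNAME owned by it.  Anything whose owner name is never
    reached this way (the bare www-anycast records in the post) is ignored.
    """
    target = canon(qname)
    seen = set()
    chain = []  # CNAME records followed so far
    for _ in range(max_cname_depth):
        if target in seen:
            break  # CNAME loop: give up rather than spin
        seen.add(target)
        direct = [rr for rr in answers
                  if canon(rr.name) == target and rr.rtype == qtype and rdata_is_wellformed(rr)]
        if direct:
            return chain + direct
        cnames = [rr for rr in answers if canon(rr.name) == target and rr.rtype == "CNAME"]
        if not cnames:
            break  # dead end: no data at target and no CNAME linking onward
        chain.append(cnames[0])
        target = canon(cnames[0].rdata)
    # chain never terminated in a usable record; only the CNAMEs (if any) are returned
    return chain


def addresses(qname: str, qtype: str, answers: list) -> list:
    """Sorted rdata of the terminal records of the requested type, or [] if none were usable."""
    return sorted(rr.rdata for rr in usable_answers(qname, qtype, answers) if rr.rtype == qtype)


# Constructed from the dig output in the post: four AAAA records owned by
# www-anycast.google.com and no CNAME from www.google.com pointing at them.
ODD_ANSWER = [
    RR("www-anycast.google.com.", "AAAA", "2001:4860:4802:34::75"),
    RR("www-anycast.google.com.", "AAAA", "2001:4860:4802:38::75"),
    RR("www-anycast.google.com.", "AAAA", "2001:4860:4802:36::75"),
    RR("www-anycast.google.com.", "AAAA", "2001:4860:4802:32::75"),
]

# Hypothetical: the same records plus the CNAME that would make them acceptable.
LINKED_ANSWER = [RR("www.google.com.", "CNAME", "www-anycast.google.com.")] + ODD_ANSWER


if __name__ == "__main__":
    print("as returned by ns1:", addresses("www.google.com", "AAAA", ODD_ANSWER))
    print("with CNAME linkage:", addresses("www.google.com", "AAAA", LINKED_ANSWER))
```

Run it and the first line is an empty list, which is exactly the "no answer" the poster's resolver produced; the second shows the four addresses once a CNAME ties the owner names together. The depth bound and the `seen` set are there because a CNAME chain supplied by a remote server is untrusted input and must not be able to loop the resolver.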


Re: BGP Communities

2018-07-05 Thread Chip Marshall via NANOG
I think it's generally pretty free form; however, I just wanted to note that
RTBH has a well known community of 65535:666 now, from RFC 7999.


On Thu, Jul 5, 2018 at 2:46 PM, Matthew Crocker 
wrote:

>
> Hello,
>
> I’m just getting started setting up communities for my network.  Is there
> any standard convention for community numbering (*:666 for RTBH for
> example)?   I’ve looked at some examples from other carriers and it looks
> like everyone does their own thing.
>
> -Matt
>
> --
> Matthew Crocker
> Crocker Communications, Inc.
> President
>



-- 
Chip Marshall 
http://2bithacker.net/


Re: Yet another Quadruple DNS?

2018-03-29 Thread Chip Marshall
On 2018-03-29, Stephane Bortzmeyer  sent:
> On Thu, Mar 29, 2018 at 07:33:08AM -0400,
>  Matt Hoppes  wrote 
>  a message of 7 lines which said:
> 
> > We already have 8.8.8.8 and 8.8.4.4.
> 
> And 9.9.9.9 and several others public DNS resolvers.

I think the real question is "when are we going to get some memorable
IPv6 public recursive DNS servers?"

2001:4860:4860:: or 2620:fe::fe just aren't quite as catchy as
8.8.8.8 or 9.9.9.9.

-- 
Chip Marshall 
http://2bithacker.net/


Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks

2018-02-27 Thread Chip Marshall
On 2018-02-27, Ca By  sent:
> Please do take a look at the cloudflare blog specifically as they name and
> shame OVH and Digital Ocean for being the primary sources of mega crap
> traffic
> 
> https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/
> 
> Also, policer all UDP all the time... UDP is unsafe at any speed.

Hi, DigitalOcean here. We've taken steps to mitigate this attack on our network.

Also, we've only seen udp/11211 being a problem. I'd be interested to
hear of anyone seeing tcp/11211 attacks.

-- 
Chip Marshall 
http://2bithacker.net/


Re: mrtg alternative

2016-03-23 Thread Chip Marshall
May want to check out AKiPS. It's non-free, but we've been using it for
a while now, and it works pretty well. The UI is a little rough, but the
poller is fast, and the graphs render quickly.

https://www.akips.com/

On 2016-03-24, Anurag Bhatia  sent:
> +1 for Cacti.
> 
> I tried zenoss & observium but still Cacti is more cool in
> terms of tweaking templates as well as the tree mode for easy
> quick representation.
> 
> Thanks for starting this cool thread. Will help in
> getting links to some of other cool projects which we
> don't hear around.
> 
> On Wed, Mar 23, 2016 at 10:36 PM, Alan Buxey 
> wrote:
> 
> > +1 for Statseeker. Ease of use etc (price depends on eg site size etc).
> > Can do lots on just one mid server unlike some other bloaty solutions out
> > there.  But we also still use MRTG for some local bespoke measurements
> >
> > PS you can get a free Eval of statseeker. Obnote, don't work for them just
> > a fairly happy customer
> >
> > alan
> >
> 
> 
> 
> -- 
> 
> 
> Anurag Bhatia
> anuragbhatia.com

-- 
Chip Marshall 
http://2bithacker.net/




Re: sfp "computer"?

2015-10-19 Thread Chip Marshall
I don't know if they're pushing it for the QFX5100, but I think
on the QFX10k line they're pushing the ability to run another
guest VM alongside the 2 JUNOS VMs on the switch's x86 CPU.

See page 4 on the spec sheet:
http://www.juniper.net/assets/us/en/local/pdf/datasheets/1000531-en.pdf 

No idea what's involved with packaging the VM and getting it there, but
should open up some interesting possibilities.

- Chip

On 2015-10-19, Anhost  sent:
> Qfx5100 and I think ex4600. 
> 
> Sent from my iPhone
> 
> > On Oct 19, 2015, at 1:13 PM, Colton Conor  wrote:
> > 
> > Which new switches are you talking about Jerry? 
> > 
> >> On Fri, Oct 16, 2015 at 6:50 AM, Jerry Jones  wrote:
> >> A different approach would be use one of the newer switches from Juniper 
> >> and run right on the RE if you have those in your network
> >> 
> >> 
> >> On Oct 15, 2015, at 9:24 PM, Baldur Norddahl  
> >> wrote:
> >> 
> >> Hi
> >> 
> >> Does anyone make a SFP with a system on chip "computer" that you can run a
> >> small embedded linux on?
> >> 
> >> I am sure it can be done because I have a "GPON stick" which is basically a
> >> ONU with a small embedded Linux all on a SFP module. Does get fairly hot
> >> however.
> >> 
> >> My application is to run some small things that I feel are missing in my
> >> switches/routers. Plug in this imaginary "SFP computer" to enhance the
> >> switch with a small Linux. The SFP slot provides both networking and power
> >> to the device.
> >> 
> >> Regards,
> >> 
> >> Baldur
> > 

-- 
Chip Marshall 
http://2bithacker.net/




Re: inexpensive KVMoIP

2014-10-24 Thread Chip Marshall
On 2014-10-23, Jared Mauch  sent:
> Having recently encountered a problem with a machine, I’m
> looking for an inexpensive KVMoIP device to place within a
> facility to take VGA/USB Keyboard for a single host scale.
> Ideally something that can be properly placed on the internet,
> but that’s not a showstopper.
> 
> If you’re willing to loan me one for a week or two as well,
> let me know too so I can ship it to the site and recover my
> machine.

I've used Lantronix Spiders in the past; they're not bad.

I'm curious if anyone knows of one that doesn't use Java for the
client though. With things like NoVNC and Guacamole out there
now, it seems like an HTML5-based remote KVM should be possible
and not a nightmare to work with.

-- 
Chip Marshall 
http://2bithacker.net/




Re: 3356 leaking routes out 3549 lately?

2014-03-28 Thread Chip Marshall
On 2014-03-28, David Hubbard  sent:
> Has anyone had issues with Level 3 leaking advertisements out their
> Global Crossing AS3356 for customers of 3549, but not accepting the
> traffic back?  We've been encountering this more and more recently,
> bgpmon always detects it, and all we ever get from them is there's
> nothing wrong.  Today it affected CloudFlare's ability to talk to us.
> It seems to happen mostly with Europe and Asian peering points.
> Typically lasts five to ten minutes which makes me think someone working
> on merging the two networks is doing some 'no one will notice this'
> changes in the middle of the night.

I'm not sure if it's the same thing, but I've had a few alerts
from Renesys lately seeing a path to my AS via GLBX 3549 that
shouldn't exist, as we only have connections with Level 3 3356.

For example, Renesys reports "x 3549 33517" where it should only
be able to see "x 3356 33517" or maybe "x 3549 3356 33517".

(Due to Renesys policy, I can't know what x is)

-- 
Chip Marshall 
http://2bithacker.net/




Re: misunderstanding scale

2014-03-27 Thread Chip Marshall
On 2014-03-26, Owen DeLong  sent:
> Then the spammers will grab /48s instead of /64s. Lather, rinse, repeat.
> 
> Admittedly, /48s are only 65,536 RBL entries per, but I still
> think that address-based reputations are a losing battle in an
> IPv6 world unless we provide some way for providers to hint at
> block sizes.
> 
> After all, if you start blocking a /64, what if it’s a /64
> shared by thousands of hosting customers at one provider
> offering virtuals?

It was brought to my attention in a parallel thread on Mailop
that such a mechanism does exist for allowing ISPs to hint about
the size of customer allocations, at least in the RIPE database:

http://www.ripe.net/ripe/docs/ripe-513

So how do we make this universal and get ISPs to use it?

If we know customer sizes, it becomes much easier to do
reputation on a per-customer basis, which is probably granular
enough for a lot of cases.

-- 
Chip Marshall 
http://2bithacker.net/




Re: why IPv6 isn't ready for prime time, SMTP edition

2014-03-25 Thread Chip Marshall
On 2014-03-25, Mikael Abrahamsson  sent:
> I have repeatedly tried to get people interested in methods of
> making it possible for ISPs to publish their "per-customer"
> allocation size, so far without any success. Most of the time I
> seem to get "we did it a certain way for IPv4, it works, we
> don't want to change it" from people.

So it's yet another chicken-and-egg problem to add to the pile
for IPv6. Mail ops don't care because IPv6 isn't here, net ops
delay IPv6 because mail isn't ready for it?

This seems like the sort of problem that Mailops or MAAWG should
be hammering out. There's a great opportunity to get some good
BCP documents out there on "Here's how to do email in IPv6"
before deployment goes past the point of no return.

Spamhaus has had a fair amount of success with getting ISPs to
participate in things like the PBL. Why not establish something
similar for allocation sizes in IPv6?

-- 
Chip Marshall 
http://2bithacker.net/




Re: Prism continued

2013-06-12 Thread Chip Marshall
On 2013-06-12, Phil Fagan  sent:
> Speaking of Splunk; is that really the tool of choice?

I've been hearing a lot of good things about logstash these days
too, if you prefer the open source route.

http://logstash.net/

-- 
Chip Marshall 
http://2bithacker.net/




Re: need help about free bandwidth graph program

2013-04-08 Thread Chip Marshall
On 2013-04-08, Andrew Latham  sent:
> Maybe http://en.wikipedia.org/wiki/Cacti_(software) would do what you want.
> 
> www: http://www.cacti.net/index.php

If we're talking SNMP counters, Observium might be worth a look.

http://www.observium.org/

-- 
Chip Marshall 
http://2bithacker.net/




Network Configuration Management

2013-03-12 Thread Chip Marshall
Just curious what people are using for network configuration
management systems. I'm guessing most places have something
built in-house, but before starting down that road I figured it
would be a good idea to see if people have any off-the-shelf
systems they like.

Some features I'd like to have:
 * Interface configs
 * Firewall filter configs
 * BGP session configs
 * User management
 * Support for multiple router and switch vendors (at least
   Juniper and Cisco)

-- 
Chip Marshall 
http://2bithacker.net/




Re: IPv6 Network Device Numbering BP

2012-11-01 Thread Chip Marshall
On 01-Nov-2012, Owen DeLong  sent:
> The only exceptions to this parsing would be if someone handed
> you a textual representation of an IPv4 mapped address
> (::ffff:192.0.2.50), which essentially represents the partial
> decimal format Masataka is requesting.

I might be missing something here, but isn't that format already
valid for any IPv6 address, not just the special v4-in-v6
representation?

>>> import socket
>>> p = '2001:abcd::192.16.10.10'
>>> n = socket.inet_pton(socket.AF_INET6, p)
>>> socket.inet_ntop(socket.AF_INET6, n)
'2001:abcd::c010:a0a'

Or is the issue just the ntop part not giving you back the
decimalized string?

-- 
Chip Marshall 
http://weblog.2bithacker.net/  KB1QYW    PGP key ID 43C4819E
v4sw5PUhw4/5ln5pr5FOPck4ma4u6FLOw5Xm5l5Ui2e4t4/5ARWb7HKOen6a2Xs5IMr2g6CM




Re: Some truth about Comcast - WikiLeaks style

2010-12-16 Thread Chip Marshall
On 16-Dec-2010, Paul Stewart  sent:
> Pardon my ignorance here but what does Comcast do for the NANOG
> community? I know they attend many conferences and share their
> experiences with a lot of us which is very much appreciated...
> 
> Just asking ;)

http://nanog.org/meetings/nanog46/

-- 
Chip Marshall 
http://weblog.2bithacker.net/  KB1QYW    PGP key ID 43C4819E
v4sw5PUhw4/5ln5pr5FOPck4ma4u6FLOw5Xm5l5Ui2e4t4/5ARWb7HKOen6a2Xs5IMr2g6CM



Re: Hauling gear around a NANOG meeting

2008-05-22 Thread Chip Marshall
On May 22, 2008, Rod Beck sent me the following:
> I hate to break the news to the New York bashers, but New York is one
> of the safest American cities. This is not a controversial statement.
> 
> New York has a lower incidence of crime than Miami, Detroit, Seattle,
> Las Vegas, Houston, Atlanta, DC, Los Angeles, and Philadelphia.
> 
> http://www.baruch.cuny.edu/nycdata/chapter09_files/sheet002.htm
> 
> I refuse to go to NANOG events in Florida - now there is a dangerous
> place as well as a foreign country ...

Interesting data, but potentially skewed due to population differences.
New York City's metropolitan area population is 18,818,536, whereas
Miami is only 5,919,036.

Miami:  7116.2 per 100,000 = 0.071162 crimes per person
        0.071162 * 5919036 = 421,210.44 crimes

NYC:    2771.0 per 100,000 = 0.02771 crimes per person
        0.02771 * 18818536 = 521,461.63 crimes

So it's not really that there is less crime, there's just less chance of
a particular person being the perpetrator or victim.

Also, my population numbers are based on 2006 data provided by
Wikipedia, and therefore are not to be trusted.

-- 
Chip Marshall
System Administrator
Dynamic Network Services, Inc.
http://www.dyndns.com/

