anyone from cisco.com DNS Team around?

2020-12-09 Thread Thomas Mieslinger

Hi,

I have trouble activating my Cisco NCS5xxx devices.

Turns out that tools.cisco.com. resolves to either 173.37.145.8 (this
works) or 72.163.4.38 (which was decommissioned earlier this year).

By running

dig A tools.cisco.com @alln01-ucs-dcz03n-gslb1-snip.cisco.com

four times I can reproduce this.

Cisco, please fix your DNS.

Thanks Thomas


Re: TFTP over anycast

2024-02-22 Thread Thomas Mieslinger

I do NTP, DHCP, TFTP, DNS, HTTP anycast.

NTP, DNS and HTTP with ECMP, TFTP and DHCP as active/active on a per
Datacenter Basis.

These are small Datacenters with less than 50k Servers each.

In every datacenter an anycast node is active and the router just
chooses the shortest path.

It becomes tricky for DHCP if a location has the same cost to more than
one anycast node. For this case we have set up DHCP nodes in two
datacenters using different local-preferences to simulate a failover
active/passive setup.

Cheers
Thomas

On 22.02.24 at 19:47, Javier Gutierrez wrote:

Hi,
I'm working on some DR design and we want to not only have this site as
a DR but also perform some active/active for some of the services we
host and I was wondering if someone had some experience with using
anycast for TFTP or DHCP services?
What are some of the pains/challenges you experienced and things we
should look out for?

Any input is greatly appreciated.

Kind regards,

*Javier Gutierrez*




Re: IP tracking system

2021-12-16 Thread Thomas Mieslinger

On 15.12.21 at 19:22, Rich Greenwood via NANOG wrote:

On Wed, Dec 15, 2021 at 4:00 AM <nanog-requ...@nanog.org> wrote:

From: Mauricio Rodriguez <mrodrig...@fletnet.com>

This one seems to be popular and complete: https://phpipam.net/


We use phpipam and like it.   It integrates nicely with PowerDNS also,
so you can manage your DNS while you manage your IPs.
--Rich


We're using (and extending) DIM (DNS and IP Management)
github.com/1and1/dim, written in Python. The most important feature to my
colleagues and me is the CLI.

--Thomas


Re: NXDOMAIN Resolvers

2022-04-21 Thread Thomas Mieslinger

There are public and commercial offerings for "DNS based protection".

e.g. 9.9.9.9 automatically generates NXDomains for suspected malicious
DNS Names even in their free service.

They have a page where you can check if you have been blacklisted (see
https://www.quad9.net/de/result)


On 4/20/22 11:07, Antonia Affinito wrote:

Good morning,
I am currently analysing the DNS resolvers (local and public ones) in
terms of protection and performance (in particular their speed).
I noticed that, in case of a malicious domain name, some local resolvers
send an NXDOMAIN and others a courtesy page address. Do you know if the
resolvers (for example TIM, Wind or Fastweb) can return an NXDomain in
order to protect their clients?

Thanks a lot




ns1-proddns.glbdns.o365filtering.com unreachable?

2022-07-06 Thread Thomas Mieslinger

Anyone else having trouble reaching the *.o365filtering.com DNS servers?


Re: a quick survey about LLDP and similar

2019-03-04 Thread Thomas Mieslinger

A little more on the "it depends"

switches connected to end-user/customer gear: never ever.

switch to switch, switch to router interfaces: yes, to validate cabling
and resolve problems as quickly as possible.

switch to server interfaces: only to servers of teams you can trust.
Temporarily enable for untrusted teams if you'd need to order remote
hands to look up the exact cabling in case of problems.


Thomas

On 2/28/19 10:27 AM, Owen DeLong wrote:

The problem with your survey is that there’s no option to answer “it depends”.

Hard yes or no answers aren’t realistic to the questions you’re asking
because the context, security parameters, sensitivity, and other
parameters about the network all factor into a decision whether to run
or not run such protocols.

There are some environments where the benefit and convenience is
moderately high and the risk is extremely low. There are other
environments where the benefit is relatively low, but the risks are
significantly higher.

Owen



On Feb 28, 2019, at 01:00, Pierfrancesco Caci wrote:


Hello,
having a bit of a debate in my team about turning on LLDP and/or CDP.
I would appreciate if you could spend a minute answering this
survey so I have some numbers to back up my reasoning, or to accept
defeat.

https://www.surveymonkey.com/r/TH3WCWP

Feel free to cross-post to other relevant lists.

Thank you

Pf

--
Pierfrancesco Caci, ik5pvx




someone from easydns here? dns3.easydns.org. 2620:49:3::10 unreachable from AS8560 and 6939

2017-11-07 Thread Thomas Mieslinger

Hi,

can someone operating an easydns nameserver check whether 2620:49:3::10 is
answering?

I created an Atlas measurement

https://atlas.ripe.net/measurements/10137819

and I can see that some ASes can still reach 2620:49:3::10 but there are
many, many timeouts. For me, it stops working after 2a00:dd80:9:3::2 (AS42210)


Cheers

Thomas