Mailing List Archive

4.2.2.x DNS?
I have multiple clients and problems internally using 4.2.2.2 and
4.2.2.1 for DNS. My Nagios server was using these as well and has been
throwing false positives since 5-8-2009.....

Anyone else having problems?....


--chris
4.2.2.x DNS? [ In reply to ]
On May 11, 2009, at 2:48 PM, ChrisSerafin wrote:

> I have multiple clients and problems internally using 4.2.2.2 and
> 4.2.2.1 for DNS. My Nagios server was using these as well and has
> been throwing false positives since 5-8-2009.....
>
> Anyone else having problems?....

Works here.

However, we are downstream of Level 3 / as3356. I heard a rumor they
ACL'ed queries from sources outside their downstream cone.

--
TTFN,
patrick
4.2.2.x DNS? [ In reply to ]
I should clarify they work fine sometimes, so they are not down, but
flapping......


ChrisSerafin wrote:
> I have multiple clients and problems internally using 4.2.2.2 and
> 4.2.2.1 for DNS. My Nagios server was using these as well and has been
> throwing false positives since 5-8-2009.....
>
> Anyone else having problems?....
>
>
> --chris
4.2.2.x DNS? [ In reply to ]
I can report that the 4.2.2.x DNS servers have been unreliable and
almost unusable for a few days from one location I maintain. I'm
guessing they've grown tired of being the free-for-all recursive DNS
servers of choice.

Matt Whitted
Hosting Director

--
Pantek, Inc. - http://www.pantek.com/ - info at pantek.com
+1-877-LINUX-FIX - Expert Open Source Technical Support
2008 Inductee to the prestigious Weatherhead 100

Patrick W. Gilmore wrote:
> On May 11, 2009, at 2:48 PM, ChrisSerafin wrote:
>
>> I have multiple clients and problems internally using 4.2.2.2 and
>> 4.2.2.1 for DNS. My Nagios server was using these as well and has been
>> throwing false positives since 5-8-2009.....
>>
>> Anyone else having problems?....
>
> Works here.
>
> However, we are downstream of Level 3 / as3356. I heard a rumor they
> ACL'ed queries from sources outside their downstream cone.
>
4.2.2.x DNS? [ In reply to ]
On Mon, May 11, 2009 at 01:48:54PM -0500, ChrisSerafin wrote:
> I have multiple clients and problems internally using 4.2.2.2 and
> 4.2.2.1 for DNS. My Nagios server was using these as well and has been
> throwing false positives since 5-8-2009.....
>
> Anyone else having problems?....

I assume no one took the time to explain to you that using either
of the Level 3 public recursive nameservers for long-term use is
considered rude and can possibly get you blocked from using them?

Please consider running your own caching nameserver, use your uplink
provider's DNS servers, or both (caching nameserver + forwarders
feature).

Both 4.2.2.1 and 4.2.2.2 behave fine, tested from 4 different physical
locations (two regions in northern California, Arizona, and Virginia):

$ dig @4.2.2.1 a www.google.com.

; <<>> DiG 9.4.3-P2 <<>> @4.2.2.1 a www.google.com.
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60360
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.google.com. IN A

;; ANSWER SECTION:
www.google.com. 16742 IN CNAME www.l.google.com.
www.l.google.com. 21 IN A 74.125.155.147
www.l.google.com. 21 IN A 74.125.155.99
www.l.google.com. 21 IN A 74.125.155.103
www.l.google.com. 21 IN A 74.125.155.104

--
| Jeremy Chadwick jdc at parodius.com |
| Parodius Networking http://www.parodius.com/ |
| UNIX Systems Administrator Mountain View, CA, USA |
| Making life hard for others since 1977. PGP: 4BD6C0CB |
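
Added example, not part of the original thread or any poster's code: a monitoring check in the spirit of the dig test above. It separates a resolver that times out intermittently ("flapping") from one that is down, so one filtered resolver does not become a false alarm. The function names, the exit-code mapping and the 192.0.2.53 placeholder for a local caching resolver are assumptions.

```python
import secrets
import socket
import struct

def build_query(name, qid):
    """Encode a recursive (RD=1) A-record query for `name`."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def parse_header(reply, qid):
    """Return (rcode, answer_count); raise ValueError if this is not our reply."""
    if len(reply) < 12:
        raise ValueError("short reply")
    rid, flags, _qd, answers, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    if rid != qid or not flags & 0x8000:  # ID must match and QR bit must be set
        raise ValueError("not a response to our query")
    return flags & 0x000F, answers

def probe(resolver, name, timeout=2.0):
    """One UDP probe: 'ok', 'timeout' (down, filtered or ACL'ed) or 'error'."""
    qid = secrets.randbelow(0x10000)  # unpredictable query ID
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((resolver, 53))  # connected UDP: only this peer can reply
            s.send(build_query(name, qid))
            rcode, answers = parse_header(s.recv(512), qid)
        except socket.timeout:
            return "timeout"
        except (OSError, ValueError):
            return "error"
    return "ok" if rcode == 0 and answers > 0 else "error"

def classify(results):
    """Summarise repeated probes of one resolver as healthy, flapping or down."""
    good = results.count("ok")
    if results and good == len(results):
        return "healthy"
    return "flapping" if good else "down"

def nagios_status(per_resolver):
    """Map {resolver: [probe results]} to a (Nagios exit code, message) pair."""
    states = {r: classify(v) for r, v in sorted(per_resolver.items())}
    bad = [f"{r} {s}" for r, s in states.items() if s != "healthy"]
    if "healthy" not in states.values():
        return 2, "CRITICAL: no healthy resolver: " + ", ".join(bad)
    return (1, "WARNING: " + ", ".join(bad)) if bad else (0, "OK: all resolvers healthy")

# Constructed sample: 192.0.2.53 stands in for your own caching resolver.
SAMPLE = {"4.2.2.1": ["ok", "timeout", "ok"], "4.2.2.2": ["timeout"] * 3,
          "192.0.2.53": ["ok"] * 3}
```

In live use, fill the dictionary with several probe() results per resolver before calling nagios_status().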
4.2.2.x DNS? [ In reply to ]
I have also been told that Level 3 was starting to ACL these off, so if your
connections are load balanced to where the route to these servers is
sometimes via Level 3 and sometimes not, that could be your issue.

Also while these servers have been around for some time and are great to use
in a pinch or for testing, they are not officially supported servers and are
not what Level 3 would ever give a direct customer to use, so you should
generally avoid using them for anything production, especially without other
resolvers in your list.

-Scott

-----Original Message-----
From: outages-bounces@outages.org [mailto:outages-bounces@outages.org] On
Behalf Of ChrisSerafin
Sent: Monday, May 11, 2009 3:09 PM
To: outages at outages.org
Subject: Re: [outages] 4.2.2.x DNS?

I should clarify they work fine sometimes, so they are not down, but
flapping......


ChrisSerafin wrote:
> I have multiple clients and problems internally using 4.2.2.2 and
> 4.2.2.1 for DNS. My Nagios server was using these as well and has been
> throwing false positives since 5-8-2009.....
>
> Anyone else having problems?....
>
>
> --chris
4.2.2.x DNS? [ In reply to ]
Patrick W. Gilmore wrote:
> Works here.
>
> However, we are downstream of Level 3 / as3356. I heard a rumor they
> ACL'ed queries from sources outside their downstream cone.

Based on some (relatively unscientific) experimentation, this does
appear to be true. From sources that reach 4.2.2.1 via what appear to
be peering links (such as an XO / Level(3) interconnect) queries time
out, while sources that reach 4.2.2.1 via what appear to be transit
links have no problems with consistent resolution.

I can't really blame them, as a) open recursive DNS servers are rife for
DNS amplification abuse, and b) this must be an enormous resource
consumer for them. Probably a boon for OpenDNS and any others in the
open/semi-open resolver space.

Regards,
Tim

--
Tim Wilde, Senior Software Engineer, Team Cymru, Inc.
twilde at cymru.com | +1-630-230-5433 | http://www.team-cymru.org/
4.2.2.x DNS? [ In reply to ]
Tim Wilde wrote:
> Patrick W. Gilmore wrote:
>> Works here.
>>
>> However, we are downstream of Level 3 / as3356. I heard a rumor they
>> ACL'ed queries from sources outside their downstream cone.
>
> Based on some (relatively unscientific) experimentation, this does
> appear to be true. From sources that reach 4.2.2.1 via what appear to
> be peering links (such as an XO / Level(3) interconnect) queries time
> out, while sources that reach 4.2.2.1 via what appear to be transit
> links have no problems with consistent resolution.
>
> I can't really blame them, as a) open recursive DNS servers are rife for
> DNS amplification abuse, and b) this must be an enormous resource
> consumer for them. Probably a boon for OpenDNS and any others in the
> open/semi-open resolver space.
>

Just to throw some unscientific information in the mix, I can query them
from AS11170 downstream of Sprint (best path) and SAVVIS. Only did two
queries though, so it's not a good reliability test. ;)

~Seth
4.2.2.x DNS? [ In reply to ]
----- "Scott Berkman" <scott at sberkman.net> wrote:
> Also while these servers have been around for some time and are great
> to use in a pinch or for testing, they are not officially supported servers
> and are not what Level 3 would ever give a direct customer to use, so you
> should generally avoid using them for anything production, especially without
> other resolvers in your list.

Configuring anycast isn't the easiest thing to do; if they're *not*
"officially supported" even for L3 customers (which, happily, I am), then why
*do* they still operate them? Cause they have the coolest IP addresses on
the Internet?

Cheers,
-- jra
--
Jay R. Ashworth Baylink jra at baylink.com
Designer The Things I Think RFC 2100
Ashworth & Associates http://baylink.pitas.com '87 e24
St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274

Start a man a fire, and he'll be warm all night.
Set a man on fire, and he'll be warm for the rest of his life.
4.2.2.x DNS? [ In reply to ]
On Mon, May 11, 2009 at 03:55:18PM -0400, Jay R. Ashworth wrote:
> ----- "Scott Berkman" <scott at sberkman.net> wrote:
> > Also while these servers have been around for some time and are great
> > to use in a pinch or for testing, they are not officially supported servers
> > and are not what Level 3 would ever give a direct customer to use, so you
> > should generally avoid using them for anything production, especially without
> > other resolvers in your list.
>
> Configuring anycast isn't the easiest thing to do; if they're *not*
> "officially supported" even for L3 customers (which, happily, I am), then why
> *do* they still operate them? Cause they have the coolest IP addresses on
> the Internet?
>
> Cheers,
> -- jra
> --
> Jay R. Ashworth Baylink jra at baylink.com
> Designer The Things I Think RFC 2100
> Ashworth & Associates http://baylink.pitas.com '87 e24
> St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274
>
> Start a man a fire, and he'll be warm all night.
> Set a man on fire, and he'll be warm for the rest of his life.
4.2.2.x DNS? [ In reply to ]
Which is why everyone I know uses them, and they have to be the single
biggest self inflicted point of failure on the net!


Jay R. Ashworth wrote:
> ----- "Scott Berkman" <scott at sberkman.net> wrote:
>
>> Also while these servers have been around for some time and are great
>> to use in a pinch or for testing, they are not officially supported servers
>> and are not what Level 3 would ever give a direct customer to use, so you
>> should generally avoid using them for anything production, especially without
>> other resolvers in your list.
>>
>
> Configuring anycast isn't the easiest thing to do; if they're *not*
> "officially supported" even for L3 customers (which, happily, I am), then why
> *do* they still operate them? Cause they have the coolest IP addresses on
> the Internet?
>
> Cheers,
> -- jra
>
4.2.2.x DNS? [ In reply to ]
----- "ChrisSerafin" <chris at chrisserafin.com> wrote:
> > Cause they have the coolest IP addresses on the Internet?

> Which is why everyone I know uses them, and they have to be the single
> biggest self inflicted point of failure on the net!

Well, nowhere is it written that you can't anycast those particular 6 IPs to
*your own* network's resolver servers, is it now? :-)

Cheers,
-- jr 'yeah, I know it's evil, but it's a special case' a
--
Jay R. Ashworth Baylink jra at baylink.com
Designer The Things I Think RFC 2100
Ashworth & Associates http://baylink.pitas.com '87 e24
St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274

Start a man a fire, and he'll be warm all night.
Set a man on fire, and he'll be warm for the rest of his life.
4.2.2.x DNS? [ In reply to ]
On May 11, 2009, at 4:36 PM, ChrisSerafin wrote:

> Which is why everyone I know uses them, and they have to be the
> single biggest self inflicted point of failure on the net!

If by 'self inflicted' you mean "I used their resources without asking
or permission, and now they took those resources away making me fail",
then we agree.

BTW, setting up anycast NSes is trivial. And Jay knows this. :)

--
TTFN,
patrick



> Jay R. Ashworth wrote:
>> ----- "Scott Berkman" <scott at sberkman.net> wrote:
>>
>>> Also while these servers have been around for some time and are
>>> great
>>> to use in a pinch or for testing, they are not officially
>>> supported servers
>>> and are not what Level 3 would ever give a direct customer to use,
>>> so you
>>> should generally avoid using them for anything production,
>>> especially without
>>> other resolvers in your list.
>>>
>>
>> Configuring anycast isn't the easiest thing to do; if they're *not*
>> "officially supported" even for L3 customers (which, happily, I
>> am), then why
>> *do* they still operate them? Cause they have the coolest IP
>> addresses on the Internet?
>>
>> Cheers,
>> -- jra
>>
4.2.2.x DNS? [ In reply to ]
On May 11, 2009, at 4:49 PM, Jay R. Ashworth wrote:
> ----- "ChrisSerafin" <chris at chrisserafin.com> wrote:
>>> Cause they have the coolest IP addresses on the Internet?
>
>> Which is why everyone I know uses them, and they have to be the
>> single
>> biggest self inflicted point of failure on the net!
>
> Well, nowhere is it written that you can't anycast those particular
> 6 IPs to
> *your own* network's resolver servers, is it now? :-)

I don't know, isn't it written somewhere "thou shalt not use my IP
space for your own equipment"?


> -- jr 'yeah, I know it's evil, but it's a special case' a

I'm sure everyone who does something evil thinks that. :)

--
TTFN,
patrick
4.2.2.x DNS? [ In reply to ]
On Mon, 11 May 2009 15:36:40 CDT, ChrisSerafin said:
> Which is why everyone I know uses them, and they have to be the single
> biggest self inflicted point of failure on the net!

L3 took a hint from Randy Bush and encourages their competitors to....

No, it's just too easy, like shooting fish in a barrel. ;)