Send sanog mailing list submissions to
	sanog@sanog.org

To subscribe or unsubscribe via the World Wide Web, visit
	https://lists.sanog.org/mailman/listinfo/sanog
or, via email, send a message with subject or body 'help' to
	sanog-requ...@sanog.org

You can reach the person managing the list at
	sanog-ow...@sanog.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of sanog digest..."

Today's Topics:

   1. Fwd: Bad firewall/nameserver behaviour causing timeouts of DNS
      queries. (Suresh Ramasubramanian)

----------------------------------------------------------------------

Message: 1
Date: Wed, 22 Jun 2016 12:03:25 +0530
From: Suresh Ramasubramanian <sur...@hserus.net>
To: "mail=sanog@sanog. org" <sanog@sanog.org>
Subject: [SANOG] Fwd: Bad firewall/nameserver behaviour causing timeouts of DNS queries.
Message-ID: <1a4046de-0a53-48a9-bc61-945a1b69d...@hserus.net>
Content-Type: text/plain; charset=us-ascii

Quite a few APAC-based DNS servers here, including several in India.

> Begin forwarded message:
>
> From: Mark Andrews <ma...@isc.org>
> Subject: Bad firewall/nameserver behaviour causing timeouts of DNS queries.
> Date: 22 June 2016 at 11:47:57 AM IST
> To: na...@nanog.org
>
>
> The following nameservers for Alexa top 1M names fail to respond
> to EDNS queries with EDNS options specified or fail to respond to
> consecutive EDNS queries. These have been run through the checks
> multiple times to reduce the probability of false positives as
> timeouts can be due to multiple causes.
>
> For many there are other errors that should also be addressed.
>
> This misbehaviour can cause DNSSEC validation to FAIL when the
> servers serve signed zones.
>
> This misbehaviour does result in significantly slower DNS resolution
> (multiple seconds).
>
> You can test your servers at https://ednscomp.isc.org/
>
> This is sent here because both SOA and whois contact details are
> wrong too often to bother trying to send to these addresses even
> if whois was easy to parse.
>
> Please fix your firewalls / nameservers as they are causing operational
> problems.
>
> Mark
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
>
> ------- End of Forwarded Message

------------------------------

_______________________________________________
sanog mailing list
sanog@sanog.org
https://lists.sanog.org/mailman/listinfo/sanog

End of sanog Digest, Vol 53, Issue 2
************************************
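
The check described in the forwarded message, as an added example that is not part of the original e-mail or of ISC's test tooling: it builds a DNS query whose EDNS OPT record carries one option and classifies the reply, or the absence of one. The option code 100, the function names and the sample replies are assumptions constructed for illustration.

```python
import struct

UNKNOWN_OPT = 100  # assumption: an EDNS option code the server does not implement

def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qid=0x1234, opt_code=UNKNOWN_OPT):
    """SOA query carrying an EDNS(0) OPT record with one empty option."""
    header = struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 1)      # QDCOUNT=1, ARCOUNT=1
    question = encode_name(name) + struct.pack("!HH", 6, 1)  # QTYPE SOA, QCLASS IN
    rdata = struct.pack("!HH", opt_code, 0)                  # option code, length 0
    # OPT RR: root owner, TYPE 41, CLASS = UDP payload size, TTL = ext-rcode/version/flags
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0, len(rdata))
    return header + question + opt + rdata

def skip_name(msg, off):
    while msg[off] and msg[off] < 0xC0:      # ordinary labels
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)      # compression pointer = 2 bytes, root = 1

def classify(reply, opt_code=UNKNOWN_OPT):
    """Return 'timeout', 'rcode=N' (low 4 bits), 'no-opt', 'echoed' or 'ok'."""
    if reply is None:
        return "timeout"                     # the failure the message reports
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", reply[:12])
    if flags & 0xF:
        return f"rcode={flags & 0xF}"        # e.g. FORMERR instead of ignoring the option
    off = 12
    for _ in range(qd):
        off = skip_name(reply, off) + 4      # QTYPE + QCLASS
    has_opt = echoed = False
    for _ in range(an + ns + ar):
        off = skip_name(reply, off)
        rtype, rdlen = struct.unpack("!H6xH", reply[off:off + 10])
        rdata, off = reply[off + 10:off + 10 + rdlen], off + 10 + rdlen
        has_opt |= rtype == 41
        while rtype == 41 and len(rdata) >= 4:   # walk the option list
            code, olen = struct.unpack("!HH", rdata[:4])
            echoed |= code == opt_code
            rdata = rdata[4 + olen:]
    if not has_opt:
        return "no-opt"                      # server answered but dropped EDNS
    return "echoed" if echoed else "ok"      # unknown options must be ignored, not echoed

def constructed_reply(query, echo):
    """Constructed sample reply (not captured traffic): the query with QR and AA set."""
    reply = query[:2] + b"\x84\x00" + query[4:]
    return reply if echo else reply[:-6] + b"\x00\x00"   # compliant: empty OPT RDATA
```

Pass `classify` the datagram received from a nameserver you operate, or `None` when the query went unanswered; `ok` is the only compliant outcome.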