Re: Curious Cloudflare DNS behavior

2020-05-31 Thread Joe Greco
On Sun, May 31, 2020 at 10:07:41AM -0600, Keith Medcalf wrote:
> On Saturday, 30 May, 2020 13:18, Joe Greco  wrote:
> 
> >The Internet didn't evolve in the way its designers expected.  Early
> >mistakes and errors required terrible remediation.  As an example, look
> >at the difficulty involved in running a service like e-mail or DNS.
> >E-mail requires all sorts of things to interoperate well, including SPF,
> >DKIM, SSL, DNSBL's, etc., etc., and it is a complicated service to run
> >self-hosted.  DNS is only somewhat better, with the complexity of DNSSEC
> >and other recent developments making for more difficulties in maintaining
> >self-hosted services.
> 
> I've been running my own DNS and e-mail for more than a quarter century.
> Contrary to your proposition it hasn't gotten much more complicated over
> that time.

Really?  Because nowadays, there's all this extra crap that didn't used
to exist. 

From my perspective, it's gone from "configure Sendmail on your Sun
workstation and compile Elm (back in the '80's)" to something a lot more
complicated.

Now you need to sign your mail with DKIM, have SPF records, and even if
you cross all the T's and dot all the I's, you can expect your mail to be
rejected at some major mail sites because the LACK of a consistent high
volume of mail being sent by your site is actually scored against you. 
On the inbound side, you now need to be filtering your mail with 
Spamassassin and DNSBL's, and also virus scanners because it's likely
some of your users won't be.  You need to support both IMAP _and_ webmail
if you want to be able to support users, because we are now in that
"post-PC" era where people expect to be able to sit down at an arbitrary
PC and have an experience on par with that of any of the mail service
providers.

I've watched in dismay as many technically competent sysadmins, and even
whole service providers, have given up and outsourced e-mail, because
it is so difficult to do well.  Even Apple finally ditched their
OSX Server product's email services, which had for years been one of
my best examples of "it's still possible to run this yourself."

If this is your idea of "hasn't gotten much more complicated", I salute
your technical prowess.  It's not that I want this to be the status quo,
but I'm also not so blind as to deny what is going on.  :-(

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"The strain of anti-intellectualism has been a constant thread winding its way
through our political and cultural life, nurtured by the false notion that
democracy means that 'my ignorance is just as good as your knowledge.'"-Asimov


RE: Curious Cloudflare DNS behavior

2020-05-31 Thread Keith Medcalf
On Saturday, 30 May, 2020 13:18, Joe Greco  wrote:

>The Internet didn't evolve in the way its designers expected.  Early
>mistakes and errors required terrible remediation.  As an example, look
>at the difficulty involved in running a service like e-mail or DNS.
>E-mail requires all sorts of things to interoperate well, including SPF,
>DKIM, SSL, DNSBL's, etc., etc., and it is a complicated service to run
>self-hosted.  DNS is only somewhat better, with the complexity of DNSSEC
>and other recent developments making for more difficulties in maintaining
>self-hosted services.

I've been running my own DNS and e-mail for more than a quarter century.
Contrary to your proposition it hasn't gotten much more complicated over
that time.

--
The fact that there's a Highway to Hell but only a Stairway to Heaven
says a lot about anticipated traffic volume.


Re: Curious Cloudflare DNS behavior

2020-05-30 Thread John Sage

On 5/30/20 11:58 AM, Saku Ytti wrote:


> On Sat, 30 May 2020 at 21:55, Constantine A. Murenin  wrote:
>
>> When you're not paying for service, you're not the customer, you're the product.
>>
>> I don't understand why anyone, especially anyone frequenting NANOG, would use
>> Cloudflare for their DNS.

[promised myself I wouldn't get pulled off into any smoldering flamewars]

[oh well. fools rush in   ]

Actually I used to run a caching-only nameserver using bind, as well as 
my own email server using sendmail, behind an ipchains/iptables firewall 
on a Linux box that was also running snort.


This would have been about (counts fingers; toes) maybe 1998-99.

So I have done this for myself, thank-you-very-much.

Times are a little more complicated now and I've come to want my own 
personal life to be a little simpler, again, thank-you-very-much.


Then (or finally) not to be pedantic, but I did open with:

>> FULL DISCLOSURE: this is an end-user issue, but one that might have
>>some operational relevance, particularly if anyone from Cloudflare DNS
>>is on the list

"End-user"

No one should say they weren't warned.

#EOF


- John
--
John Sage
FinchHaven Digital Photography
Box 2541, Vashon, WA 98070
Email: js...@finchhaven.com
Web: https://finchhaven.smugmug.com/
Old web: http://www.finchhaven.com/
Cell: 206.595.3604



Re: Curious Cloudflare DNS behavior

2020-05-30 Thread Rubens Kuhl
>
>
>
> Outsourcing stuff like DNS is just a continuation of the trend of sending
> your workloads onto someone else's cloud.  It seems easy -- right up until
> it isn't working the way you want it to.
>
>
Outsourcing DNS recursion isn't a good trade-off IMHO, but outsourcing
threat blocking via DNS is. So, my preferred recursive DNS setup is:
- Caching recursive server on ISP's premises
- Unbound or Knot Resolver based
- Root zone authoritatives to increase both privacy and performance
- Recursion done only for CDN zones (1e100.net, akadns.net etc.) in order
to get the best CDN performance for the access customers
- Forwarding of all non-CDN traffic to security-focused DNS recursives like
Umbrella, Cloudflare, Norton, Quad-9 etc.
- IGP-based anycast

This is also flexible enough to deal with DNSSEC signature expiration, AA
missing on authoritative responses etc., either by configuration on the
recursives themselves or by forwarding specific domains to specific outside
recursives.

Maintaining it requires work, it's not a plug and forget solution; but it
provides a good balance of performance, security and operational
flexibility.


Rubens


Re: Curious Cloudflare DNS behavior

2020-05-30 Thread Joe Greco
On Sat, May 30, 2020 at 01:52:58PM -0500, Constantine A. Murenin wrote:
> When you're not paying for service, you're not the customer, you're the
> product.

A pleasantly misleading statement.  Most easily observed in that there are
many cases where there is multiple monetization.  You may be your broadband
provider's customer, but it's likely they're still selling you in other
ways.  On the flip side, some of us provide free services with no ulterior
motive.  Go figure.

> I don't understand why anyone, especially anyone frequenting NANOG, would
> use Cloudflare for their DNS.

The early '90's called and said you're missing (don't worry, they said
it about me too).  :-)  ;-)

The Internet didn't evolve in the way its designers expected.  Early 
mistakes and errors required terrible remediation.  As an example, look
at the difficulty involved in running a service like e-mail or DNS.
E-mail requires all sorts of things to interoperate well, including SPF,
DKIM, SSL, DNSBL's, etc., etc., and it is a complicated service to run
self-hosted.  DNS is only somewhat better, with the complexity of DNSSEC
and other recent developments making for more difficulties in maintaining
self-hosted services.

Some people want basic services that "just work" without having to put
any effort into them.  That isn't limited to non-technical users.

Outsourcing stuff like DNS is just a continuation of the trend of sending
your workloads onto someone else's cloud.  It seems easy -- right up until
it isn't working the way you want it to.

But for most people, even those frequenting NANOG, maybe they just don't
want to go set up their own recursion nameservice.  I'm not saying I
agree with that strategy, but at least it's understandable.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"The strain of anti-intellectualism has been a constant thread winding its way
through our political and cultural life, nurtured by the false notion that
democracy means that 'my ignorance is just as good as your knowledge.'"-Asimov


Re: Curious Cloudflare DNS behavior

2020-05-30 Thread Ryan Hamel
Hey Constantine,

John came in with a technical issue. If you have nothing worthy to say about it 
specifically, it's best to keep quiet.
Thanks!
Ryan
On May 30 2020, at 11:52 am, Constantine A. Murenin  wrote:
> When you're not paying for service, you're not the customer, you're the 
> product.
>
> I don't understand why anyone, especially anyone frequenting NANOG, would use 
> Cloudflare for their DNS.
>
> Cloudflare runs a racket business, and their whole business model depends on 
> them being a monopoly; plus people buying into the vapourware that they 
> offer. When have monopolies been good for any industry? There's plenty of 
> evidence of Cloudflare 1.1.1.1 not working correctly; I'm sure one of their 
> employees (or the CTO!) will show up shortly to say otherwise!
>
> C.
> On Fri, 29 May 2020 at 12:31, John Sage (mailto:js...@finchhaven.com) wrote:
> > FULL DISCLOSURE: this is an end-user issue, but one that might have some
> > operational relevance, particularly if anyone from Cloudflare DNS is on
> > the list
> >
> > EXECUTIVE SUMMARY: twice in six weeks Cloudflare DNS on my new Netgear
> > Orbi cable modem/mesh WiFi hotspot has completely lost track of one (and
> > only one that I know of) prominent US domain: usbank dot com
> >
> > Internet provider: Comcast/Xfinity "Extreme Pro+"
> > Dynamic IP address via Comcast that hasn't changed in six-seven years
> > New Netgear Orbi cable modem, configured with DNS through Cloudflare
> > (1.1.1.1 and 1.0.0.1)
> >
> > Again, twice in 6 weeks Cloudflare DNS seems to lose complete track of
> > usbank dot com as a domain
> >
> > Symptoms: Firefox on Ubuntu Linux returns that little puzzled dinosaur
> > cartoon thing and "We can't seem to find this website right now"
> >
> > BUT ALSO:
> > Each one of ping, traceroute, dig and host returns
> > Host usbank . com not found: 2(SERVFAIL)
> > or some variant thereof
> > Everything else works "just fine" as the saying goes
> > And the Cloudflare DNS drop lasted for days the first time around
> > I can switch over to Google DNS (8.8.8.8 and 8.4.4.8) in the Orbi and
> > immediately fix the problem
> >
> > So. Seems odd that Cloudflare DNS would apparently lose complete track
> > of a major US domain name like usbank dot com
> >
> > Or am I missing something?
> >
> > - John
> > --
> > John Sage
> > FinchHaven Digital Photography
> > Email: js...@finchhaven.com (mailto:js...@finchhaven.com)
> > Web: https://finchhaven.smugmug.com/
> > Old web: http://www.finchhaven.com/
>
>
>



Re: Curious Cloudflare DNS behavior

2020-05-30 Thread Saku Ytti

On Sat, 30 May 2020 at 21:55, Constantine A. Murenin  wrote:
>
> When you're not paying for service, you're not the customer, you're the 
> product.
>
> I don't understand why anyone, especially anyone frequenting NANOG, would use 
> Cloudflare for their DNS.
>
> Cloudflare runs a racket business, and their whole business model depends on 
> them being a monopoly; plus people buying into the vapourware that they 
> offer.  When have monopolies been good for any industry?  There's plenty of 
> evidence of Cloudflare 1.1.1.1 not working correctly; I'm sure one of their 
> employees (or the CTO!) will show up shortly to say otherwise!
>
> C.
>
> On Fri, 29 May 2020 at 12:31, John Sage  wrote:
>>
>> FULL DISCLOSURE: this is an end-user issue, but one that might have some
>> operational relevance, particularly if anyone from Cloudflare DNS is on
>> the list
>>
>> EXECUTIVE SUMMARY: twice in six weeks Cloudflare DNS on my new Netgear
>> Orbi cable modem/mesh WiFi hotspot has completely lost track of one (and
>> only one that I know of) prominent US domain: usbank dot com
>>
>> Internet provider: Comcast/Xfinity "Extreme Pro+"
>>
>> Dynamic IP address via Comcast that hasn't changed in six-seven years
>>
>> New Netgear Orbi cable modem, configured with DNS through Cloudflare
>> (1.1.1.1 and 1.0.0.1)
>>
>> Again, twice in 6 weeks Cloudflare DNS seems to lose complete track of
>> usbank dot com as a domain
>>
>> Symptoms: Firefox on Ubuntu Linux returns that little puzzled dinosaur
>> cartoon thing and "We can't seem to find this website right now"
>>
>> BUT ALSO:
>>
>> Each one of ping, traceroute, dig and host returns
>>
>> Host usbank . com not found: 2(SERVFAIL)
>>
>> or some variant thereof
>>
>> Everything else works "just fine" as the saying goes
>>
>> And the Cloudflare DNS drop lasted for days the first time around
>>
>> I can switch over to Google DNS (8.8.8.8 and 8.4.4.8) in the Orbi and
>> immediately fix the problem
>>
>> So. Seems odd that Cloudflare DNS would apparently lose complete track
>> of a major US domain name like usbank dot com
>>
>> Or am I missing something?
>>
>>
>> - John
>> --
>> John Sage
>> FinchHaven Digital Photography
>> Email: js...@finchhaven.com
>> Web: https://finchhaven.smugmug.com/
>> Old web: http://www.finchhaven.com/
>>
>>
>


-- 
  ++ytti


Re: Curious Cloudflare DNS behavior

2020-05-30 Thread Constantine A. Murenin
When you're not paying for service, you're not the customer, you're the
product.

I don't understand why anyone, especially anyone frequenting NANOG, would
use Cloudflare for their DNS.

Cloudflare runs a racket business, and their whole business model depends
on them being a monopoly; plus people buying into the vapourware that they
offer.  When have monopolies been good for any industry?  There's plenty of
evidence of Cloudflare 1.1.1.1 not working correctly; I'm sure one of their
employees (or the CTO!) will show up shortly to say otherwise!

C.

On Fri, 29 May 2020 at 12:31, John Sage  wrote:

> FULL DISCLOSURE: this is an end-user issue, but one that might have some
> operational relevance, particularly if anyone from Cloudflare DNS is on
> the list
>
> EXECUTIVE SUMMARY: twice in six weeks Cloudflare DNS on my new Netgear
> Orbi cable modem/mesh WiFi hotspot has completely lost track of one (and
> only one that I know of) prominent US domain: usbank dot com
>
> Internet provider: Comcast/Xfinity "Extreme Pro+"
>
> Dynamic IP address via Comcast that hasn't changed in six-seven years
>
> New Netgear Orbi cable modem, configured with DNS through Cloudflare
> (1.1.1.1 and 1.0.0.1)
>
> Again, twice in 6 weeks Cloudflare DNS seems to lose complete track of
> usbank dot com as a domain
>
> Symptoms: Firefox on Ubuntu Linux returns that little puzzled dinosaur
> cartoon thing and "We can't seem to find this website right now"
>
> BUT ALSO:
>
> Each one of ping, traceroute, dig and host returns
>
> Host usbank . com not found: 2(SERVFAIL)
>
> or some variant thereof
>
> Everything else works "just fine" as the saying goes
>
> And the Cloudflare DNS drop lasted for days the first time around
>
> I can switch over to Google DNS (8.8.8.8 and 8.4.4.8) in the Orbi and
> immediately fix the problem
>
> So. Seems odd that Cloudflare DNS would apparently lose complete track
> of a major US domain name like usbank dot com
>
> Or am I missing something?
>
>
> - John
> --
> John Sage
> FinchHaven Digital Photography
> Email: js...@finchhaven.com
> Web: https://finchhaven.smugmug.com/
> Old web: http://www.finchhaven.com/
>
>
>


Re: Curious Cloudflare DNS behavior

2020-05-30 Thread Mark Milhollan

On Fri, 29 May 2020, John Sage wrote:

> Each one of ping, traceroute, dig and host returns
>
> Host usbank . com not found: 2(SERVFAIL)


Could be a DNSSEC issue.  When it happens check  or 
 to see if that's the case.


--
Mark Milhollan
+1-805-901-4009


Re: Curious Cloudflare DNS behavior

2020-05-29 Thread Havard Eidnes via NANOG
> Again, twice in 6 weeks Cloudflare DNS seems to loose complete
> track of usbank dot com as a domain.

All the name servers for that domain are placed in that same
domain.  That in itself perhaps isn't a problem.  However, they
also all have IPv4 addresses (no IPv6 in sight) in the same /16
which is routed as a single entity in the global routing table.
Thus, if that network should fall off the net from Cloudflare's
(or any other recursive resolver operator's) perspective for some
reason or other, the names in that domain will all be
unresolvable, and a recursive resolver which is unable to reach
any of the publishing name servers will return SERVFAIL.

Regards,

- Håvard
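The failure mode Håvard describes (every name server in-bailiwick, every address in one routed prefix, no IPv6) can be checked for any zone once you have its NS names and their A/AAAA addresses. The script below is an added example, not code from the thread; the zone names and addresses are constructed sample data, and the /16 and /32 grouping is the post's own unit of "one routed entity", not a lookup of real BGP announcements.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class NsReport:
    zone: str
    in_bailiwick: list = field(default_factory=list)  # NS names inside the zone itself
    v4_prefixes: set = field(default_factory=set)     # distinct IPv4 prefixes (default /16)
    v6_prefixes: set = field(default_factory=set)     # distinct IPv6 prefixes (default /32)
    findings: list = field(default_factory=list)


def _is_subdomain(name, zone):
    name, zone = name.rstrip(".").lower(), zone.rstrip(".").lower()
    return name == zone or name.endswith("." + zone)


def ns_diversity(zone, ns_addrs, v4_len=16, v6_len=32):
    """ns_addrs: {NS hostname: [address strings]}, as you would collect from the
    zone's NS records plus A/AAAA lookups of each name server."""
    rep = NsReport(zone)
    for ns, addrs in ns_addrs.items():
        if _is_subdomain(ns, zone):
            rep.in_bailiwick.append(ns)
        for a in addrs:
            ip = ipaddress.ip_address(a)
            plen = v4_len if ip.version == 4 else v6_len
            bucket = rep.v4_prefixes if ip.version == 4 else rep.v6_prefixes
            bucket.add(ipaddress.ip_network(f"{ip}/{plen}", strict=False))
    if rep.in_bailiwick and len(rep.in_bailiwick) == len(ns_addrs):
        rep.findings.append("all NS names are in-bailiwick: resolution depends on parent glue")
    if not rep.v6_prefixes:
        rep.findings.append("no IPv6 address on any NS")
    if len(rep.v4_prefixes) == 1:
        rep.findings.append("every IPv4 NS address sits in one prefix: one routing "
                            "failure makes the zone unreachable, resolvers answer SERVFAIL")
    return rep


# Constructed sample data (not real records). The first set mirrors the shape the
# post describes; the second spreads the servers across operators and prefixes.
SAMPLE_FRAGILE = {
    "ns1.example-bank.test.": ["203.0.113.10"],
    "ns2.example-bank.test.": ["203.0.113.20"],
    "ns3.example-bank.test.": ["203.0.113.30"],
}
SAMPLE_ROBUST = {
    "ns1.example-bank.test.": ["203.0.113.10", "2001:db8:1::10"],
    "ns2.dns-provider.test.": ["198.51.100.20", "2001:db8:2::20"],
}

if __name__ == "__main__":
    for name, data in (("fragile", SAMPLE_FRAGILE), ("robust", SAMPLE_ROBUST)):
        print(name, ns_diversity("example-bank.test", data).findings)
```

A zone with no findings can still go dark for other reasons (expired DNSSEC signatures, as Mark suggests checking), so this is a structural check, not a liveness probe.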