Re: Hell breaks loose in the afternoon with format error from X.X.X.X#53 resolving ./NS: non-improving referral

2022-05-06 Thread Reindl Harald
On 06.05.22 at 12:24, Ted Mittelstaedt wrote:
> On 5/6/2022 12:45 AM, Reindl Harald wrote:
>> in the past our CISCO ISP router with "DNS ALG" even rewrote zone transfers and invented a zero TTL for each and every CNAME it saw
> Probably doing that to retaliate for dynamic DNS providers

Re: Hell breaks loose in the afternoon with format error from X.X.X.X#53 resolving ./NS: non-improving referral

2022-05-06 Thread Ondřej Surý
> On 6. 5. 2022, at 12:24, Ted Mittelstaedt wrote:
>
> You got caught in the crossfire of that particular war.

Nah, it was just crappy implementation and somebody at Cisco not understanding the RFC. I remember that - at my previous job we had a ticket opened with them about this particular

Re: Hell breaks loose in the afternoon with format error from X.X.X.X#53 resolving ./NS: non-improving referral

2022-05-06 Thread Ted Mittelstaedt
On 5/6/2022 12:45 AM, Reindl Harald wrote:
> in the past our CISCO ISP router with "DNS ALG" even rewrote zone transfers and invented a zero TTL for each and every CNAME it saw

Probably doing that to retaliate for dynamic DNS providers abusing DNS and people abusing dynamic DNS

Re: Hell breaks loose in the afternoon with format error from X.X.X.X#53 resolving ./NS: non-improving referral

2022-05-06 Thread Ted Mittelstaedt
On 5/5/2022 11:19 PM, Bjørn Mork wrote:
> Mark Andrews writes:
> How about configuring forwarder(s) if you have to operate a resolver in such an environment? Hoping that the answer from the intercepting server isn't too different from what you'd expect from a forwarder.

In my environment,

Re: Hell breaks loose in the afternoon with format error from X.X.X.X#53 resolving ./NS: non-improving referral

2022-05-06 Thread Reindl Harald
On 06.05.22 at 08:19, Bjørn Mork wrote:
> Mark Andrews writes:
>> It’s a long known issue with so called “Transparent” DNS proxies/accelerators/firewalls. Iterative resolvers expect to talk to authoritative servers. They ask questions differently to the way they do when they talk to a

Re: Hell breaks loose in the afternoon with format error from X.X.X.X#53 resolving ./NS: non-improving referral

2022-05-06 Thread Ondřej Surý
> On 6. 5. 2022, at 8:19, Bjørn Mork wrote:
>
> How about configuring forwarder(s) if you have to operate a resolver in
> such an environment? Hoping that the answer from the intercepting
> server isn't too different from what you'd expect from a forwarder.

I would personally go with VPN as a

Re: Hell breaks loose in the afternoon with format error from X.X.X.X#53 resolving ./NS: non-improving referral

2022-05-06 Thread Bjørn Mork
Mark Andrews writes:
> It’s a long known issue with so called “Transparent” DNS
> proxies/accelerators/firewalls. Iterative resolvers expect to talk to
> authoritative servers. They ask questions differently to the way they
> do when they talk to a recursive server. Answers from different

Re: Hell breaks loose in the afternoon with format error from X.X.X.X#53 resolving ./NS: non-improving referral

2022-05-05 Thread Mark Andrews
It’s a long known issue with so called “Transparent” DNS proxies/accelerators/firewalls. Iterative resolvers expect to talk to authoritative servers. They ask questions differently to the way they do when they talk to a recursive server. Answers from different levels of the DNS hierarchy

Hell breaks loose in the afternoon with format error from X.X.X.X#53 resolving ./NS: non-improving referral

2022-05-05 Thread Ted Mittelstaedt
Thought I would document this in case anyone else gets bit by it. I have several nameservers and other servers on a Comcast copper connection (cable internet) in the office using a Technicolor Business Router CGA4131COM modem. This is Comcast's de-facto standard modem as of 2022 for