[dns-operations] Contact at s3.com.co

2021-07-09 Thread Frank Louwers
Hi,

If anyone has a (DNS) contact at s3.com.co, could you 
either pass me the contact details, or ask them to update their glue records at 
.co please?

dig A dns1.s3.com.co @ns1.cctld.co

...

;; AUTHORITY SECTION:
s3.com.co.        7200  IN  NS  dns1.s3.com.co.
s3.com.co.        7200  IN  NS  dns.s3.com.co.

;; ADDITIONAL SECTION:
dns1.s3.com.co.   7200  IN  A   190.184.203.34
dns.s3.com.co.    7200  IN  A   190.254.5.243


The 190.184.203.34 ip address doesn't respond and doesn't seem valid.

When I query the dns.s3.com.co server for an A record 
of dns1.s3.com.co, I get a different ip address: 
190.184.202.198.

Thanks!

Kind Regards,

Frank Louwers
___
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
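
The glue comparison described in the message above, as an added example that is not part of the original post: it parses the parent-side referral and compares each glue address with what the zone's own server returns. The function names and status labels are assumptions; the records are constructed from the values quoted in the message.

```python
import re

# Parent-side referral from ns1.cctld.co, constructed from the dig output above.
PARENT_REFERRAL = """\
;; AUTHORITY SECTION:
s3.com.co.        7200  IN  NS  dns1.s3.com.co.
s3.com.co.        7200  IN  NS  dns.s3.com.co.

;; ADDITIONAL SECTION:
dns1.s3.com.co.   7200  IN  A   190.184.203.34
dns.s3.com.co.    7200  IN  A   190.254.5.243
"""

# Child-side answer reported in the message (asked of dns.s3.com.co). The message
# gives no child-side answer for dns.s3.com.co itself, so none is assumed here.
CHILD_ANSWERS = {"dns1.s3.com.co.": {"190.184.202.198"}}

RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(NS|A|AAAA)\s+(\S+)$")


def parse_referral(text):
    """Return (set of NS target names, {owner name: set of glue addresses})."""
    ns_names, glue = set(), {}
    for line in text.splitlines():
        m = RR.match(line.strip())
        if not m:
            continue  # section headers, comments and blank lines
        owner, _ttl, rtype, rdata = m.groups()
        if rtype == "NS":
            ns_names.add(rdata.lower())
        else:
            glue.setdefault(owner.lower(), set()).add(rdata)
    return ns_names, glue


def compare_glue(referral_text, child_answers):
    """Classify each delegated name server by parent glue vs. child data."""
    ns_names, glue = parse_referral(referral_text)
    report = {}
    for ns in sorted(ns_names):
        parent, child = glue.get(ns, set()), child_answers.get(ns)
        if not parent:
            status = "no-glue"
        elif child is None:
            status = "unchecked"  # nothing to compare against
        else:
            status = "consistent" if parent == child else "mismatch"
        report[ns] = (status, sorted(parent), sorted(child or []))
    return report


if __name__ == "__main__":
    for name, result in compare_glue(PARENT_REFERRAL, CHILD_ANSWERS).items():
        print(name, result)
```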


Re: [dns-operations] cheap traffic measure for a small set of zones

2021-03-26 Thread Frank Louwers
As an alternative, you might look at dnsdist: a simple (but powerful) open 
source dns proxy which could pass all queries to your bind setup, but provide 
you with the metrics you need.

https://dnsdist.org

Frank



> On 26 Mar 2021, at 07:44, Antonio Prado via dns-operations wrote:
> 
> 
> From: Antonio Prado 
> Subject: Re: [dns-operations] cheap traffic measure for a small set of zones
> Date: 26 March 2021 at 07:44:39 CET
> To: Randy Bush 
> Cc: DNS Operations 
> 
> 
> On 3/26/21 5:20 AM, Randy Bush wrote:
>>> is there a simple tool to run on a server to measure query and data
>>> rates for a small set of zones?
>>> 
>>> 
>> bingo!  thanks.
> 
> hi,
> 
> dnstop does not support TCP at this time
> 
> --
> antonio
> 
> 


[dns-operations] Looking for contact at integraonline.com / allstream.net

2021-03-24 Thread Frank Louwers
Hi,

I am looking for a DNS contact at integraonline.com / allstream.net. I tried 
hostmas...@integraonline.com, but haven't received any replies yet.

Problem is as follows:

It replies with the correct aa=1 bit when dnssec is enabled.

❯ dig ns2.business.allstream.net @ns.integraonline.com. +norec | grep flags
;; flags: qr ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
; EDNS: version: 0, flags:; udp: 4096

vs

❯ dig ns2.business.allstream.net @ns.integraonline.com. +norec +dnssec | grep flags
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
; EDNS: version: 0, flags:; udp: 4096

If anyone can forward this message or get me in touch with them, please do so. 
I am aware of at least one DNS resolver (PowerDNS) which refuses to accept 
these RFC-violating answers. A customer of mine operates a resolving DNS 
network with a large customer base in Canada, so they are impacted by this.

Kind Regards,

Frank
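
The difference between the two responses above sits in one bit of the DNS header. As an added example that is not part of the original message, the block below decodes that header and applies a hypothetical resolver-side policy (`classify_auth_response` and its labels are assumptions, not any resolver's actual code); the header bytes are constructed to mirror the flags and counts in the dig output.

```python
import struct

# Flag masks in the second 16-bit word of the DNS header (RFC 1035, section 4.1.1;
# AD and CD come from RFC 4035).
FLAG_BITS = {"qr": 0x8000, "aa": 0x0400, "tc": 0x0200, "rd": 0x0100,
             "ra": 0x0080, "ad": 0x0020, "cd": 0x0010}


def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header."""
    if len(msg) < 12:
        raise ValueError("a DNS message starts with a 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {
        "id": ident,
        "flags": [name for name, bit in FLAG_BITS.items() if flags & bit],
        "rcode": flags & 0x000F,
        "counts": (qd, an, ns, ar),
    }


def classify_auth_response(msg: bytes) -> str:
    """Hypothetical policy for a reply from a server queried as authoritative."""
    hdr = parse_header(msg)
    if "qr" not in hdr["flags"]:
        return "not-a-response"
    if hdr["rcode"] != 0:
        return "error-rcode"
    answers = hdr["counts"][1]
    if answers > 0 and "aa" not in hdr["flags"]:
        return "answer-without-aa"  # data present but not claimed as authoritative
    return "ok"


# Constructed headers mirroring the two dig outputs (ID 0x1234 is arbitrary):
# flags "qr ra" and "qr aa", QUERY 1, ANSWER 1, AUTHORITY 2, ADDITIONAL 1.
WITHOUT_DO = struct.pack("!6H", 0x1234, 0x8080, 1, 1, 2, 1)
WITH_DO = struct.pack("!6H", 0x1234, 0x8400, 1, 1, 2, 1)

if __name__ == "__main__":
    for label, raw in (("no +dnssec", WITHOUT_DO), ("+dnssec", WITH_DO)):
        print(label, parse_header(raw)["flags"], classify_auth_response(raw))
```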


Re: [dns-operations] Test Zone Metalist

2020-06-04 Thread Frank Louwers
Hi Matthew,


The "zonetransfer.me" zone contains a decent set of test records:

https://digi.ninja/projects/zonetransferme.php - dig axfr @nsztm1.digi.ninja zonetransfer.me

Frank Louwers
DNS Consultant @ Kiwazo.be


> On 4 Jun 2020, at 15:51, Matthew Pounsett wrote:
> 
> On the suggestion of some community members, I’m considering setting up a 
> list of known DNS test zones to be posted on OARC’s web site.  The list will 
> include zones designed to provide data to use as input to DNS software.
> 
> Off the top of my head, and with five minutes of googling, I know of only two:
> 
> test.dnssec-tools.org <https://dnssec-tools.org/testzone/>
> workbench.sidnlabs.nl <https://workbench.sidnlabs.nl/>
> 
> This seems to be one of those subjects that is hard to search; I’m mostly 
> getting test *software* in my search results.
> 
> What other zones should be on such a list?
> 
> Matt Pounsett
> DNS-OARC Systems Engineering


Re: [dns-operations] solutions for DDoS mitigation of DNS

2020-04-02 Thread Frank Louwers
That's very selective cutting of my sentence, Klaus.

> On 2 Apr 2020, at 13:09, Klaus Darilion <klaus.mailingli...@pernau.at> wrote:
> 
> On 02.04.2020 at 09:15, Frank Louwers wrote:
>> dnsdist allows you to do general ratelimiting/blocking
> 
> Ratelimiting is often not the correct choice.
> 
> If the source IP is random (which is usually the case with spoofed source IP 
> addresses), a rate limiting based on source IP is not useful.
> 
> If the query-name is random (which is usually the case with spoofed source IP 
> addresses), a rate limiting based on qname is not useful.
> 
> If the qname is always the same, or at least within the same zone, you could 
> do rate limiting for that zone, but this limits all queries, attack queries 
> and legitimate queries. Hence, you create a DoS for that zone, but at least 
> avoid collateral damage to other zones hosted on that name server.
> 
> So my advice: use a name server which can fill your upstream bandwidth (NSD, 
> Knot ...). And for volumetric attacks use a commercial DDoS mitigation 
> provider which filters your traffic (ie. buy the service from your ISP or 
> from a remote DDoS mitigation provider which announces your prefixes on 
> demand.)
> 
> regards
> Klaus
> 


Re: [dns-operations] solutions for DDoS mitigation of DNS

2020-04-02 Thread Frank Louwers
> 
>> May I ask if there are any solutions for DDoS mitigation of DNS?
> 
> All solutions that were mentioned here are correct but incomplete:
> there is no general solution against dDoS, because "it depends". There
> are many types of dDoS. You will need several tools in your toolbox,
> and someone knowledgeable to choose among them.

I completely agree. However, some tools have a large toolbox built-in and 
reduce the need for other tools. Eg: dnsdist allows you to do general 
ratelimiting/blocking, but allows you to build your own rules as well.

Note that I can buy a great, expensive and high-quality garage toolbox, but 
that that doesn't mean I can repair my own car. The toolbox is what the 
knowledgeable expert needs to fix the problem...

Kind Regards and best of luck fending off the bad people...

Frank Louwers
DNS Consultant @ Kiwazo.be <http://kiwazo.be/>


Re: [dns-operations] glitch on [ip6|in-addr].arpa?

2019-10-10 Thread Frank Louwers
Hi Warren,

> The lack of peering with a network doesn't prevent my accessing them,
> it just means that my packets take a sub-optimal[0] route.
> The above doesn't look like that at all, it looks like $something else
> (like dropped fragments), which is completely different to not
> peering[1].
> 
> 
> I feel like I haven't had my morning coffee, and am missing something
> wildly obvious here -- please, what is it?
> W
> [0]: Well, sub-optimal in terms of number of AS's, not necessarily in
> terms of congestion, latency, reliability, geography, etc.

You don't peer with HE, but you buy transit from a company that does peer with 
HE.

Neither Cogent nor HE buys transit from anybody else. They only peer and have 
customers. They don't buy "fallback" traffic.

Now if Cogent refuses to peer with HE (or the other way around), and they both 
don't buy traffic from anybody else, they can't reach each other...

Frank
