Re: Cloudflare 1.1.1.1 public DNS different as path info for 1.0.0.1 and 1.1.1.1 london

2018-04-02 Thread Tore Anderson
* Marty Strong via NANOG > Routing from ~150 locations, plenty of redundancy. Any plans to support NSID and/or "hostname.bind" to allow clients to identify which node is serving their requests? For example: $ dig @nsb.dnsnode.net. hostname.bind. CH TXT +nsid [...] ;; OPT

Re: Cloudflare 1.1.1.1 public DNS different as path info for 1.0.0.1 and 1.1.1.1 london

2018-04-02 Thread Hank Nussbacher
On 03/04/2018 01:39, Matt Hoppes wrote: You might be interested in these links which compare the services: https://medium.com/@nykolas.z/dns-resolvers-performance-compared-cloudflare-x-google-x-quad9-x-opendns-149e803734e5 https://webxtrakt.com/public-dns-performance -Hank > So in all this

Re: From Nov 2017...

2018-04-02 Thread Bill Woodcock
> On Apr 2, 2018, at 7:24 PM, Robert Mathews (OSIA) wrote: > *Group Co-founded by City of London Police promises 'no snooping on your > requests’* Note that this is _extremely_ misleading, since the group being referred to here is _not_ Quad9, but instead GCA, one of the

Re: From Nov 2017...

2018-04-02 Thread Seth Mattinen
On 4/2/18 7:43 PM, J Crowe wrote: That database could possibly be ingested and used locally. Traffic may not even be traversing to the database hosted by IBM. At least they are open about where they are getting the data that allows for blocking to certain FQDNs. Even if it does traverse

Re: From Nov 2017...

2018-04-02 Thread Seth Mattinen
On 4/2/18 7:24 PM, Robert Mathews (OSIA) wrote: To be clear. *DNS resolver 9.9.9.9 will check requests against IBM threat database* To be clear on what? That an IBM database is queried, just like it says on their website? That doesn't mean they are recording who is making what

From Nov 2017...

2018-04-02 Thread Robert Mathews (OSIA)
To be clear. *DNS resolver 9.9.9.9 will check requests against IBM threat database* *Group Co-founded by City of London Police promises 'no snooping on your requests'* By Richard Chirgwin 20 Nov 2017 at 06:58 The Register (UK)

Re: NG Firewalls & IPv6

2018-04-02 Thread David Hubbard
I’ve been doing dual stack through Fortinet products for many years without issue. Well, no issue from a technical perspective. Sometimes you have to dig for a bit to find the equivalent v6 CLI commands, and occasionally there’s GUI stuff missing that requires CLI where the v4 equivalent

Re: Cloudflare 1.1.1.1 public DNS broken w/ AT&T CPE

2018-04-02 Thread Seth Mattinen
On 4/2/18 5:10 PM, Mark Andrews wrote: On 3 Apr 2018, at 1:39 am, Seth Mattinen wrote: On 4/2/18 8:35 AM, Simon Lockhart wrote: This looks like a willy-waving exercise by Cloudflare coming up with the lowest quad-digit IP. They must have known that this would cause routing

Re: Cloudflare 1.1.1.1 public DNS broken w/ AT&T CPE

2018-04-02 Thread Mark Andrews
> On 3 Apr 2018, at 1:39 am, Seth Mattinen wrote: > > On 4/2/18 8:35 AM, Simon Lockhart wrote: >> This looks like a willy-waving exercise by Cloudflare coming up with the >> lowest >> quad-digit IP. They must have known that this would cause routing issues, and >> now

Re: Cloudflare 1.1.1.1 public DNS broken w/ AT&T CPE

2018-04-02 Thread Rubens Kuhl
On Mon, Apr 2, 2018 at 4:32 PM, Marty Strong wrote: > Do you have one? > Yes, supplied by local broadband provider Vivo. FTTH GPON connection, router with broadband and IPTV services. > Do you know what is causing it to fail? i.e. IP on internal interface etc. >

NG Firewalls & IPv6

2018-04-02 Thread Joe Klein
All, At security and network tradeshows over the last 15 years, I have asked companies if their products supported "IPv6". They all claimed they did, but were unable to verify any successful installations. Later they told me it was on their "Roadmap" but were unable to provide an estimated year,

Re: Cloudflare 1.1.1.1 public DNS different as path info for 1.0.0.1 and 1.1.1.1 london

2018-04-02 Thread Matt Hoppes
So in all this discussion, what I'm finding interesting is that 8.8.8.8 is actually more hops away from me than either 9.9.9.9 or 1.1.1.1 On 4/2/18 6:06 PM, Seth Mattinen wrote: On 4/2/18 14:58, Marty Strong via NANOG wrote: Routing from ~150 locations, plenty of redundancy.

Re: whoami.akamai.net and public DNS node replies

2018-04-02 Thread Jared Mauch
> On Apr 2, 2018, at 4:36 PM, Anurag Bhatia wrote: > > Hello everyone, > > Anyone using whoami.akamai.net? Thanks, our team is investigating this at present. I don’t have an ETR at the moment. - Jared

Re: Cloudflare 1.1.1.1 public DNS different as path info for 1.0.0.1 and 1.1.1.1 london

2018-04-02 Thread Seth Mattinen
On 4/2/18 14:58, Marty Strong via NANOG wrote: Routing from ~150 locations, plenty of redundancy. https://www.cloudflare.com/network/ I recommend 9.9.9.9 to people (if they must use a public resolver) because Quad9/PCH serves local markets of all sizes with anycast nodes and peering, not

Re: Cloudflare 1.1.1.1 public DNS different as path info for 1.0.0.1 and 1.1.1.1 london

2018-04-02 Thread Marty Strong via NANOG
Routing from ~150 locations, plenty of redundancy. https://www.cloudflare.com/network/ Regards, Marty Strong -- Cloudflare - AS13335 Network Engineer ma...@cloudflare.com +44 7584 906 055 smartflare (Skype) https://www.peeringdb.com/asn/13335 > On 2 Apr

Re: UBNT Security was Re: Cloudflare 1.1.1.1 public DNS broken w/ AT&T CPE

2018-04-02 Thread Brielle Bruns
On 4/2/2018 3:23 PM, Mike Hammett wrote: I believe at one point UBNT did block outside management access, but then their customers voiced to bring it back. That said, I think they're taking security more seriously going forward. I'm not entirely sure what Ubnt has changed lately, because

Re: Cloudflare 1.1.1.1 public DNS broken w/ AT&T CPE

2018-04-02 Thread Florian Weimer
* Hank Nussbacher: > Perhaps they are running all this to shake out exactly these type of > issues? I think that is exactly why APNIC research is called for. And return another 2**24 addresses to the global IPv4 pool eventually? That would indeed be a laudable goal.

UBNT Security was Re: Cloudflare 1.1.1.1 public DNS broken w/ AT&T CPE

2018-04-02 Thread Mike Hammett
I believe at one point UBNT did block outside management access, but then their customers voiced to bring it back. That said, I think they're taking security more seriously going forward. - Mike Hammett Intelligent Computing Solutions http://www.ics-il.com Midwest-IX

Re: Cloudflare 1.1.1.1 public DNS broken w/ AT&T CPE

2018-04-02 Thread Brielle Bruns
On 4/2/2018 9:35 AM, Simon Lockhart wrote: Quite. This looks like a willy-waving exercise by Cloudflare coming up with the lowest quad-digit IP. They must have known that this would cause routing issues, and now suddenly it's our responsibility to make significant changes to live

whoami.akamai.net and public DNS node replies

2018-04-02 Thread Anurag Bhatia
Hello everyone, Anyone using whoami.akamai.net? I have used it quite a while especially with large anycast players because they tend to have customer facing (anycast) IPs and internet facing unicast IPs to reach to outside world. Thus for say 8.8.8.8 while query may be local to my country

Re: Cloudflare 1.1.1.1 public DNS different as path info for 1.0.0.1 and 1.1.1.1 london

2018-04-02 Thread Job Snijders
On Mon, Apr 2, 2018 at 8:14 PM, Saku Ytti wrote: > If they are for redundancy, wouldn't it be preferable to route them to > different place to cover more fault scenarios. > > I would complain if they are routed to same place. Better start complaining then :-) Kind regards, Job

Re: Cloudflare 1.1.1.1 public DNS different as path info for 1.0.0.1 and 1.1.1.1 london

2018-04-02 Thread Saku Ytti
If they are for redundancy, wouldn't it be preferable to route them to different place to cover more fault scenarios. I would complain if they are routed to same place. On 2 April 2018 at 22:56, Colin Johnston wrote: > don't know if this is a problem but seeing different

Re: Cloudflare 1.1.1.1 public DNS different as path info for 1.0.0.1 and 1.1.1.1 london

2018-04-02 Thread Colin Johnston
don't know if this is a problem but seeing different as paths for 1.0.0.1 and 1.1.1.1 in UK as lands 2 185.61.135.25 (185.61.135.25) 1.964 ms 72.824 ms 72.835 ms 3 10.254.84.3 (10.254.84.3) 2.671 ms 2.577 ms 2.601 ms 4 31.28.72.22 (31.28.72.22) 2.798 ms 2.897 ms 3.123 ms 5 * * *

Re: Cloudflare 1.1.1.1 public DNS broken w/ AT&T CPE

2018-04-02 Thread Marty Strong via NANOG
Do you have one? Do you know what is causing it to fail? i.e. IP on internal interface etc. Regards, Marty Strong -- Cloudflare - AS13335 Network Engineer ma...@cloudflare.com +44 7584 906 055 smartflare (Skype) https://www.peeringdb.com/asn/13335 > On 2 Apr

Re: Cloudflare 1.1.1.1 public DNS broken w/ AT&T CPE

2018-04-02 Thread mike . lyon
Because it would be wasteful not to use it??? > On Apr 2, 2018, at 11:48, Brett Watson wrote: > > > >> On Apr 2, 2018, at 10:18, John Levine wrote: >> >> In article <7db5fac7-972a-4eb6-89d9-b305a7233...@cloudflare.com> you write: >>> If you know of

Re: Cloudflare 1.1.1.1 public DNS broken w/ AT&T CPE

2018-04-02 Thread Brett Watson
> On Apr 2, 2018, at 10:18, John Levine wrote: > > In article <7db5fac7-972a-4eb6-89d9-b305a7233...@cloudflare.com> you write: >> If you know of others please send them my way so we can investigate. > > A lot of hotel and coffee shop captive portals use it for the login > and

Re: Cloudflare 1.1.1.1 public DNS broken w/ AT&T CPE

2018-04-02 Thread Rubens Kuhl
D-Link DMG-6661 as well. Rubens On Mon, Apr 2, 2018 at 12:26 PM, Marty Strong via NANOG wrote: > So far we know about a few CPEs which answer for 1.1.1.1 themselves: > > - Pace 5268 > - Calix GigaCenter > - Various Cisco Wifi access points > > If you know of others please

Re: Cloudflare 1.1.1.1 public DNS broken w/ AT&T CPE

2018-04-02 Thread Seth Mattinen
On 4/2/18 10:49, David Conrad wrote: Wait. What? Why do you think 1/8 shouldn’t be used for anything? I didn't say that. In case this is a non-native English issue, "nobody should have been using" is past tense, which is to say everyone squatting on 1/8 space for their own purposes

Re: Cloudflare 1.1.1.1 public DNS broken w/ AT&T CPE

2018-04-02 Thread David Conrad
Wait. What? Why do you think 1/8 shouldn’t be used for anything? Regards, -drc -- > On Monday, Apr 02, 2018 at 11:40 AM, Seth Mattinen (mailto:se...@rollernet.us)> wrote: > On 4/2/18 8:35 AM, Simon Lockhart wrote: > > > > This looks like a willy-waving exercise by

Re: Cloudflare 1.1.1.1 public DNS broken w/ AT&T CPE

2018-04-02 Thread John Levine
In article <7db5fac7-972a-4eb6-89d9-b305a7233...@cloudflare.com> you write: >If you know of others please send them my way so we can investigate. A lot of hotel and coffee shop captive portals use it for the login and logout screens. Don't know what the underlying software is, but wander around

Re: Cloudflare 1.1.1.1 public DNS broken w/ AT&T CPE

2018-04-02 Thread Alan Buxey
that's probably a key part of the experiment - to find locations and systems where 1.1.1.1 is trashed. it should be routable and it's about time that vendors stopped messing around in that space - hopefully this is one of the sticks that prods people to start to behave - at which point 1.0.0.0/8

Re: IPv6 addressing plan spreadsheet issue

2018-04-02 Thread Filip Hruska
Hi, I actually got that value from curl (on Mac) so who knows. It's certainly possible that it's generated on-the-fly and curl just shows garbage info. Regards, -- Filip Hruska Linux System Administrator On 4/2/18 at 18:59, Tarko Tikan wrote: hey, How did you actually create the .txt

Re: IPv6 addressing plan spreadsheet issue

2018-04-02 Thread Tarko Tikan
hey, How did you actually create the .txt file? Is the filesize spoofed in some way? 8191PB is a lot of storage. Probably just handcrafted index.html with fake file size and CGI script that outputs the actual prefixes on-demand? -- tarko

Re: IPv6 addressing plan spreadsheet issue

2018-04-02 Thread Nick Hilliard
Filip Hruska wrote: > How did you actually create the .txt file? Is the filesize spoofed in > some way? > 8191PB is a lot of storage. Probably a giant RAID in the attic. Disk space is very cheap these days. Anyway, txt files are old hat for ip address management. Job should be using Excel like

Re: IPv6 addressing plan spreadsheet issue

2018-04-02 Thread Filip Hruska
Well played. How did you actually create the .txt file? Is the filesize spoofed in some way? 8191PB is a lot of storage. -- Filip Hruska Linux System Administrator On 4/1/18 at 13:09, Job Snijders wrote: Hi all, I made a list of the IPv6 addresses in my home LAN, but have trouble

Re: Cloudflare 1.1.1.1 public DNS broken w/ AT&T CPE

2018-04-02 Thread Hank Nussbacher
On 02/04/2018 18:35, Simon Lockhart wrote: > On Mon Apr 02, 2018 at 11:17:47AM -0400, John Levine wrote: >> So it's routed deliberately but it sure looks like an experiment. >> There's way too much equipment that treats 1.1.1.1 as magic for it to >> work reliably. Captive portals tend to use that

Re: IPv6 addressing plan spreadsheet issue

2018-04-02 Thread Justin Wilson
We use PHPIPAM for our clients. If given the choice Netflix traffic prefers IPV6. That is the “killer app” for me. Justin Wilson j...@mtin.net www.mtin.net www.midwest-ix.com > On Apr 1, 2018, at 2:35 PM, Pete Baldwin wrote: > > Each file can only contain a single IP

Re: Cloudflare 1.1.1.1 public DNS broken w/ AT&T CPE

2018-04-02 Thread James R Cutler
> On Apr 2, 2018, at 11:35 AM, Simon Lockhart wrote: > > … > This looks like a willy-waving exercise by Cloudflare coming up with the > lowest > quad-digit IP. They must have known that this would cause routing issues, and > now suddenly it's our responsibility to make

Re: Cloudflare 1.1.1.1 public DNS broken w/ AT&T CPE

2018-04-02 Thread John R. Levine
This looks like a willy-waving exercise by Cloudflare coming up with the lowest quad-digit IP. They must have known that this would cause routing issues, and now suddenly it's our responsibility to make significant changes to live infrastructures just so they can continue to look clever with the

Re: Cloudflare 1.1.1.1 public DNS broken w/ AT&T CPE

2018-04-02 Thread nop
On Mon, Apr 2, 2018, at 8:35 AM, Simon Lockhart wrote: > quad-digit IP. They must have known that this would cause routing issues, and > now suddenly it's our responsibility to make significant changes to live > infrastructures just so they can continue to look clever with the IP address. In this

Re: Cloudflare 1.1.1.1 public DNS broken w/ AT&T CPE

2018-04-02 Thread Seth Mattinen
On 4/2/18 8:35 AM, Simon Lockhart wrote: This looks like a willy-waving exercise by Cloudflare coming up with the lowest quad-digit IP. They must have known that this would cause routing issues, and now suddenly it's our responsibility to make significant changes to live infrastructures just so

Re: Cloudflare 1.1.1.1 public DNS broken w/ AT&T CPE

2018-04-02 Thread Simon Lockhart
On Mon Apr 02, 2018 at 11:17:47AM -0400, John Levine wrote: > So it's routed deliberately but it sure looks like an experiment. > There's way too much equipment that treats 1.1.1.1 as magic for it to > work reliably. Captive portals tend to use that address for the host > you contact to log out.

Re: Cloudflare 1.1.1.1 public DNS broken w/ AT&T CPE

2018-04-02 Thread Matt Hoppes
“Routed briefly for passive testing” sounds to me like “black hole it because legitimate traffic shouldn’t be coming to your network from it” > On Apr 2, 2018, at 11:23, Jason Kuehl wrote: > > Not saying you're wrong. But people did it for whatever reason. > >> On

Re: Cloudflare 1.1.1.1 public DNS broken w/ AT&T CPE

2018-04-02 Thread Marty Strong via NANOG
So far we know about a few CPEs which answer for 1.1.1.1 themselves: - Pace 5268 - Calix GigaCenter - Various Cisco Wifi access points If you know of others please send them my way so we can investigate. Regards, Marty Strong -- Cloudflare - AS13335 Network

Re: Cloudflare 1.1.1.1 public DNS broken w/ AT&T CPE

2018-04-02 Thread Jason Kuehl
Not saying you're wrong. But people did it for whatever reason. On Mon, Apr 2, 2018 at 11:12 AM, Justin Wilson wrote: > 1.0.0.0/8 was assigned to APNIC in 2010. Those who used it as a > placeholder were doing it wrong. It is valid IP space. It just was not > assigned until

Re: Cloudflare 1.1.1.1 public DNS broken w/ AT&T CPE

2018-04-02 Thread John Levine
In article <20180402150821.ga24...@cmadams.net> you write: >Once upon a time, Matt Hoppes said: >> Seeing as how 1.1.1.1 isn’t supposed to be routed > >[citation needed] Look at the WHOIS info -- 1.1.1.0/24 is assigned to APNIC Research, and it says remarks:

Re: Cloudflare 1.1.1.1 public DNS broken w/ AT&T CPE

2018-04-02 Thread Jason Kuehl
Just like "S3 dependency check day" Thus begins "National 1.1.1.1 change week" I've already around a few pieces of equipment sets with 1.1.1.1 On Mon, Apr 2, 2018 at 11:05 AM, Matt Hoppes < mattli...@rivervalleyinternet.net> wrote: > Seeing as how 1.1.1.1 isn’t supposed to be routed I’m not

Re: Cloudflare 1.1.1.1 public DNS broken w/ AT&T CPE

2018-04-02 Thread Justin Wilson
1.0.0.0/8 was assigned to APNIC in 2010. Those who used it as a placeholder were doing it wrong. It is valid IP space. It just was not assigned until 2010. Justin Wilson j...@mtin.net www.mtin.net www.midwest-ix.com > On Apr 2, 2018, at 11:05 AM, Matt Hoppes

RE: Cloudflare 1.1.1.1 public DNS broken w/ AT&T CPE

2018-04-02 Thread Chris Gross
That sounds like a provider problem with their configuration most likely. I run hundreds of 844E, 844Gs and have one at my house even, and it continues out fine for 1.1.1.1 when I was testing over the weekend with our config. Chris Gross IP Services Supervisor -Original Message- From:

Re: Cloudflare 1.1.1.1 public DNS broken w/ AT&T CPE

2018-04-02 Thread Chris Adams
Once upon a time, Matt Hoppes said: > Seeing as how 1.1.1.1 isn’t supposed to be routed [citation needed] -- Chris Adams

Re: Cloudflare 1.1.1.1 public DNS broken w/ AT&T CPE

2018-04-02 Thread Matt Hoppes
Seeing as how 1.1.1.1 isn’t supposed to be routed I’m not surprised this is causing odd issues. > On Apr 2, 2018, at 11:03, Darin Steffl wrote: > > I am behind a Calix router at home for my ISP and 1.1.1.1 goes to my router > and not any further. When I enter the IP

Re: Cloudflare 1.1.1.1 public DNS broken w/ AT&T CPE

2018-04-02 Thread Darin Steffl
I am behind a Calix router at home for my ISP and 1.1.1.1 goes to my router and not any further. When I enter the IP into my browser, it opens the login page for my router. So it appears 1.1.1.1 is used as a loopback in my Calix router. 1.0.0.1 goes to the proper place fine. On Sun, Apr 1, 2018

Re: Yet another Quadruple DNS?

2018-04-02 Thread Paul Ebersman
ebersman> And yes, running your own resolver is more private. So is ebersman> running your own home linux server instead of antique consumer ebersman> OSs on consumer grade gear and using VPNs. But how many folks ebersman> can do that? ssatchell> ssatchell> I gave up on Microsoft desktop

Re: Yet another Quadruple DNS?

2018-04-02 Thread Colin Johnston
> On 2 Apr 2018, at 10:32, William Waites wrote: > > > >> On 2 Apr 2018, at 02:57, Aftab Siddiqui wrote: >> >> Here is the update from Geoff himself. I guess they didn't want to publish >> it on April 1st (AEST). >>

Cloudflare 1.1.1.1 public DNS broken w/ AT&T CPE

2018-04-02 Thread Jeremy L. Gaddis
Greetings, If anyone at 7018 wants to pass a message along to the correct folks, please let them know that Cloudflare's new public DNS service (1.1.1.1) is completely unusable for at least some of AT&T's customers. There is apparently a bug with some CPE (including the 5268AC). From behind such

Comcast engineer assistance

2018-04-02 Thread Derrick Malilay
Can a Comcast engineer please contact me off-list. der...@gmail.com We are seeing some unusual behavior with one prefix that looks like it's stopping in the Comcast network. Thanks! Derrick

Re: new diffserv code point LE PHB

2018-04-02 Thread Rafał Fitt
Dear Job, > In cases where you have both 'normal' and 'bulk' content on the same webserver, are there any webservers that allow you to set a DSCP value per path or filename? please check http://techgenix.com/qos-windows-server-2012-part3/ You can assign DSCP per (outgoing) URL on Windows

ARIN 41 - potential changes to Number Resource Policy (Fwd: [arin-announce] Participate in the Public Policy Process at ARIN 41)

2018-04-02 Thread John Curran
NANOGers - ARIN operates the number registry according to community-developed policies, but ultimately such policies are shaped by the folks in this community who choose to participate in their development. There are several significant policy proposals that will be considered at

Re: Yet another Quadruple DNS?

2018-04-02 Thread William Waites
> On 2 Apr 2018, at 02:57, Aftab Siddiqui wrote: > > Here is the update from Geoff himself. I guess they didn't want to publish > it on April 1st (AEST). > https://blog.apnic.net/2018/04/02/apnic-labs-enters-into-a-research-agreement-with-cloudflare/ The research

Re: Yet another Quadruple DNS?

2018-04-02 Thread Brian Kantor
On Mon, Apr 02, 2018 at 09:07:07AM +, Baldur Norddahl wrote: > The problem I see here is the five year research term after which they may > or may not revoke the use of the prefix. > > This is harmful. Such services should be stable. If you are going to let > cloudflare run this service, it

Re: Yet another Quadruple DNS?

2018-04-02 Thread Baldur Norddahl
The problem I see here is the five year research term after which they may or may not revoke the use of the prefix. This is harmful. Such services should be stable. If you are going to let cloudflare run this service, it should be permanent. Regards Baldur Den man. 2. apr. 2018 03.57 skrev