DNS problems resolving dyn.plus.net due to incorrect server config

nickleverton2 · ‎03-03-2014

There seems to be a problem with the Plusnet DNS zone configuration for dyn.plus.net. This is the zone which serves up the address queries for Plusnet's own dynamic DNS broadband connections. All queries on this zone fail, because the zone is incorrectly configured (a "lame delegation") on Plusnet's authoritative DNS servers.

This is a problem because it means that reverse address lookups by remote servers fail. These lookups are often performed for security reasons, as here. Log is from a remote server I run which, amongst other measures, uses rDNS to exempt UK connections from rate limiting and port blocking:

Mar 21 08:44:19 warren sshd[32464]: warning: /etc/hosts.allow, line 14: can't verify hostname: getaddrinfo(97.178.31.213.dyn.plus.net, AF_INET) failed
Mar 21 08:44:20 warren sshd[32464]: reverse mapping checking getaddrinfo for 97.178.31.213.dyn.plus.net [213.31.178.97] failed - POSSIBLE BREAK-IN ATTEMPT!

This problem arises because any queries on Plusnet's dyn.plus.net zone fail, example here performed via Google DNS server:

$ dig @8.8.8.8 97.178.31.213.dyn.plus.net

; <<>> DiG 9.9.5-9+deb8u14-Debian <<>> @8.8.8.8 97.178.31.213.dyn.plus.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 47154
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

(note "ANSWER: 0" - the query cannot be resolved).

According to squish.net, the reason for this is that the zone is delegated to nameservers which don't answer but just refer the query onto each other, one of several causes of "lame referral"

Traversing for 97.178.31.213.dyn.plus.net type A starting at the root(s)

Results

37.5% Lame referral received from ns1.force9.net (195.166.128.16) to ns1.force9.net (195.166.128.16)

37.5% Lame referral received from ns1.force9.net (195.166.128.16) to ns2.force9.net (195.166.128.17)

25.0% Lame referral received from ns2.force9.net (195.166.128.17) to ns2.force9.net (195.166.128.17)

On checking with your own nameservers this is indeed the case:

dig @ns1.force9.net 97.178.31.213.dyn.plus.net

; <<>> DiG 9.9.5-9+deb8u14-Debian <<>> @ns1.force9.net 97.178.31.213.dyn.plus.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18909
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 3
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;97.178.31.213.dyn.plus.net. IN A

;; AUTHORITY SECTION:
31.213.dyn.plus.net. 43200 IN NS ns2.force9.net.
31.213.dyn.plus.net. 43200 IN NS ns1.force9.net.

;; ADDITIONAL SECTION:
ns1.force9.net. 86400 IN A 195.166.128.16
ns2.force9.net. 86400 IN A 195.166.128.17

Please could you pass this on to the relevant ops people and get them to fix their zone configuration, please ?

Moderator's note by Mike (Mav): Post released from Spam Filter.

Mav · ‎06-04-2007

Moderator's Note(s)

Thread moved from Fibre Broadband to Everything Else.

Forum Moderator and Customer
Courage is resistance to fear, mastery of fear, not absence of fear - Mark Twain
He who feared he would not succeed sat still

MasterOfReality · ‎26-03-2018

Hi @nickleverton2

I can see that you have raised this via a ticket on your account as well - I can confirm that our Network Amdin team have moved your ticket into their own work pool, so I should expect you'll get a reply from one of them via that support platform shortly.

Kind Regards,

MoR

DNS problems resolving dyn.plus.net due to incorrect server config

DNS problems resolving dyn.plus.net due to incorrect server config

Re: DNS problems resolving dyn.plus.net due to incorrect server config

Re: DNS problems resolving dyn.plus.net due to incorrect server config