Plusnet DNS server not respecting source TTL

corringham
Seasoned Champion
Posts: 1,211
Thanks: 634
Fixes: 16
Registered: ‎25-09-2015

Re: Plusnet DNS server not respecting source TTL

There seems to be confusion about the problem here. The original post shows that the DNS server being queried is 213.120.234.42 and that is the Plusnet Safeguard DNS.

That is returning a short TTL. The TTL gives the time that the client can use that address before having to look it up again. A short TTL will increase the number of DNS lookups. I believe that is the problem being reported.

I expect that the reason is to ensure that DNS lookups are made frequently, so that any sites that become "banned" are in fact banned within a short time period, rather than having to wait for a very long TTL to expire. That makes the Safeguard more effective. So I believe that it isn't a bug, but a feature.

Simply not using the Safeguard DNS will avoid the issue (other "safe" DNS services are available, but they may take a similar approach).

bobpullen
Community Gaffer
Posts: 16,869
Thanks: 4,950
Fixes: 315
Registered: ‎04-04-2007

Re: Plusnet DNS server not respecting source TTL

@corringham is right.

@pv, it's an interesting observation.

For clarity, the Plusnet default DNS resolvers are 212.159.6.9, 212.159.6.10, 212.159.13.49 & 212.159.13.50 (anycast addresses so doesn't really matter which you use). These resolvers do not exhibit the behaviour being reported.

213.120.234.38 and 213.120.234.42 are the Safeguard DNS resolvers, however the service does not need to be switched on/active in order for you to be assigned these resolvers. In fact, if you have ever switched Safeguard on, even if it was momentarily, you will always be automatically assigned these DNS addresses.

I'm unable to explain the TTL behaviour of the Safeguard resolvers with any authority, but I've a suspicion there's going to be a good reason for it. Perhaps it's there to minimise the potential for delay/confusion where Safeguard is blocking something, the blocked DNS response gets cached, and the user then elects to whitelist, or disable the service to get around the blocking. Honouring a domain's TTL could theoretically result in a situation where a user is unable to get around a block without waiting an inordinate amount of time, or knowing that they need to flush their local DNS caches.

Certainly nothing worth raising a complaint about.

Bob Pullen
Plusnet Product Team
If I've been helpful then please give thanks ⤵

Baldrick1
Moderator
Posts: 11,618
Thanks: 5,166
Fixes: 415
Registered: ‎30-06-2016

Re: Plusnet DNS server not respecting source TTL

I'm trying to imagine the impact on overall speed of having to access the DNS server every 15 minutes compared with 1 hour. Presumably you need to be interacting with the same web address for all this time?

I imagine that in the real world the difference is lost in the noise.

Moderator and Customer
If this helped - select the Thumb
If it fixed it,  help others - select 'This Fixed My Problem'

bobpullen
Community Gaffer
Posts: 16,869
Thanks: 4,950
Fixes: 315
Registered: ‎04-04-2007

Re: Plusnet DNS server not respecting source TTL


@Baldrick1 wrote:

I'm trying to imagine the impact on overall speed of having to access the DNS server every 15 minutes compared with 1 hour...


About 8ms for me.

~ $ dig bbc.co.uk @213.120.234.38
; <<>> DiG 9.9.5-9+deb8u18-Raspbian <<>> bbc.co.uk @213.120.234.38
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61014
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;bbc.co.uk.                     IN      A

;; ANSWER SECTION:
bbc.co.uk.              220     IN      A       151.101.128.81
bbc.co.uk.              220     IN      A       151.101.64.81
bbc.co.uk.              220     IN      A       151.101.192.81
bbc.co.uk.              220     IN      A       151.101.0.81

;; Query time: 8 msec <----- ****
;; SERVER: 213.120.234.38#53(213.120.234.38)
;; WHEN: Fri Aug 09 17:06:55 BST 2019
;; MSG SIZE  rcvd: 102

In other words: you're not going to notice it.


pv
Grafter
Posts: 84
Thanks: 8
Registered: ‎12-06-2019

Re: Plusnet DNS server not respecting source TTL


@bobpullen wrote:

In fact, if you have ever switched Safeguard on, even if it was momentarily, you will always be automatically assigned these DNS addresses.

Thanks for your reply Bob.
That's annoying then, since I have indeed activated Safeguard in the past. Is there really no way for me to be returned to the default DNS servers?

Gandalf
Community Gaffer
Posts: 26,563
Thanks: 10,265
Fixes: 1,599
Registered: ‎21-04-2017

Re: Plusnet DNS server not respecting source TTL

If there’s no way for you to manually change the DNS in a Hub One, and as far as I’m aware there isn’t, then as a workaround you should be able to override this at device level, i.e. by setting the DNS in the network settings on your computer, laptop, tablet, phone etc.
From 31st October 2022, I no longer have a regular presence here as I’ve moved on to a new role.
Anoush Mortazavi
Plusnet
pv
Grafter
Posts: 84
Thanks: 8
Registered: ‎12-06-2019

Re: Plusnet DNS server not respecting source TTL

Or you could tell your systems to give me the DNS servers I was assigned before I turned on SafeGuard?

Gandalf
Community Gaffer
Posts: 26,563
Thanks: 10,265
Fixes: 1,599
Registered: ‎21-04-2017

Re: Plusnet DNS server not respecting source TTL

I may be wrong and I’m sure Bob will correct me if I am, but we can’t manually assign your router a different set of DNS servers as there’s no functionality for us to do this.
pv
Grafter
Posts: 84
Thanks: 8
Registered: ‎12-06-2019

Re: Plusnet DNS server not respecting source TTL

Then my question is, why was the SafeGuard system designed in such a way so as to make an irreversible switch to DNS servers which spoof the TTL values?

Baldrick1
Moderator
Posts: 11,618
Thanks: 5,166
Fixes: 415
Registered: ‎30-06-2016

Re: Plusnet DNS server not respecting source TTL

@pv 

If you go onto eBay you can pick up a business version of the BT Smarthub 6. These can be set up to work on your Plusnet account, and on the business version you can set your own choice of DNS servers.

I picked one up for less than £20.

https://community.plus.net/t5/My-Router/Using-the-BT-Smarthub-6-on-a-Plusnet-Account/m-p/1587673#M85...


bobpullen
Community Gaffer
Posts: 16,869
Thanks: 4,950
Fixes: 315
Registered: ‎04-04-2007

Re: Plusnet DNS server not respecting source TTL

Is there really no way for me to be returned to the default DNS servers?


Not easily, and we've no recognised process for doing it. One option would be to use a router that lets you override the RADIUS-assigned resolvers but neither of our default offerings permit this. I don't think the device's data model allows me to do it remotely either.

You could of course source your own router that does allow it.

Another option is to assign DNS at the device level but that's rarely practical in a world with so many smartphones/IoT devices.

Yet another option, is to use your own DHCP server and have that dish out the DNS resolvers. If you've a Raspberry Pi or similar knocking about, then Pihole comes personally recommended.


pv
Grafter
Posts: 84
Thanks: 8
Registered: ‎12-06-2019

Re: Plusnet DNS server not respecting source TTL

@bobpullen would you agree with me that if enabling SafeGuard switches one's DNS servers to ones which spoof DNS TTL values, then it is reasonable to expect that when SafeGuard is disabled the servers are switched back to the original ones?

pv
Grafter
Posts: 84
Thanks: 8
Registered: ‎12-06-2019

Re: Plusnet DNS server not respecting source TTL


@Baldrick1 wrote:

I'm trying to imagine the impact on overall speed of having to access the DNS server every 15 minutes compared with 1 hour. Presumably you need to be interacting with the same web address for all this time?

It's not uncommon for DNS record TTLs to be 1 day or longer. If a 1 day TTL is spoofed by the SafeGuard DNS to 15 minutes, this potentially means that in the space of 1 day, 95 more DNS queries need to be made to the DNS server than otherwise. Now multiply that by all the other hostnames being looked up within a day.
As for the speed of those queries, it entirely depends on the network and DNS server conditions at the time, it could be a lot longer than several milliseconds.
DNS TTL exists for a good reason, and whilst there may be a valid reason for spoofing the TTL while SafeGuard is enabled, it most definitely should not be spoofing records when SafeGuard is disabled.

corringham
Seasoned Champion
Posts: 1,211
Thanks: 634
Fixes: 16
Registered: ‎25-09-2015

Re: Plusnet DNS server not respecting source TTL

Don't Plusnet have a way of resetting the RADIUS assigned DNS resolvers at all? There is obviously a mechanism to change them when SafeGuard is enabled - surely a similar mechanism is possible when it is disabled.

I'm glad I run my own DNS (and e-mail, and http, etc.) servers!

pv
Grafter
Posts: 84
Thanks: 8
Registered: ‎12-06-2019

Re: Plusnet DNS server not respecting source TTL

It gets worse. I now realise the default Plusnet DNS servers have DNSSEC enabled, but the SafeGuard DNS servers do not. So not only am I assigned servers which cause excessive DNS queries, they also do not check DNS record authenticity.
I would very much appreciate being returned to the original DNS servers @bobpullen . There must be a way to do it.
Default DNS server (DNSSEC enabled, AD-flag present):
C:\>dig pir.org @212.159.13.49

; <<>> DiG 9.14.4 <<>> pir.org @212.159.13.49
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20333
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;pir.org.                       IN      A

;; ANSWER SECTION:
pir.org.                300     IN      A       97.107.141.235

;; AUTHORITY SECTION:
pir.org.                300     IN      NS      ns1.ams1.afilias-nst.info.
pir.org.                300     IN      NS      ns1.mia1.afilias-nst.info.
pir.org.                300     IN      NS      ns1.yyz1.afilias-nst.info.
pir.org.                300     IN      NS      ns1.sea1.afilias-nst.info.

;; Query time: 346 msec
;; SERVER: 212.159.13.49#53(212.159.13.49)
;; WHEN: Sat Aug 10 19:45:07 GMT Summer Time 2019
;; MSG SIZE  rcvd: 160
SafeGuard DNS server (DNSSEC disabled, AD-flag missing):
C:\>dig pir.org @213.120.234.42

; <<>> DiG 9.14.4 <<>> pir.org @213.120.234.42
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48878
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;pir.org.                       IN      A

;; ANSWER SECTION:
pir.org.                300     IN      A       97.107.141.235

;; Query time: 211 msec
;; SERVER: 213.120.234.42#53(213.120.234.42)
;; WHEN: Sat Aug 10 19:45:23 GMT Summer Time 2019
;; MSG SIZE  rcvd: 52