
Plusnet DNS server not respecting source TTL

Community Gaffer
Posts: 13,918
Thanks: 1,443
Fixes: 119
Registered: 04-04-2007

Re: Plusnet DNS server not respecting source TTL

Another valid observation it seems, but I'd argue again that real-life implications are marginal. I believe the number of signed domains out there only totals a few percent.

C:\>dig pir.org @212.159.13.49

Same results if you query the router's forwarder (i.e. 192.168.1.254), as that's what your local clients will be using?

I'll ask about regarding the ability to reassign the Plusnet resolvers, but I wouldn't hold your breath because it's definitely not possible without some degree of 'hacking' outside of the normal system capability we have.

Bob Pullen
Plusnet Product Team
If I've been helpful then please give thanks ⤵

pv
Dabbler
Posts: 22
Registered: 12-06-2019

Re: Plusnet DNS server not respecting source TTL

You regard DNSSEC as important enough to enable on your default DNS servers, so that's one level of protection I've lost.

A better test is to query a DNS record with an invalid key (see below).

Again, maybe there's a valid reason for both spoofing TTL and disabling DNSSEC on your SafeGuard servers, but once I turn SafeGuard off I should be returned to the normal DNS servers with the default feature set.

Plusnet default DNS server (DNSSEC rejects invalid DNS record):

C:\>dig @212.159.13.49 dnssec-failed.org

; <<>> DiG 9.14.4 <<>> @212.159.13.49 dnssec-failed.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 21852
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dnssec-failed.org.             IN      A

;; Query time: 785 msec
;; SERVER: 212.159.13.49#53(212.159.13.49)
;; WHEN: Mon Aug 12 11:51:28 GMT Summer Time 2019
;; MSG SIZE  rcvd: 46

Plusnet SafeGuard DNS server (doesn't care about record being bogus):

C:\>dig @213.120.234.42 dnssec-failed.org

; <<>> DiG 9.14.4 <<>> @213.120.234.42 dnssec-failed.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 702
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dnssec-failed.org.             IN      A

;; ANSWER SECTION:
dnssec-failed.org.      900     IN      A       69.252.80.75

;; Query time: 149 msec
;; SERVER: 213.120.234.42#53(213.120.234.42)
;; WHEN: Mon Aug 12 11:51:41 GMT Summer Time 2019
;; MSG SIZE  rcvd: 62
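
Added example (not part of any post in this thread, and not Plusnet's or dig's code): a small Python script that repeats the check above without dig. It builds the same recursive A query with an EDNS0 OPT record that dig sends by default, parses the reply, and classifies the resolver as validating (SERVFAIL, no answer, as 212.159.13.49 returned) or not validating (NOERROR with an A record, as 213.120.234.42 returned). The use of dnssec-failed.org as the deliberately badly-signed test name comes from the posts; the resolver addresses, the `probe()` helper and the constructed sample replies are assumptions made for this example.

```python
import secrets
import socket
import struct

# DNS RCODE values (RFC 1035)
NOERROR = 0
SERVFAIL = 2

# Deliberately badly-signed test zone, as queried with dig in the posts above
TEST_NAME = "dnssec-failed.org"


def encode_name(name):
    """Encode a dotted name in DNS wire format (length-prefixed labels, root terminator)."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def build_query(name, qtype=1, dnssec_ok=False):
    """Build a recursive A query with an EDNS0 OPT record, like dig's default query.

    A validating resolver returns SERVFAIL for a bogus zone whether or not the DO bit
    is set; DO only asks the resolver to include RRSIG records in the reply.
    """
    txid = secrets.randbits(16)
    # flags 0x0100 = RD; one question, no answer/authority, one additional (the OPT RR)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL field = ext-rcode/version/flags
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0x8000 if dnssec_ok else 0, 0)
    return txid, header + question + opt


def decode_name(data, offset):
    """Decode a (possibly compressed) name; return (name, offset just after the name)."""
    labels = []
    end = None
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", end if end is not None else offset


def parse_response(data):
    """Parse the header, question and answer sections of a DNS reply."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qdcount):
        _, offset = decode_name(data, offset)
        offset += 4  # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        name, offset = decode_name(data, offset)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        value = ".".join(str(b) for b in rdata) if rtype == 1 and rdlen == 4 else rdata.hex()
        answers.append((name, rtype, ttl, value))
    return {"id": txid, "rcode": flags & 0x000F, "ad": bool(flags & 0x0020), "answers": answers}


def classify(parsed):
    """Interpret a reply to a query for the bogus test name."""
    if parsed["rcode"] == SERVFAIL and not parsed["answers"]:
        return "validating"       # resolver rejected the bad signature
    if parsed["rcode"] == NOERROR and parsed["answers"]:
        return "not-validating"   # resolver handed the record back regardless
    return "inconclusive"


def probe(resolver, name=TEST_NAME, timeout=3.0):
    """Query the resolver you are assigned over UDP/53 and classify its reply (assumed helper)."""
    txid, query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (resolver, 53))
        data, _ = sock.recvfrom(4096)
    parsed = parse_response(data)
    if parsed["id"] != txid:
        raise ValueError("reply transaction id does not match the query")
    return classify(parsed)


def constructed_reply(txid, rcode, answer_ip=None, name=TEST_NAME, ttl=900):
    """Constructed sample reply (not captured traffic) with the shape of the dig output above."""
    ancount = 1 if answer_ip else 0
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, ancount, 0, 1)  # QR RD RA + rcode
    body = encode_name(name) + struct.pack("!HH", 1, 1)
    if answer_ip:
        # owner name as a pointer to the question name at offset 12, then A/IN/TTL/4-byte address
        body += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(int(o) for o in answer_ip.split("."))
    body += b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0)  # empty OPT RR
    return header + body


if __name__ == "__main__":
    for sample in (constructed_reply(21852, SERVFAIL), constructed_reply(702, NOERROR, "69.252.80.75")):
        print(len(sample), "bytes:", classify(parse_response(sample)))
```

The two constructed replies come out at 46 and 62 bytes, which is exactly the MSG SIZE rcvd reported by dig for the SERVFAIL and NOERROR answers above, so the wire layout matches what the resolvers actually sent. Note that the result says nothing about whether the ISP's resolver is otherwise trustworthy; it only tells you whether signature validation is being performed on the path your clients use, which is the property the thread is about.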

pv
Dabbler
Posts: 22
Registered: 12-06-2019

Re: Plusnet DNS server not respecting source TTL

Also, I'm just one user. Even if you manage to get my own DNS servers back to default, which you say is looking unlikely, everyone else who has enabled and later disabled SafeGuard is affected.

What you really should be doing is improving the SafeGuard system to revert everyone who switches off SafeGuard back to the default DNS servers. I really can't imagine this would be a major alteration to the system.

Community Gaffer
Posts: 13,918
Thanks: 1,443
Fixes: 119
Registered: 04-04-2007

Re: Plusnet DNS server not respecting source TTL


@bobpullen wrote:

Same results if you query the router's forwarder (i.e. 192.168.1.254), as that's what your local clients will be using?

I realise you won't have been in a position to test this, so I checked myself and can confirm that the local forwarding of the router still honours the authenticated domain results.

Bob Pullen
Plusnet Product Team
If I've been helpful then please give thanks ⤵

pv
Dabbler
Posts: 22
Registered: 12-06-2019

Re: Plusnet DNS server not respecting source TTL

Indeed, if I were still assigned the default DNS servers I would be forwarding queries to the router, which would serve me DNSSEC-protected results.

No such luck with the SafeGuard server I am apparently permanently assigned (this query should fail):

C:\>dig dnssec-failed.org

; <<>> DiG 9.14.4 <<>> dnssec-failed.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46083
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dnssec-failed.org.             IN      A

;; ANSWER SECTION:
dnssec-failed.org.      900     IN      A       69.252.80.75

;; Query time: 129 msec
;; SERVER: 192.168.1.254#53(192.168.1.254)
;; WHEN: Mon Aug 12 22:09:11 GMT Summer Time 2019
;; MSG SIZE  rcvd: 62

pv
Dabbler
Posts: 22
Registered: 12-06-2019

Re: Plusnet DNS server not respecting source TTL

Any news on getting my DNS servers reverted to default, @bobpullen?

By the way I appreciate your help looking into this despite me not having the resolution I'd like thus far.