Plusnet DNS server not respecting source TTL

Community Gaffer
Posts: 14,572
Thanks: 2,186
Fixes: 152
Registered: 04-04-2007

Re: Plusnet DNS server not respecting source TTL

Another valid observation it seems, but I'd argue again that real-life implications are marginal. I believe the number of signed domains out there only totals a few percent.

C:\>dig pir.org @212.159.13.49

Same results if you query the router's forwarder, i.e. 192.168.1.254? That's what your local clients will be using.

I'll ask about regarding the ability to reassign the Plusnet resolvers, but I wouldn't hold your breath because it's definitely not possible without some degree of 'hacking' outside of the normal system capability we have.

Bob Pullen
Plusnet Product Team
If I've been helpful then please give thanks ⤵

Grafter
Posts: 53
Thanks: 3
Registered: 12-06-2019

Re: Plusnet DNS server not respecting source TTL

You regard DNSSEC as important enough to enable on your default DNS servers so that's one level of protection I've lost.

A better test is to query a DNS record with an invalid key (see below).

Again, maybe there's a valid reason for both spoofing TTL and disabling DNSSEC on your SafeGuard servers, but once I turn SafeGuard off I should be returned to the normal DNS servers with the default feature set.

Plusnet default DNS server (DNSSEC rejects the invalid DNS record):

C:\>dig @212.159.13.49 dnssec-failed.org

; <<>> DiG 9.14.4 <<>> @212.159.13.49 dnssec-failed.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 21852
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dnssec-failed.org.             IN      A

;; Query time: 785 msec
;; SERVER: 212.159.13.49#53(212.159.13.49)
;; WHEN: Mon Aug 12 11:51:28 GMT Summer Time 2019
;; MSG SIZE  rcvd: 46

Plusnet SafeGuard DNS server (doesn't care about the record being bogus):

C:\>dig @213.120.234.42 dnssec-failed.org

; <<>> DiG 9.14.4 <<>> @213.120.234.42 dnssec-failed.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 702
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dnssec-failed.org.             IN      A

;; ANSWER SECTION:
dnssec-failed.org.      900     IN      A       69.252.80.75

;; Query time: 149 msec
;; SERVER: 213.120.234.42#53(213.120.234.42)
;; WHEN: Mon Aug 12 11:51:41 GMT Summer Time 2019
;; MSG SIZE  rcvd: 62
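
The two transcripts above make the same check by eye; as an added example (not code from the thread or from Plusnet), the POSIX shell helper below parses dig output for the deliberately-broken dnssec-failed.org zone and classifies the resolver as validating (SERVFAIL, no answer) or not. The embedded samples are constructed from the responses quoted above; `check_resolver` is a convenience wrapper that needs network access and the `dig` binary.

```shell
#!/bin/sh
# Added example, not part of the original thread. A validating resolver
# answers a query for dnssec-failed.org with SERVFAIL and ANSWER: 0;
# a non-validating forwarder hands back the bogus A record with NOERROR.

# classify_dig_output: read dig text on stdin and print one of
#   validating      (status SERVFAIL, ANSWER: 0)
#   not-validating  (status NOERROR and at least one answer record)
#   unknown         (anything else, e.g. a timeout or truncated output)
classify_dig_output() {
    out=$(cat)
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    answers=$(printf '%s\n' "$out" | sed -n 's/.*ANSWER: \([0-9]*\),.*/\1/p' | head -n 1)
    case "$status:$answers" in
        SERVFAIL:0)      echo validating ;;
        NOERROR:[1-9]*)  echo not-validating ;;
        *)               echo unknown ;;
    esac
}

# answer_ttl: print the TTL of the first A record in an ANSWER section,
# which lets you compare a resolver's TTL with the authoritative one.
answer_ttl() {
    awk '$3 == "IN" && $4 == "A" { print $2; exit }'
}

# check_resolver RESOLVER_IP: live query against one resolver (needs network).
check_resolver() {
    dig @"$1" dnssec-failed.org A | classify_dig_output
}

# Constructed samples modelled on the thread's dig output.
SAMPLE_VALIDATING=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 21852
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_FORWARDING=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 702
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
dnssec-failed.org.      900     IN      A       69.252.80.75'
```

Run `check_resolver 192.168.1.254` (or any resolver IP) to test your own path; `dig ... | answer_ttl` on a normal signed domain, repeated against the authoritative server, shows whether TTLs are being rewritten.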

Grafter

Re: Plusnet DNS server not respecting source TTL

Also, I'm just one user; even if you manage to get my own DNS servers back to default, which you say is looking unlikely, everyone else who has enabled and later disabled SafeGuard is affected.

What you really should be doing is improving the SafeGuard system to revert everyone who switches off SafeGuard back to the default DNS servers. I really can't imagine this would be a major alteration to the system.

Community Gaffer

Re: Plusnet DNS server not respecting source TTL

@bobpullen wrote:

Same results if you query the router's forwarder, i.e. 192.168.1.254? That's what your local clients will be using.

I realise you won't have been in a position to test this, so I checked myself and can confirm that the local forwarding of the router still honours the authenticated domain results.


Grafter

Re: Plusnet DNS server not respecting source TTL

Indeed if I were still assigned the default DNS servers I would be forwarding queries to the router which would serve me DNSSEC-protected results.

No such luck with the SafeGuard server I am apparently permanently assigned (this query should fail):

C:\>dig dnssec-failed.org

; <<>> DiG 9.14.4 <<>> dnssec-failed.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46083
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dnssec-failed.org.             IN      A

;; ANSWER SECTION:
dnssec-failed.org.      900     IN      A       69.252.80.75

;; Query time: 129 msec
;; SERVER: 192.168.1.254#53(192.168.1.254)
;; WHEN: Mon Aug 12 22:09:11 GMT Summer Time 2019
;; MSG SIZE  rcvd: 62

Grafter

Re: Plusnet DNS server not respecting source TTL

Any news on getting my DNS servers reverted to default, @bobpullen?

By the way I appreciate your help looking into this despite me not having the resolution I'd like thus far.

Community Gaffer

Re: Plusnet DNS server not respecting source TTL

No word as yet I'm afraid.


Grafter

Re: Plusnet DNS server not respecting source TTL

Hi @bobpullen ,

I had a PPP outage overnight. When it came back up my DNS servers were reset to default (.9 and .10), with DNSSEC support and without TTL spoofing. Good news!

Can you advise whether this was a one-off event on my account, or whether customer DNS servers are now being returned to defaults when disabling Safeguard?

Community Gaffer

Re: Plusnet DNS server not respecting source TTL

Interesting.

Nothing has been communicated to me so let me ask some questions...


Community Gaffer

Re: Plusnet DNS server not respecting source TTL

@pv, turns out your DNS assignment was moved back as part of a clean-up exercise.

So to answer your question: it's a one-off event (although we might do it periodically), it has been applied to other customers' accounts too, and the system is still not automatically re-assigning Plusnet DNS when the service is turned off.

For the latter, we'll continue to explore the feasibility of changing this behaviour as we recognise there are benefits.

TL/DR: Don't turn the service back on. ;)


Grafter

Re: Plusnet DNS server not respecting source TTL

Thanks for the clarification, I'm glad to be back on the defaults.