Plusnet DNS server not respecting source TTL
Re: Plusnet DNS server not respecting source TTL
12-08-2019 8:26 AM - edited 12-08-2019 8:27 AM
Another valid observation it seems, but I'd argue again that real-life implications are marginal. I believe the number of signed domains out there only totals a few percent.
C:\>dig pir.org @212.159.13.49
Same results if you query the router's forwarder? i.e. 192.168.1.254. As that's what your local clients will be using.
I'll ask about regarding the ability to reassign the Plusnet resolvers, but I wouldn't hold your breath because it's definitely not possible without some degree of 'hacking' outside of the normal system capability we have.
Bob Pullen
Plusnet Product Team
If I've been helpful then please give thanks ⤵
Re: Plusnet DNS server not respecting source TTL
12-08-2019 12:01 PM
You regard DNSSEC as important enough to enable on your default DNS servers so that's one level of protection I've lost.
A better test is to query a DNS record with an invalid key (see below).
Again, maybe there's a valid reason for both spoofing TTL and disabling DNSSEC on your SafeGuard servers, but once I turn SafeGuard off I should be returned to the normal DNS servers with the default feature set.
Plusnet default DNS server (DNSSEC rejects invalid DNS record)
C:\>dig @212.159.13.49 dnssec-failed.org

; <<>> DiG 9.14.4 <<>> @212.159.13.49 dnssec-failed.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 21852
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dnssec-failed.org.            IN      A

;; Query time: 785 msec
;; SERVER: 212.159.13.49#53(212.159.13.49)
;; WHEN: Mon Aug 12 11:51:28 GMT Summer Time 2019
;; MSG SIZE  rcvd: 46
Plusnet SafeGuard DNS server (doesn't care about record being bogus):
C:\>dig @213.120.234.42 dnssec-failed.org

; <<>> DiG 9.14.4 <<>> @213.120.234.42 dnssec-failed.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 702
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dnssec-failed.org.            IN      A

;; ANSWER SECTION:
dnssec-failed.org.      900     IN      A       69.252.80.75

;; Query time: 149 msec
;; SERVER: 213.120.234.42#53(213.120.234.42)
;; WHEN: Mon Aug 12 11:51:41 GMT Summer Time 2019
;; MSG SIZE  rcvd: 62
Re: Plusnet DNS server not respecting source TTL
12-08-2019 12:27 PM
Also I'm just one user, even if you manage to get my own DNS servers back to default, which you say is looking unlikely, everyone else who has enabled and later disabled SafeGuard is affected.
What you really should be doing is improving the SafeGuard system to revert everyone who switches off SafeGuard back to the default DNS servers. I really can't imagine this would be a major alteration to the system.
Re: Plusnet DNS server not respecting source TTL
12-08-2019 5:30 PM
@bobpullen wrote:
Same results if you query the router's forwarder? i.e. 192.168.1.254. As that's what your local clients will be using.
I realise you won't have been in a position to test this, so I checked myself and can confirm that the local forwarding of the router still honours the authenticated domain results.
Bob Pullen
Plusnet Product Team
Re: Plusnet DNS server not respecting source TTL
12-08-2019 10:12 PM
Indeed if I were still assigned the default DNS servers I would be forwarding queries to the router which would serve me DNSSEC-protected results.
No such luck with the SafeGuard server I am apparently permanently assigned (this query should fail):
C:\>dig dnssec-failed.org

; <<>> DiG 9.14.4 <<>> dnssec-failed.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46083
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dnssec-failed.org.            IN      A

;; ANSWER SECTION:
dnssec-failed.org.      900     IN      A       69.252.80.75

;; Query time: 129 msec
;; SERVER: 192.168.1.254#53(192.168.1.254)
;; WHEN: Mon Aug 12 22:09:11 GMT Summer Time 2019
;; MSG SIZE  rcvd: 62
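As an added example (my own code, not from this thread, from Plusnet, or from the poster), here is a small Python script that turns the dig checks shown in the 12:01 PM post and in this one into a repeatable resolver test. It parses the header status, the SERVER line and the ANSWER SECTION from dig output (including output that has been flattened onto one line, as pasted above), classifies a resolver as validating when a query for a deliberately mis-signed name such as dnssec-failed.org comes back SERVFAIL with no answer, and flags a resolver as rewriting TTLs when the same record is returned with an identical TTL across queries spaced further apart than a few seconds. The sample inputs are the thread's own dig output copied into the script; the parser, the classification rule, the `slack` tolerance and the pinned-TTL heuristic are assumptions of this example, not Plusnet's implementation.

```python
"""Classify a recursive resolver from captured dig output.

Added example, not code from the forum thread. The two sample outputs are
copied from the thread's dig runs against dnssec-failed.org (a deliberately
mis-signed test zone); the parser, the classification rule and the
pinned-TTL heuristic are this example's own assumptions.
"""
import re
from dataclasses import dataclass, field

# Constructed sample input: the thread's dig output, flattened onto one line
# exactly as it was pasted into the forum.
DIG_DEFAULT = (
    "C:\\>dig @212.159.13.49 dnssec-failed.org ; <<>> DiG 9.14.4 <<>> "
    "@212.159.13.49 dnssec-failed.org ; (1 server found) ;; global options: +cmd "
    ";; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 21852 "
    ";; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 "
    ";; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 "
    ";; QUESTION SECTION: ;dnssec-failed.org. IN A ;; Query time: 785 msec "
    ";; SERVER: 212.159.13.49#53(212.159.13.49) "
    ";; WHEN: Mon Aug 12 11:51:28 GMT Summer Time 2019 ;; MSG SIZE rcvd: 46"
)
DIG_SAFEGUARD = (
    "C:\\>dig @213.120.234.42 dnssec-failed.org ; <<>> DiG 9.14.4 <<>> "
    "@213.120.234.42 dnssec-failed.org ; (1 server found) ;; global options: +cmd "
    ";; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 702 "
    ";; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 "
    ";; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 "
    ";; QUESTION SECTION: ;dnssec-failed.org. IN A "
    ";; ANSWER SECTION: dnssec-failed.org. 900 IN A 69.252.80.75 "
    ";; Query time: 149 msec ;; SERVER: 213.120.234.42#53(213.120.234.42) "
    ";; WHEN: Mon Aug 12 11:51:41 GMT Summer Time 2019 ;; MSG SIZE rcvd: 62"
)

HEADER_RE = re.compile(r"->>HEADER<<- opcode: (\w+), status: (\w+), id: (\d+)")
SERVER_RE = re.compile(r";; SERVER: ([\d.]+)#\d+")
ANSWER_RE = re.compile(r";; ANSWER SECTION:(.*?)(?:;;|$)", re.S)
# Single-token rdata only (A/AAAA/CNAME); MX/TXT would need a wider match.
RR_RE = re.compile(r"(\S+\.)\s+(\d+)\s+IN\s+([A-Z0-9]+)\s+(\S+)")


@dataclass
class DigResult:
    status: str
    server: str
    answers: list = field(default_factory=list)  # (name, ttl, rtype, rdata)


def parse_dig(text: str) -> DigResult:
    """Extract status, answering server and ANSWER SECTION records.

    Works on normal line-wrapped dig output and on output that was flattened
    onto one line, because every field it needs is introduced by a ';;'
    marker or by the ->>HEADER<<- tag."""
    m = HEADER_RE.search(text)
    if not m:
        raise ValueError("no dig header found")
    srv = SERVER_RE.search(text)
    answers = []
    ans = ANSWER_RE.search(text)
    if ans:
        for name, ttl, rtype, rdata in RR_RE.findall(ans.group(1)):
            answers.append((name, int(ttl), rtype, rdata))
    return DigResult(status=m.group(2), server=srv.group(1) if srv else "", answers=answers)


def classify_resolver(result: DigResult) -> str:
    """Assumes the query was for a name that is deliberately badly signed.

    A validating resolver refuses to hand the bogus record to the client and
    answers SERVFAIL with an empty answer section; a non-validating one
    returns NOERROR and the A record as if nothing were wrong."""
    if result.status == "SERVFAIL" and not result.answers:
        return "validating"
    if result.status == "NOERROR" and result.answers:
        return "non-validating"
    return "inconclusive"


def ttl_looks_pinned(observed_ttls, elapsed_seconds, slack=5):
    """Heuristic: a caching resolver that honours the source TTL returns a
    value that counts down by roughly the seconds elapsed between queries.
    The identical TTL coming back across queries spaced more than `slack`
    seconds apart suggests the resolver rewrites it. Caveat: a refetch after
    the record expires also resets the TTL, so keep the gap shorter than
    the TTL itself."""
    if len(observed_ttls) < 2 or elapsed_seconds <= slack:
        return False
    return max(observed_ttls) == min(observed_ttls)


if __name__ == "__main__":
    for label, sample in (("default", DIG_DEFAULT), ("SafeGuard", DIG_SAFEGUARD)):
        r = parse_dig(sample)
        print(f"{label:10} {r.server:16} {r.status:9} -> {classify_resolver(r)}")
    # Two constructed TTL observations a minute apart: one counts down, one does not.
    print("counting down:", ttl_looks_pinned([900, 840], 60))
    print("pinned:       ", ttl_looks_pinned([900, 900], 60))
```

To use it against a live resolver, run `dig @<resolver> dnssec-failed.org` a minute apart, feed each output to `parse_dig`, and pass the two TTLs to `ttl_looks_pinned`; the DNSSEC verdict comes from a single run. The 900-second TTL in the thread's SafeGuard answers is exactly the kind of value this heuristic is meant to watch: on its own a TTL of 900 proves nothing, it is the lack of countdown between queries that indicates rewriting.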
Re: Plusnet DNS server not respecting source TTL
16-08-2019 11:57 AM
Any news on getting my DNS servers reverted to default @bobpullen ?
By the way I appreciate your help looking into this despite me not having the resolution I'd like thus far.
Re: Plusnet DNS server not respecting source TTL
21-08-2019 7:49 PM
Bob Pullen
Plusnet Product Team
Re: Plusnet DNS server not respecting source TTL
16-10-2019 11:27 AM
Hi @bobpullen ,
I had a PPP outage overnight. When it came back up my DNS servers were reset to default (.9 and .10), with DNSSEC support and without TTL spoofing. Good news!
Can you advise whether this was a one-off event on my account, or whether customer DNS servers are now being returned to defaults when disabling Safeguard?
Re: Plusnet DNS server not respecting source TTL
16-10-2019 1:27 PM
Interesting.
Nothing has been communicated to me so let me ask some questions...
Bob Pullen
Plusnet Product Team
Re: Plusnet DNS server not respecting source TTL
17-10-2019 10:51 AM
@pv, turns out your DNS assignment was moved back as part of a clean-up exercise.
So to answer your question: it's a one-off event (although we might do it periodically), it has been applied to other customers' accounts too, and the system is still not automatically re-assigning Plusnet DNS when the service is turned off.
For the latter, we'll continue to explore the feasibility of changing this behaviour as we recognise there are benefits.
TL/DR: Don't turn the service back on
Bob Pullen
Plusnet Product Team
Re: Plusnet DNS server not respecting source TTL
17-10-2019 1:39 PM
Thanks for the clarification, I'm glad to be back on the defaults.