Plusnet DNS server not respecting source TTL
Re: Plusnet DNS server not respecting source TTL
09-08-2019 4:30 PM - edited 09-08-2019 4:31 PM
There seems to be confusion about the problem here. The original post shows that the DNS server being queried is 213.120.234.42 and that is the Plusnet Safeguard DNS.
That is returning a short TTL. The TTL gives the time that the client can use that address before having to look it up again. A short TTL will increase the number of DNS lookups. I believe that is the problem being reported.
I expect that the reason is to ensure that DNS lookups are made frequently, so that any sites that become "banned" are in fact banned within a short time period, rather than having to wait for a very long TTL to expire. That makes the Safeguard more effective. So I believe that it isn't a bug, but a feature.
Simply not using the Safeguard DNS will avoid the issue (other "safe" DNS services are available, but they may take a similar approach).
Re: Plusnet DNS server not respecting source TTL
09-08-2019 4:45 PM - edited 09-08-2019 4:48 PM
@corringham is right.
@pv, it's an interesting observation.
For clarity, the Plusnet default DNS resolvers are 212.159.6.9, 212.159.6.10, 212.159.13.49 & 212.159.13.50 (anycast addresses, so it doesn't really matter which you use). These resolvers do not exhibit the behaviour being reported.
213.120.234.38 and 213.120.234.42 are the Safeguard DNS resolvers, however the service does not need to be switched on/active in order for you to be assigned these resolvers. In fact, if you have ever switched Safeguard on, even if it was momentarily, you will always be automatically assigned these DNS addresses.
I'm unable to explain the TTL behaviour of the Safeguard resolvers with any authority, but I've a suspicion there's going to be a good reason for it. Perhaps it's there to minimise the potential for delay/confusion where Safeguard is blocking something, the blocked DNS response gets cached, and the user then elects to whitelist, or disable the service to get around the blocking. Honouring a domain's TTL could theoretically result in a situation where a user is unable to get around a block without waiting an inordinate amount of time, or knowing that they need to flush their local DNS caches.
Certainly nothing worth raising a complaint about.
Bob Pullen
Plusnet Product Team
If I've been helpful then please give thanks ⤵
Re: Plusnet DNS server not respecting source TTL
09-08-2019 4:57 PM - edited 09-08-2019 4:58 PM
I'm trying to imagine the impact on overall speed of having to access the DNS server every 15 minutes compared with 1 hour. Presumably you need to be interacting with the same web address for all this time?
I imagine that in the real world the difference is lost in the noise.
Moderator and Customer
If this helped - select the Thumb
If it fixed it, help others - select 'This Fixed My Problem'
Re: Plusnet DNS server not respecting source TTL
09-08-2019 5:09 PM
@Baldrick1 wrote:
I'm trying to imagine the impact on overall speed of having to access the DNS server every 15 minutes compared with 1 hour...
About 8ms for me.
~ $ dig bbc.co.uk @213.120.234.38

; <<>> DiG 9.9.5-9+deb8u18-Raspbian <<>> bbc.co.uk @213.120.234.38
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61014
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;bbc.co.uk.                     IN      A

;; ANSWER SECTION:
bbc.co.uk.              220     IN      A       151.101.128.81
bbc.co.uk.              220     IN      A       151.101.64.81
bbc.co.uk.              220     IN      A       151.101.192.81
bbc.co.uk.              220     IN      A       151.101.0.81

;; Query time: 8 msec   <----- ****
;; SERVER: 213.120.234.38#53(213.120.234.38)
;; WHEN: Fri Aug 09 17:06:55 BST 2019
;; MSG SIZE  rcvd: 102
In other words: you're not going to notice it.
Bob Pullen
Plusnet Product Team
If I've been helpful then please give thanks ⤵
Re: Plusnet DNS server not respecting source TTL
09-08-2019 7:40 PM - edited 09-08-2019 7:40 PM
@bobpullen wrote:
In fact, if you have ever switched Safeguard on, even if it was momentarily, you will always be automatically assigned these DNS addresses.
Thanks for your reply Bob.
That's annoying then, since I have indeed activated Safeguard in the past. Is there really no way for me to be returned to the default DNS servers?
Re: Plusnet DNS server not respecting source TTL
09-08-2019 9:32 PM
Re: Plusnet DNS server not respecting source TTL
09-08-2019 9:34 PM
Or you could tell your systems to give me the DNS servers I was assigned before I turned on SafeGuard?
Re: Plusnet DNS server not respecting source TTL
09-08-2019 9:43 PM
Re: Plusnet DNS server not respecting source TTL
09-08-2019 9:46 PM
Then my question is, why was the SafeGuard system designed in such a way so as to make an irreversible switch to DNS servers which spoof the TTL values?
Re: Plusnet DNS server not respecting source TTL
09-08-2019 11:09 PM
If you go onto eBay you can pick up a business version of the BT Smarthub 6. These can be set up to work on your Plusnet account, and on the business version you can set your own choice of DNS servers.
I picked one up for less than £20.
Moderator and Customer
If this helped - select the Thumb
If it fixed it, help others - select 'This Fixed My Problem'
Re: Plusnet DNS server not respecting source TTL
10-08-2019 12:18 AM - edited 10-08-2019 12:22 AM
Is there really no way for me to be returned to the default DNS servers?
Not easily, and we've no recognised process for doing it. One option would be to use a router that lets you override the RADIUS-assigned resolvers, but neither of our default offerings permits this. I don't think the device's data model allows me to do it remotely either.
You could of course source your own router that does allow it.
Another option is to assign DNS at the device level but that's rarely practical in a world with so many smartphones/IoT devices.
Yet another option, is to use your own DHCP server and have that dish out the DNS resolvers. If you've a Raspberry Pi or similar knocking about, then Pihole comes personally recommended.
Bob Pullen
Plusnet Product Team
If I've been helpful then please give thanks ⤵
Re: Plusnet DNS server not respecting source TTL
10-08-2019 9:07 AM
@bobpullen would you agree with me that if enabling SafeGuard switches one's DNS servers to ones which spoof DNS TTL values, then it is reasonable to expect that when SafeGuard is disabled the servers are switched back to the original ones?
Re: Plusnet DNS server not respecting source TTL
10-08-2019 9:34 AM - edited 10-08-2019 9:41 AM
@Baldrick1 wrote:
I'm trying to imagine the impact on overall speed of having to access the DNS server every 15 minutes compared with 1 hour, Presumably you need to be interacting with the same web address for all this time?
It's not uncommon for DNS record TTLs to be 1 day or longer. If a 1 day TTL is spoofed by the SafeGuard DNS to 15 minutes, this potentially means that in the space of 1 day, 95 more DNS queries need to be made to the DNS server than otherwise. Now multiply that by all the other hostnames being looked up within a day.
As for the speed of those queries, it entirely depends on the network and DNS server conditions at the time; it could be a lot longer than several milliseconds.
DNS TTL exists for a good reason, and whilst there may be a valid reason for spoofing the TTL while SafeGuard is enabled, it most definitely should not be spoofing records when SafeGuard is disabled.
Re: Plusnet DNS server not respecting source TTL
10-08-2019 10:41 AM
Don't Plusnet have a way of resetting the RADIUS assigned DNS resolvers at all? There is obviously a mechanism to change them when SafeGuard is enabled - surely a similar mechanism is possible when it is disabled.
I'm glad I run my own DNS (and e-mail, and http, etc.) servers!
Re: Plusnet DNS server not respecting source TTL
10-08-2019 7:54 PM
It gets worse. I now realise the default Plusnet DNS servers have DNSSEC enabled, but the SafeGuard DNS servers do not. So not only am I assigned servers which cause excessive DNS queries, they also do not check DNS record authenticity.
I would very much appreciate being returned to the original DNS servers @bobpullen . There must be a way to do it.
Default DNS server (DNSSEC enabled, AD-flag present):
C:\>dig pir.org @212.159.13.49

; <<>> DiG 9.14.4 <<>> pir.org @212.159.13.49
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20333
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;pir.org.                       IN      A

;; ANSWER SECTION:
pir.org.                300     IN      A       97.107.141.235

;; AUTHORITY SECTION:
pir.org.                300     IN      NS      ns1.ams1.afilias-nst.info.
pir.org.                300     IN      NS      ns1.mia1.afilias-nst.info.
pir.org.                300     IN      NS      ns1.yyz1.afilias-nst.info.
pir.org.                300     IN      NS      ns1.sea1.afilias-nst.info.

;; Query time: 346 msec
;; SERVER: 212.159.13.49#53(212.159.13.49)
;; WHEN: Sat Aug 10 19:45:07 GMT Summer Time 2019
;; MSG SIZE  rcvd: 160
SafeGuard DNS server (DNSSEC disabled, AD-flag missing):
C:\>dig pir.org @213.120.234.42

; <<>> DiG 9.14.4 <<>> pir.org @213.120.234.42
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48878
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;pir.org.                       IN      A

;; ANSWER SECTION:
pir.org.                300     IN      A       97.107.141.235

;; Query time: 211 msec
;; SERVER: 213.120.234.42#53(213.120.234.42)
;; WHEN: Sat Aug 10 19:45:23 GMT Summer Time 2019
;; MSG SIZE  rcvd: 52
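As an added example (not posted by anyone in this thread), the following Python script parses dig output like the transcripts above and reports two things a defender cares about: whether the AD flag is present (the resolver validated the answer with DNSSEC) and the smallest TTL served, with the per-day query arithmetic from earlier in the thread included as a helper. The two transcripts embedded below are trimmed copies of the ones posted above; the function names and the DigSummary type are my own.

```python
import math
import re
from typing import List, NamedTuple, Optional, Tuple

# Trimmed copies of the two dig transcripts posted in this thread (blank lines
# and most authority records dropped). They are the parser's sample input.
DIG_DEFAULT = """\
; <<>> DiG 9.14.4 <<>> pir.org @212.159.13.49
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20333
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 1
;; QUESTION SECTION:
;pir.org.                       IN      A
;; ANSWER SECTION:
pir.org.                300     IN      A       97.107.141.235
;; AUTHORITY SECTION:
pir.org.                300     IN      NS      ns1.ams1.afilias-nst.info.
;; Query time: 346 msec
;; SERVER: 212.159.13.49#53(212.159.13.49)
"""

DIG_SAFEGUARD = """\
; <<>> DiG 9.14.4 <<>> pir.org @213.120.234.42
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48878
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;pir.org.                       IN      A
;; ANSWER SECTION:
pir.org.                300     IN      A       97.107.141.235
;; Query time: 211 msec
;; SERVER: 213.120.234.42#53(213.120.234.42)
"""


class DigSummary(NamedTuple):
    flags: List[str]
    ad: bool                                  # AD set = resolver DNSSEC-validated the answer
    answers: List[Tuple[str, int, str, str]]  # (name, ttl, rrtype, rdata)
    min_ttl: int                              # 0 when there is no answer section
    query_ms: int                             # -1 when dig printed no timing line


def parse_dig(text: str) -> DigSummary:
    """Extract header flags, answer records and query time from dig output."""
    m = re.search(r"^;; flags:\s*([a-z ]*);", text, re.M)
    flags = m.group(1).split() if m else []
    # The answer section runs from its banner to the next ';;' banner (or EOF).
    m = re.search(r";; ANSWER SECTION:(.*?)(?=^;;|\Z)", text, re.S | re.M)
    body = m.group(1) if m else ""
    answers = [(name, int(ttl), rrtype, rdata)
               for name, ttl, rrtype, rdata in
               re.findall(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(\S+)", body, re.M)]
    m = re.search(r"^;; Query time:\s*(\d+) msec", text, re.M)
    query_ms = int(m.group(1)) if m else -1
    min_ttl = min(ttl for _, ttl, _, _ in answers) if answers else 0
    return DigSummary(flags, "ad" in flags, answers, min_ttl, query_ms)


def resolver_findings(s: DigSummary, authoritative_ttl: Optional[int] = None) -> List[str]:
    """Flag a non-validating resolver and, when the zone's real TTL is known, a
    resolver that hands out a shorter TTL than the zone publishes."""
    findings = []
    if not s.ad:
        findings.append("no AD flag: answer was not DNSSEC-validated by the resolver")
    if authoritative_ttl is not None and s.answers and s.min_ttl < authoritative_ttl:
        findings.append(f"served TTL {s.min_ttl}s is below the zone's {authoritative_ttl}s")
    return findings


def extra_queries_per_day(authoritative_ttl: int, served_ttl: int) -> int:
    """Extra lookups per day for a client that re-queries on every expiry when
    the resolver serves served_ttl instead of authoritative_ttl (one name)."""
    day = 86400
    return math.ceil(day / served_ttl) - math.ceil(day / authoritative_ttl)


if __name__ == "__main__":
    for label, text in (("default", DIG_DEFAULT), ("safeguard", DIG_SAFEGUARD)):
        s = parse_dig(text)
        print(label, "flags=", s.flags, "min_ttl=", s.min_ttl, "query_ms=", s.query_ms)
        for f in resolver_findings(s):
            print("  -", f)
    # The thread's figure: a 1-day TTL served as 15 minutes costs 95 extra lookups.
    print("extra lookups/day:", extra_queries_per_day(86400, 900))
```

To check a resolver of your own, capture `dig example.org @<resolver>` to a file and pass its contents to `parse_dig`; comparing the served TTL against the TTL returned by the zone's authoritative server (`dig +norecurse` against an NS listed for the zone) is what turns the TTL finding from a suspicion into evidence.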