
I have multiple clients and problems internally using 4.2.2.2 and 4.2.2.1 for DNS. My Nagios server was using these as well and has been throwing false positives since 5-8-2009..... Anyone else having problems?....

--chris

On May 11, 2009, at 2:48 PM, ChrisSerafin wrote:
> I have multiple clients and problems internally using 4.2.2.2 and 4.2.2.1 for DNS. My Nagios server was using these as well and has been throwing false positives since 5-8-2009.....
> Anyone else having problems?....

Works here.

However, we are downstream of Level 3 / as3356. I heard a rumor they ACL'ed queries from sources outside their downstream cone.

--
TTFN,
patrick

I can report that the 4.2.2.x DNS servers have been unreliable and almost unusable for a few days from one location I maintain. I'm guessing they've grown tired of being the free-for-all recursive DNS servers of choice.

Matt Whitted
Hosting Director
--
Pantek, Inc. - http://www.pantek.com/ - info@pantek.com
+1-877-LINUX-FIX - Expert Open Source Technical Support
2008 Inductee to the prestigious Weatherhead 100

Patrick W. Gilmore wrote:
> On May 11, 2009, at 2:48 PM, ChrisSerafin wrote:
> > I have multiple clients and problems internally using 4.2.2.2 and 4.2.2.1 for DNS. My Nagios server was using these as well and has been throwing false positives since 5-8-2009.....
> > Anyone else having problems?....
> Works here.
> However, we are downstream of Level 3 / as3356. I heard a rumor they ACL'ed queries from sources outside their downstream cone.

Patrick W. Gilmore wrote:
> Works here.
> However, we are downstream of Level 3 / as3356. I heard a rumor they ACL'ed queries from sources outside their downstream cone.

Based on some (relatively unscientific) experimentation, this does appear to be true. From sources that reach 4.2.2.1 via what appear to be peering links (such as an XO / Level(3) interconnect) queries time out, while sources that reach 4.2.2.1 via what appear to be transit links have no problems with consistent resolution.

I can't really blame them, as a) open recursive DNS servers are rife for DNS amplification abuse, and b) this must be an enormous resource consumer for them. Probably a boon for OpenDNS and any others in the open/semi-open resolver space.

Regards,
Tim
--
Tim Wilde, Senior Software Engineer, Team Cymru, Inc.
twilde@cymru.com | +1-630-230-5433 | http://www.team-cymru.org/

Tim Wilde wrote:
> Patrick W. Gilmore wrote:
> > Works here.
> > However, we are downstream of Level 3 / as3356. I heard a rumor they ACL'ed queries from sources outside their downstream cone.
> Based on some (relatively unscientific) experimentation, this does appear to be true. From sources that reach 4.2.2.1 via what appear to be peering links (such as an XO / Level(3) interconnect) queries time out, while sources that reach 4.2.2.1 via what appear to be transit links have no problems with consistent resolution.
> I can't really blame them, as a) open recursive DNS servers are rife for DNS amplification abuse, and b) this must be an enormous resource consumer for them. Probably a boon for OpenDNS and any others in the open/semi-open resolver space.

Just to throw some unscientific information in the mix, I can query them from AS11170 downstream of Sprint (best path) and SAVVIS. Only did two queries though, so it's not a good reliability test. ;)

~Seth

I should clarify they work fine sometimes, so they are not down, but flapping......

ChrisSerafin wrote:
> I have multiple clients and problems internally using 4.2.2.2 and 4.2.2.1 for DNS. My Nagios server was using these as well and has been throwing false positives since 5-8-2009.....
> Anyone else having problems?....
> --chris

I have also been told that Level 3 was starting to ACL these off, so if your connections are load balanced to where the route to these servers is sometimes via Level 3 and sometimes not, that could be your issue.

Also while these servers have been around for some time and are great to use in a pinch or for testing, they are not officially supported servers and are not what Level 3 would ever give a direct customer to use, so you should generally avoid using them for anything production, especially without other resolvers in your list.

-Scott

-----Original Message-----
From: outages-bounces@outages.org [mailto:outages-bounces@outages.org] On Behalf Of ChrisSerafin
Sent: Monday, May 11, 2009 3:09 PM
To: outages@outages.org
Subject: Re: [outages] 4.2.2.x DNS?

I should clarify they work fine sometimes, so they are not down, but flapping......

ChrisSerafin wrote:
> I have multiple clients and problems internally using 4.2.2.2 and 4.2.2.1 for DNS. My Nagios server was using these as well and has been throwing false positives since 5-8-2009.....
> Anyone else having problems?....
> --chris

----- "Scott Berkman" <scott@sberkman.net> wrote:
> Also while these servers have been around for some time and are great to use in a pinch or for testing, they are not officially supported servers and are not what Level 3 would ever give a direct customer to use, so you should generally avoid using them for anything production, especially without other resolvers in your list.

Configuring anycast isn't the easiest thing to do; if they're *not* "officially supported" even for L3 customers (which, happily, I am), then why *do* they still operate them? Cause they have the coolest IP addresses on the Internet?

Cheers,
-- jra
--
Jay R. Ashworth          Baylink                     jra@baylink.com
Designer                 The Things I Think          RFC 2100
Ashworth & Associates    http://baylink.pitas.com    '87 e24
St Petersburg FL USA     http://photo.imageinc.us    +1 727 647 1274

Start a man a fire, and he'll be warm all night.
Set a man on fire, and he'll be warm for the rest of his life.

On Mon, May 11, 2009 at 03:55:18PM -0400, Jay R. Ashworth wrote:
> ----- "Scott Berkman" <scott@sberkman.net> wrote:
> > Also while these servers have been around for some time and are great to use in a pinch or for testing, they are not officially supported servers and are not what Level 3 would ever give a direct customer to use, so you should generally avoid using them for anything production, especially without other resolvers in your list.
> Configuring anycast isn't the easiest thing to do; if they're *not* "officially supported" even for L3 customers (which, happily, I am), then why *do* they still operate them? Cause they have the coolest IP addresses on the Internet?
> Cheers,
> -- jra
> --
> Jay R. Ashworth          Baylink                     jra@baylink.com
> Designer                 The Things I Think          RFC 2100
> Ashworth & Associates    http://baylink.pitas.com    '87 e24
> St Petersburg FL USA     http://photo.imageinc.us    +1 727 647 1274
>
> Start a man a fire, and he'll be warm all night.
> Set a man on fire, and he'll be warm for the rest of his life.

Which is why everyone I know uses them, and they have to be the single biggest self inflicted point of failure on the net!

Jay R. Ashworth wrote:
> ----- "Scott Berkman" <scott@sberkman.net> wrote:
> > Also while these servers have been around for some time and are great to use in a pinch or for testing, they are not officially supported servers and are not what Level 3 would ever give a direct customer to use, so you should generally avoid using them for anything production, especially without other resolvers in your list.
> Configuring anycast isn't the easiest thing to do; if they're *not* "officially supported" even for L3 customers (which, happily, I am), then why *do* they still operate them? Cause they have the coolest IP addresses on the Internet?
> Cheers, -- jra

----- "ChrisSerafin" <chris@chrisserafin.com> wrote:
> > Cause they have the coolest IP addresses on the Internet?
> Which is why everyone I know uses them, and they have to be the single biggest self inflicted point of failure on the net!

Well, nowhere is it written that you can't anycast those particular 6 IPs to *your own* network's resolver servers, is it now? :-)

Cheers,
-- jr 'yeah, I know it's evil, but it's a special case' a
--
Jay R. Ashworth          Baylink                     jra@baylink.com
Designer                 The Things I Think          RFC 2100
Ashworth & Associates    http://baylink.pitas.com    '87 e24
St Petersburg FL USA     http://photo.imageinc.us    +1 727 647 1274

Start a man a fire, and he'll be warm all night.
Set a man on fire, and he'll be warm for the rest of his life.

On May 11, 2009, at 4:49 PM, Jay R. Ashworth wrote:
> ----- "ChrisSerafin" <chris@chrisserafin.com> wrote:
> > > Cause they have the coolest IP addresses on the Internet?
> > Which is why everyone I know uses them, and they have to be the single biggest self inflicted point of failure on the net!
> Well, nowhere is it written that you can't anycast those particular 6 IPs to *your own* network's resolver servers, is it now? :-)

I don't know, isn't it written somewhere "thou shalt not use my IP space for your own equipment"?

> -- jr 'yeah, I know it's evil, but it's a special case' a

I'm sure everyone who does something evil thinks that. :)

--
TTFN,
patrick

On May 11, 2009, at 4:36 PM, ChrisSerafin wrote:
> Which is why everyone I know uses them, and they have to be the single biggest self inflicted point of failure on the net!

If by 'self inflicted' you mean "I used their resources without asking or permission, and now they took those resources away making me fail", then we agree.

BTW, setting up anycast NSes is trivial. And Jay knows this. :)

--
TTFN,
patrick

> Jay R. Ashworth wrote:
> > ----- "Scott Berkman" <scott@sberkman.net> wrote:
> > > Also while these servers have been around for some time and are great to use in a pinch or for testing, they are not officially supported servers and are not what Level 3 would ever give a direct customer to use, so you should generally avoid using them for anything production, especially without other resolvers in your list.
> > Configuring anycast isn't the easiest thing to do; if they're *not* "officially supported" even for L3 customers (which, happily, I am), then why *do* they still operate them? Cause they have the coolest IP addresses on the Internet?
> > Cheers, -- jra

On Mon, 11 May 2009 15:36:40 CDT, ChrisSerafin said:
> Which is why everyone I know uses them, and they have to be the single biggest self inflicted point of failure on the net!

L3 took a hint from Randy Bush and encourages their competitors to.... No, it's just too easy, like shooting fish in a barrel. ;)

On Mon, May 11, 2009 at 01:48:54PM -0500, ChrisSerafin wrote:
> I have multiple clients and problems internally using 4.2.2.2 and 4.2.2.1 for DNS. My Nagios server was using these as well and has been throwing false positives since 5-8-2009.....
> Anyone else having problems?....

I assume no one took the time to explain to you that using either of the Level 3 public recursive nameservers for long-term use is considered rude and can possibly get you blocked from using them?

Please consider running your own caching nameserver, use your uplink provider's DNS servers, or both (caching nameserver + forwarders feature).

Both 4.2.2.1 and 4.2.2.2 behave fine, tested from 4 different physical locations (two regions in northern California, Arizona, and Virginia):

    $ dig @4.2.2.1 a www.google.com.

    ; <<>> DiG 9.4.3-P2 <<>> @4.2.2.1 a www.google.com.
    ; (1 server found)
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60360
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;www.google.com. IN A

    ;; ANSWER SECTION:
    www.google.com. 16742 IN CNAME www.l.google.com.
    www.l.google.com. 21 IN A 74.125.155.147
    www.l.google.com. 21 IN A 74.125.155.99
    www.l.google.com. 21 IN A 74.125.155.103
    www.l.google.com. 21 IN A 74.125.155.104

--
| Jeremy Chadwick                             jdc at parodius.com |
| Parodius Networking                   http://www.parodius.com/ |
| UNIX Systems Administrator              Mountain View, CA, USA |
| Making life hard for others since 1977.          PGP: 4BD6C0CB |
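The "caching nameserver + forwarders" setup recommended in the message above, sketched as a BIND 9 named.conf fragment (an added example, not part of the original thread). The client range and forwarder addresses are constructed placeholders taken from the documentation ranges; recursion is limited to local clients so the server does not itself become an open recursive resolver of the kind discussed earlier in the thread.

```conf
// named.conf fragment for BIND 9 (added example; all addresses are placeholders)

// Clients allowed to use this resolver. 192.0.2.0/24 is a documentation
// range standing in for the internal LAN (assumption).
acl "internal" {
    127.0.0.1;
    ::1;
    192.0.2.0/24;
};

options {
    directory "/var/named";      // working directory; path varies by distribution

    // Act as a caching recursive resolver, but only for our own clients.
    // Setting these to "any" is what makes a resolver open to third parties
    // and usable for DNS amplification.
    recursion yes;
    allow-query       { "internal"; };
    allow-recursion   { "internal"; };
    allow-query-cache { "internal"; };

    // Uplink provider's resolvers (placeholders from 198.51.100.0/24).
    // List more than one so a single unreachable forwarder is not an outage.
    forwarders {
        198.51.100.53;
        198.51.100.54;
    };

    // "first": ask the forwarders, then fall back to full recursion from the
    // root servers if they do not answer. "only" would remove that fallback.
    forward first;
};
```

With `forward first`, a forwarder that starts dropping queries degrades lookups to slower full recursion instead of failing them, which is the failure mode the monitoring host in this thread was exposed to.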
Participants (10): ChrisSerafin, Dale Amon, Jay R. Ashworth, Jeremy Chadwick, Matt Whitted, Patrick W. Gilmore, Scott Berkman, Seth Mattinen, Tim Wilde, Valdis.Kletnieks@vt.edu