[AusNOG] Telstra DNS contact

Joshua Small JSmall at daraco.com.au
Tue Apr 16 11:10:56 EST 2013


Hi,

This configuration flies in the face of a long documented best practice.

According to Cisco:
http://www.cisco.com/web/about/security/intelligence/dns-bcp.html
<quote>Authoritative and recursive resolver functions should be segregated because authoritative DNS servers primarily distribute information about hosts accessible via the Internet and they are also accessible via the Internet for distributing this information</quote>

RFC 5358, Preventing Rec. NS in Reflector Attacks, October 2008
http://www.ietf.org/rfc/rfc5358.txt
<quote>In general, it is a good idea to keep recursive and authoritative services separate as much as practical.</quote>

DJB's paper:
http://cr.yp.to/djbdns/separation.html
<quote>DNS caches should always have separate IP addresses from DNS servers.</quote> DJB also refers to the book "DNS and BIND" with quotes that affirm this.

Finally, because everyone wants to refer to BIND... http://bind10.isc.org/wiki/DesignDiagrams
BIND10 now follows djbdns behaviour and runs authoritative and recursive DNS services as separate services, with a deliberate design choice that makes a combined recursive and authoritative server a very difficult configuration to implement.

-Joshua Small
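
Added example (mine, not from the original post or from anyone in the thread): a small Python script that checks, from a captured `dig` response, for the situation Joe describes, i.e. a recursor answering from a copy of a zone it still hosts (or forwards to) after the delegation has moved elsewhere. Two signals are tested. First, the AA flag: a purely recursive resolver does not set AA on answers for zones it does not hold, so AA in a recursor's answer means it served the zone from its own authoritative data. Second, the NS RRset it returns for the zone is compared with the delegation published in the parent; that catches the case where the recursor merely forwards to the stale authoritative servers and AA is absent. The two captures, the domain example.com, the host names, the addresses and the delegation set are constructed for this example (RFC 2606/5737 reserved names and ranges); in practice substitute the output of `dig @<recursor> www.yourdomain A` and the NS set obtained from a parent server with `dig @<parent server> yourdomain NS +norecurse`.

```python
"""Check a recursor's answer for signs that it is serving a stale hosted zone.

Added example, not code from the AusNOG thread. All captures and names below
are constructed; nothing here was captured from Telstra or any real resolver.
"""
import re
from collections import defaultdict

# Constructed capture: a recursor that still hosts example.com after the
# delegation moved. Note the "aa" flag and the old NS in the authority section.
STALE_RECURSOR = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;www.example.com.\t\tIN\tA

;; ANSWER SECTION:
www.example.com.\t3600\tIN\tA\t192.0.2.10

;; AUTHORITY SECTION:
example.com.\t3600\tIN\tNS\tns1.old-host.example.net.
"""

# Constructed capture: a recursor that resolved the name by recursion.
CLEAN_RECURSOR = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4712
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;www.example.com.\t\tIN\tA

;; ANSWER SECTION:
www.example.com.\t300\tIN\tA\t198.51.100.20

;; AUTHORITY SECTION:
example.com.\t86400\tIN\tNS\tns1.new-host.example.net.
example.com.\t86400\tIN\tNS\tns2.new-host.example.net.
"""

# Delegation as published in the parent zone (constructed for the example;
# in practice take it from `dig @<parent server> example.com NS +norecurse`).
DELEGATED_NS = {"ns1.new-host.example.net.", "ns2.new-host.example.net."}

FLAGS_RE = re.compile(r"^;; flags:([^;]*);")
SECTION_RE = re.compile(r"^;; (\w+) SECTION:")


def parse_dig(text):
    """Parse dig's text output into (flags, sections).

    flags is the set of header flags ('qr', 'aa', 'rd', ...); sections maps a
    section name ('answer', 'authority', ...) to (name, ttl, rrtype, rdata)
    tuples. Comment lines (';' prefixed), including the question entry, are
    skipped.
    """
    flags = set()
    sections = defaultdict(list)
    current = None
    for line in text.splitlines():
        m = FLAGS_RE.match(line)
        if m:
            flags = set(m.group(1).split())
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).lower()
            continue
        if not line.strip() or line.startswith(";") or current is None:
            continue
        name, ttl, _cls, rrtype, *rdata = line.split()
        sections[current].append((name, int(ttl), rrtype, " ".join(rdata)))
    return flags, sections


def assess_resolver(dig_text, delegated_ns, zone):
    """Return the findings that make a recursor's answer for `zone` suspect.

    'aa-set'      the recursor answered authoritatively, so it hosts the zone
                  itself rather than resolving it by recursion.
    'ns-mismatch' the NS set it returned differs from the parent delegation,
                  so the data it serves (hosted or forwarded) is stale.
    An empty list means the answer looks like a normal recursive lookup.
    """
    flags, sections = parse_dig(dig_text)
    findings = []
    if "aa" in flags:
        findings.append("aa-set")
    seen_ns = {rdata for name, _ttl, rrtype, rdata in sections["authority"]
               if rrtype == "NS" and name == zone}
    if seen_ns and seen_ns != delegated_ns:
        findings.append("ns-mismatch")
    return findings


if __name__ == "__main__":
    for label, capture in (("stale recursor", STALE_RECURSOR),
                           ("clean recursor", CLEAN_RECURSOR)):
        result = assess_resolver(capture, DELEGATED_NS, "example.com.")
        print(f"{label}: {result or 'ok'}")
```

If only 'ns-mismatch' fires, the recursor is probably forwarding to the old servers rather than hosting the zone; if 'aa-set' fires as well, it is the combined recursive/authoritative setup the references above argue against. Either way the fix is on the resolver operator's side; lowering your own TTLs will not help, because the recursor is not consulting the new authoritative servers at all.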

-----Original Message-----
From: ausnog-bounces at lists.ausnog.net [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of Joseph Goldman
Sent: Tuesday, 16 April 2013 10:42 AM
To: ausnog at lists.ausnog.net
Subject: Re: [AusNOG] Telstra DNS contact

Wow, just re-read my reply. Perhaps I should proof read before hitting send on busy days.

As I was (trying) to say, there is a logical case for querying one's own authoritative servers as a priority, but I would consider it bad practice for the exact reasons I am experiencing today for this customer, and it seems others have experienced in the past, more so for a big player with such a large portion of AU traffic.

I have had someone from within Telstra (a different team) contact me who is forwarding my info on to the DNS team, so props to them and hopefully I can have it resolved today :).

On 16/04/13 10:28 AM, Heinz N wrote:
>
> I had a similar problem when I was using Telstra for a secondary. 
> Their recursors apparently look up their authoritative (and secondary) 
> first when answering a query. They favour resources on their network 
> first before going external (which is logical). I had problems 
> redelegating (luckily I was running the old config in parallel so 
> there was no impact). I was not sure if my TTL or Expiry was too long 
> or what, but the problem cleared itself up a week later.
>
> Regards,
> Heinz N. (Without an AS)
>
> On Tue, 16 Apr 2013, Joseph Goldman wrote:
>
>> It's just a theory, and could be wrong, but in either case we have 
>> identified the issue to be exclusive to Telstra customers. I doubt 
>> their recursives are also their authoritatives, although some would 
>> disagree, and it can make some sense to look up your own authoritative 
>> servers before doing a full lookup from out on the internet, but of 
>> course it is a bad idea when issues like this occur.
>>
>> On 16/04/13 9:30 AM, Andrew Jones wrote:
>>> So Telstra's recursive DNS servers are also their authoritative DNS 
>>> servers (or they forward to them)? Awesome.
>>>
>>> On 16.04.2013 09:25, Joseph Goldman wrote:
>>>> Hi List,
>>>>
>>>>  To bring some form of network discussion back to the list, I'm 
>>>> after a contact within Telstra to discuss DNS issues. There is a 
>>>> domain that Telstra appear to be hosting a zone for even though the 
>>>> domain is no longer delegated to them. This causes people on a 
>>>> Telstra tail to get the wrong results for the domain during lookup 
>>>> (Everywhere outside of Telstra's network is fine, however).
>>>>
>>>>  I tried getting through their Level 1 barriers, but I just get 
>>>> confused operators and transferred between departments.
>>>>
>>>> Thanks,
>>>> Joe

_______________________________________________
AusNOG mailing list
AusNOG at lists.ausnog.net
http://lists.ausnog.net/mailman/listinfo/ausnog
