DNS issue with Telstra IP reaching Telstra NS

Discussion in 'Networking, Telephony & Internet' started by Sleepyz7z, Mar 1, 2019.

  1. Sleepyz7z

    Sleepyz7z Member

    Joined:
    Mar 16, 2016
    Messages:
    30
    Could any folk on a Telstra connection of some description (IPv4) run the following:

    nslookup beyondblue.org.au ns1.telstra.net
    (should be same command format whether windows/linux/macOS)


    and report if it resolves or times out? First 2 octets of your IP and location would be good!

    Background: have several pfsense boxes and in their default config, use unbound for DNS. Two are on Telstra connections and cannot resolve certain domains. Others, which use a mix of providers, are fine. Debug shows affected domains which use the above nameserver are timing out to queries from certain Telstra IPs (at least two Telstra connections in Adelaide, both 101.166.x.x). Doesn't appear to be routing related as they can ping/trace to ns1/0.telstra.net fine

    Thanks ladies & gents
     
    Last edited: Mar 1, 2019
  2. caspian

    caspian Member

    Joined:
    Mar 11, 2002
    Messages:
    10,341
    Location:
    Melbourne
    C:\>nslookup beyondblue.org.au ns1.telstra.net
    Server: UnKnown
    Address: 139.130.4.5

    Name: beyondblue.org.au
    Address: 203.32.14.130


    no delay in response.

    cpe-121-219-xxx-xxx.bpwi-r-031.win.vic.bigpond.net.au, so hanging off a LAC in Windsor, Melbourne.
     
  3. waltermitty

    waltermitty Member

    Joined:
    Feb 19, 2016
    Messages:
    1,018
    Location:
    BRISBANE
    Do you have DNS forwarding on or is Unbound resolving and not just caching? If so, which fwders?
     
  4. OP
    Sleepyz7z

    Sleepyz7z Member

    Joined:
    Mar 16, 2016
    Messages:
    30
    No forwarding on (default config, so unbound is doing all the resolving).
     
  5. evilasdeath

    evilasdeath Member

    Joined:
    Jul 24, 2004
    Messages:
    4,861
    Well, am on Telstra and I can't even DNS query the Telstra name servers! (I don't use them normally.) Can query other name servers fine, yet I can ping both name servers? What the?
    Can't even resolve google/telstra whatever.

    Melbourne 121.211
     
    Last edited: Mar 1, 2019
  6. Nobby6

    Nobby6 Member

    Joined:
    Oct 25, 2017
    Messages:
    99
    Location:
    S.E.Q


    139.130.4.5 is not a recursive server, it's an authoritative one; it won't resolve domains it's not serving.

    Try 139.130.4.4, that's recursive.

    That said, 4.5 is authoritative for, and resolves, beyondblue.org.au
     
  7. evilasdeath

    evilasdeath Member

    Joined:
    Jul 24, 2004
    Messages:
    4,861
    Yeah, I guessed it was not recursive, but it does not respond to nada.

    No DNS reply, period, for any zone, not even beyondblue.org.au, yet I do see it is delegated to those servers. Usually I would at least see a recursion not available.

    Looks like they block direct queries from IP ranges to stop people.
     
  8. Nobby6

    Nobby6 Member

    Joined:
    Oct 25, 2017
    Messages:
    99
    Location:
    S.E.Q

    OK, I've never looked for a PM here, so if it does exist, if you want to let me know what (121.211.x.y) the x is - I don't want to know your class C (the y, keep that to yourself), and I'll see what can be done.
     
  9. evilasdeath

    evilasdeath Member

    Joined:
    Jul 24, 2004
    Messages:
    4,861
    121.211.43
    Telstra HFC, Melbourne
    Looks like sleepy OP also has some IPs blocked.

    But yeah, ICMP is fine to both ns0/ns1.

    However, digs to either fail for authoritative/non-authoritative zones and result in timeouts.
     
  10. OP
    Sleepyz7z

    Sleepyz7z Member

    Joined:
    Mar 16, 2016
    Messages:
    30
    Not getting 'refused' either, just silently dropped. Problem reports first came in a month back.

    Are you in the 'Big T' machine, Nobby6? (work or have connections to Telstra?)
     
  11. Nobby6

    Nobby6 Member

    Joined:
    Oct 25, 2017
    Messages:
    99
    Location:
    S.E.Q
    It seems there were some migration problems; should be fixed now. Can you guys check to see if it's all good please?
     
  12. OP
    Sleepyz7z

    Sleepyz7z Member

    Joined:
    Mar 16, 2016
    Messages:
    30
    No dice 101.166.199.x and 101.166.206.x
     
  13. Nobby6

    Nobby6 Member

    Joined:
    Oct 25, 2017
    Messages:
    99
    Location:
    S.E.Q
    which domains, just beyondblue?
     
  14. evilasdeath

    evilasdeath Member

    Joined:
    Jul 24, 2004
    Messages:
    4,861
    This is what I get from the 2 Telstra servers from behind my home Telstra HFC service.

    Code:
    $ dig @ns0.telstra.net beyondblue.org.au
    
    ; <<>> DiG 9.11.3-1ubuntu1.5-Ubuntu <<>> @ns0.telstra.net beyondblue.org.au
    ; (1 server found)
    ;; global options: +cmd
    ;; connection timed out; no servers could be reached
    
    dig @ns1.telstra.net beyondblue.org.au
    
    ; <<>> DiG 9.11.3-1ubuntu1.5-Ubuntu <<>> @ns1.telstra.net beyondblue.org.au
    ; (1 server found)
    ;; global options: +cmd
    ;; connection timed out; no servers could be reached
    


    This is what I get from another DNS server I manage. So it does work.

    Code:
    dns1:/# dig @ns0.telstra.net beyondblue.org.au
    
    ; <<>> DiG 9.11.3 <<>> @ns0.telstra.net beyondblue.org.au
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56857
    ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
    ;; WARNING: recursion requested but not available
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;beyondblue.org.au.             IN      A
    
    ;; ANSWER SECTION:
    beyondblue.org.au.      300     IN      A       203.32.14.130
    
    ;; AUTHORITY SECTION:
    beyondblue.org.au.      3600    IN      NS      ns1.telstra.net.
    beyondblue.org.au.      3600    IN      NS      ns0.telstra.net.
    
    ;; Query time: 15 msec
    ;; SERVER: 139.130.204.47#53(139.130.204.47)
    ;; WHEN: Wed Mar 06 14:12:36 EST 2019
    ;; MSG SIZE  rcvd: 109
    
    dns1:/# dig @ns1.telstra.net beyondblue.org.au
    
    ; <<>> DiG 9.11.3 <<>> @ns1.telstra.net beyondblue.org.au
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59812
    ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
    ;; WARNING: recursion requested but not available
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;beyondblue.org.au.             IN      A
    
    ;; ANSWER SECTION:
    beyondblue.org.au.      300     IN      A       203.32.14.130
    
    ;; AUTHORITY SECTION:
    beyondblue.org.au.      3600    IN      NS      ns0.telstra.net.
    beyondblue.org.au.      3600    IN      NS      ns1.telstra.net.
    
    ;; ADDITIONAL SECTION:
    ns1.telstra.net.        3600    IN      A       139.130.4.5
    
    ;; Query time: 3 msec
    ;; SERVER: 139.130.4.5#53(139.130.4.5)
    ;; WHEN: Wed Mar 06 14:12:40 EST 2019
    ;; MSG SIZE  rcvd: 125
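
The three outcomes discussed in this thread (a silent timeout, an explicit REFUSED, and an authoritative answer with the `aa` flag set) can be told apart from the DNS header alone. The following is an added example, not code from any poster; the function names `build_query`, `classify` and `probe` and the result labels are made up for illustration:

```python
import os
import socket
import struct

def build_query(name, qid, rd=False):
    """Minimal A/IN query; RD clear, as a resolver sends to an authoritative server."""
    header = struct.pack("!HHHHHH", qid, 0x0100 if rd else 0, 1, 0, 0, 0)
    parts = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in parts) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def classify(reply, qid):
    """Map a raw reply (None = nothing arrived in time) to the cases in the thread."""
    if reply is None:
        return "silent-drop"  # dig shows "connection timed out"
    if len(reply) < 12:
        return "malformed"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    if rid != qid or not flags & 0x8000:  # wrong ID, or QR bit clear
        return "malformed"
    rcode, aa = flags & 0x000F, bool(flags & 0x0400)
    if rcode == 5:
        return "refused"  # an explicit policy answer, not a drop
    if rcode == 0 and aa:
        return "authoritative-answer" if ancount else "authoritative-nodata"
    return "non-authoritative" if rcode == 0 else f"rcode-{rcode}"

def probe(server, name, timeout=3.0):
    """Ask one server over UDP, then TCP; shows whether a drop is UDP-specific."""
    qid = int.from_bytes(os.urandom(2), "big")
    query, out = build_query(name, qid), {}
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.connect((server, 53))  # connected socket: only this peer's replies
            s.send(query)
            out["udp"] = classify(s.recv(4096), qid)
    except socket.timeout:
        out["udp"] = classify(None, qid)
    except OSError as exc:  # e.g. ICMP unreachable: an error, not a silent drop
        out["udp"] = "error-" + type(exc).__name__
    try:
        with socket.create_connection((server, 53), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(query)) + query)  # TCP length prefix
            reader = s.makefile("rb")
            (size,) = struct.unpack("!H", reader.read(2))
            out["tcp"] = classify(reader.read(size), qid)
    except (OSError, struct.error) as exc:
        out["tcp"] = "no-tcp-reply-" + type(exc).__name__
    return out
```

Running `probe("139.130.4.5", "beyondblue.org.au")` from an affected and an unaffected connection and comparing the two dictionaries gives the same evidence as the dig output above in a form that is easy to log.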
    
     
  15. OP
    Sleepyz7z

    Sleepyz7z Member

    Joined:
    Mar 16, 2016
    Messages:
    30
    Literally anything ns(x).telstra.net is authoritative for. I used google-fu to find a list of 10,000 domains e.g. davidjones.com.au, batteryworld.com.au etc. and they're all affected due to the fact there seems to be dropping of requests from certain addresses.

    Pretty much as evilasdeath reports above.
     
  16. Doc-of-FC

    Doc-of-FC Member

    Joined:
    Aug 30, 2001
    Messages:
    3,346
    Location:
    Canberra
    Ausnog post yet?

    Just saying ;)
     
  17. Nobby6

    Nobby6 Member

    Joined:
    Oct 25, 2017
    Messages:
    99
    Location:
    S.E.Q
    You will get kicked pretty quick for end user complaints on ausnog :)

    Since it responds to ping, it's not a routing issue.
     
  18. Nobby6

    Nobby6 Member

    Joined:
    Oct 25, 2017
    Messages:
    99
    Location:
    S.E.Q
    Can I get traceroutes please of the Vic and SA HFC connections? Looking for a common factor. There has been some rate limiting going on due to some lamer trying a DoS on that name, but that's only been going not even a week, so is unlikely the issue given you never get an answer and I get an answer every time, as did Caspian, who's in a different state.
     
  19. OP
    Sleepyz7z

    Sleepyz7z Member

    Joined:
    Mar 16, 2016
    Messages:
    30
    I didn't think to compare traceroutes from working/nonworking to be honest, as I could ping the server I pretty much thought the path wasn't a problem.. but maybe it is.

    Code:
    Tracing route to ns0.telstra.net [139.130.204.47]
    over a maximum of 30 hops:
    
      1    <1 ms    <1 ms    <1 ms  firewall.box [192.168.1.1]
      2     *        *        *     Request timed out.
      3    11 ms    31 ms    12 ms  10.63.53.131
      4    43 ms    34 ms    54 ms  10.195.185.50
      5     *        *        *     Request timed out.
      6     *        *        *     Request timed out.
      7    29 ms    31 ms    30 ms  203.50.245.241
      8    42 ms    30 ms    39 ms  ns0.telstra.net [139.130.204.47]
    
    
    Tracing route to ns1.telstra.net [139.130.4.5]
    over a maximum of 30 hops:
    
      1    <1 ms    <1 ms    <1 ms  firewall.box [192.168.1.1]
      2     *        *        *     Request timed out.
      3    12 ms    12 ms    12 ms  10.63.53.131
      4    18 ms    18 ms    34 ms  10.195.184.170
      5     *        *        *     Request timed out.
      6     *        *        *     Request timed out.
      7    21 ms    21 ms    31 ms  203.50.243.241
      8    23 ms    22 ms    20 ms  ns1.telstra.net [139.130.4.5]
     
  20. caspian

    caspian Member

    Joined:
    Mar 11, 2002
    Messages:
    10,341
    Location:
    Melbourne
    if you can ping the server then you have connectivity to it, that's all a traceroute is going to show you in that regard.
     
