Upcoming DNS changes

General discussions and other topics.
67 posts Page 5 of 7
by bbusby » Wed Mar 06, 2013 5:27 pm
Did I overlook an e-mail announcement about this change? I've been a member of Sonic for 16 years, and it was unpleasant to see the bland, generic "Update your DNS Settings" error message this morning. I second the earlier comment about identifying the source of the error message. It took a bit of troubleshooting to regain internet access, and some Googling before I could tell the error was legitimate and from Sonic. We use Comcast for high-speed at our home, but I have kept Sonic for several reasons, including the use of your DNS servers. I'm sorry to see that disappear. Could you please shed some light as to why off-network use of the DNS servers is so bad? Is it really that much easier to hack, or such a bad drain on resources? Makes me wish that DNS servers could be authenticated like other servers.

-- Hans

I suspect it was done for an expanding base of simple internet-using folk (like me). This was the case when the spam-call blocking went into effect. I know I'm happy not to get so many "duct and/or carpet cleaning" robo-calls.
The call-blocker has an off button as would using the alternate DNS servers.

That said, can someone at Sonic opine as to whether bolt will use the new or old DNS servers? I use lynx there to self-diagnose some suspicious-looking sites.
by augie » Wed Mar 06, 2013 5:36 pm
Bolt is using the "new" DNS servers that include the DNSSEC and RPZ features:

<augie@bolt> ~ $ cat /etc/resolv.conf
options timeout:1 attempts:5 rotate
search sonic.net
nameserver 208.201.224.33
nameserver 208.201.224.11
by bbusby » Wed Mar 06, 2013 5:50 pm
augie wrote:Bolt is using the "new" DNS servers that include the DNSSEC and RPZ features:

<augie@bolt> ~ $ cat /etc/resolv.conf
options timeout:1 attempts:5 rotate
search sonic.net
nameserver 208.201.224.33
nameserver 208.201.224.11
Rats -- that's why I'm seeing "Warning, WARNING Will Robinson!!" (OK: "It's a trap!").

Is there an environment vegetable that would cause lynx to resolve through the "unclean" servers? There's not much harm one can do to a text-only browser.
by kgc » Wed Mar 06, 2013 5:56 pm
Not without some contrivance on your part - one option is to use a VM on your desktop running whatever and configured to use the opt-out name servers that you could use to check into things. (This is actually what I set up today to do the same thing.) Either that or I think you'd have to query the opt-out server and then use telnet to talk to the IP address of the web server directly.
Kelsey Cummings
System Architect, Sonic.net, Inc.
by bbusby » Wed Mar 06, 2013 6:14 pm
kgc wrote:Not without some contrivance on your part - one option is to use a vm on your desktop running whatever and configured to use the opt out name servers that you could use to check into things. (This is actually what I setup today to do the same thing.) Either that or I think you'd have to query the opt out server and then use telnet to talk to the IP address of the web server directly.
Sadly, most of the spam-bags require a browser ID to be forged (so they can send their targeted poison -- I use Opera : "lynx -useragent=Opera10.2" does the trick) ... using the IP address triggers their alarm bells and you get nowt. I'll tweak the Linux box at this end to use the "nasty" DNS box(es) as soon as I can justify a reboot. Running a VM is a large load for an audio production environment and not in my cards for the nonce.

As always, I'm grateful for the lucid tech responses you folks supply.
by mross » Wed Mar 06, 2013 9:00 pm
augie wrote:We understand that some of our customers may wish to not utilize these additional security features, and as such we are offering two opt-out servers that do not implement DNSSEC or reputation validation, the IP addresses of those servers are:

75.101.19.196
75.101.19.228
Is it very wise to advertise in a very public place that these two servers are unprotected? For malfeasants scanning for servers that aren't running DNSSEC to do some damage, would this not make Sonic.net a preferred target?

For the record, I have switched to these servers. Like others here, one of the reasons for keeping my Sonic.net account was for your DNS service. I _always_ access from outside the network, and the mega-commercial ISPs I use here in Canada (Bell and Rogers) filter DNS requests for their own "evil" purposes. VNC for DNS queries does not seem practical. As well, my Terms of Usage with Bell would seem to prohibit this.

Is there not a way to accept "read-only" connections/requests to the DNSSEC servers from the outside?
by augie » Thu Mar 07, 2013 4:44 pm
Is it very wise to advertise in a very public place that these two servers are unprotected? For malfeasants scanning for servers that aren't running DNSSEC to do some damage, would this not make Sonic.net a preferred target?
DNSSEC just offers to validate hosts that have secured their zones with DNSSEC; publishing these IPs does not represent a security threat to Sonic.net.
Is there not a way to accept "read-only" connections/requests to the DNSSEC servers from the outside?
DNS in the sense that we are talking about is all read-only already; the DNSSEC features we offer are not really related to us closing connections to off-network requests.
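As an added illustration (not code from this thread, from Sonic, or from bolt), the following Python script shows at the wire level what the "DNSSEC and RPZ features" discussed above look like to a client: it builds a query with the EDNS0 DO bit, parses a reply and reports the AD (Authenticated Data) flag a validating resolver sets, the SERVFAIL such a resolver returns when a zone's signatures fail, and the kind of CNAME rewrite an RPZ-filtering resolver can substitute for a listed name. How Sonic actually serves its "Update your DNS Settings" page is not stated in the thread and is assumed here. All replies are constructed inline (TEST-NET addresses, .invalid names, a made-up walled-garden host); only `query_resolver` touches the network, and the comparison in `verdict` (plain query versus a retry with CD set) is the practical check for telling a DNSSEC validation failure from an outage.

```python
import socket
import struct

# DNS header flag bits (RFC 1035, RFC 4035) and the EDNS0 DO bit (RFC 6891)
FLAG_QR = 0x8000
FLAG_RD = 0x0100
FLAG_RA = 0x0080
FLAG_AD = 0x0020   # Authenticated Data: the resolver validated the answer with DNSSEC
FLAG_CD = 0x0010   # Checking Disabled: ask the resolver to skip validation
EDNS_DO = 0x8000   # DNSSEC OK bit, carried in the TTL field of the OPT pseudo-record
TYPE_A, TYPE_CNAME, TYPE_OPT = 1, 5, 41


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(buf, off):
    """Decode the name at buf[off], following compression pointers; return (name, next_off)."""
    labels, end = [], None
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:            # 2-byte pointer into an earlier name
            if end is None:
                end = off + 2
            off = ((length & 0x3F) << 8) | buf[off + 1]
            continue
        off += 1
        if length == 0:
            break
        labels.append(buf[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def build_query(name, qtype=TYPE_A, txid=0x1234, dnssec_ok=True, checking_disabled=False):
    """Build a recursive query; DO asks for signatures, CD asks the resolver not to validate."""
    flags = FLAG_RD | (FLAG_CD if checking_disabled else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1 if dnssec_ok else 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    opt = b""
    if dnssec_ok:   # OPT RR: root name, type 41, UDP size 4096, ext-rcode/version 0 + DO, no rdata
        opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO, 0)
    return header + question + opt


def parse_response(buf):
    """Parse header flags, the OPT DO bit and A/CNAME records of a DNS message."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", buf[:12])
    off = 12
    for _ in range(qd):                       # skip the question section
        _, off = decode_name(buf, off)
        off += 4
    records, do = [], False
    for _ in range(an + ns + ar):
        name, off = decode_name(buf, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        rdata = buf[off + 10:off + 10 + rdlen]
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            do = bool(ttl & EDNS_DO)
        elif rtype == TYPE_A:
            records.append((name, "A", ".".join(str(b) for b in rdata)))
        elif rtype == TYPE_CNAME:             # rdata is a (possibly compressed) name
            records.append((name, "CNAME", decode_name(buf, off - rdlen)[0]))
    return {"id": txid, "rcode": flags & 0x000F, "ad": bool(flags & FLAG_AD),
            "cd": bool(flags & FLAG_CD), "ra": bool(flags & FLAG_RA),
            "edns_do": do, "records": records}


def verdict(normal, with_cd):
    """Compare a plain answer with a CD=1 retry: SERVFAIL that clears with CD is a DNSSEC failure."""
    if normal["rcode"] == 2 and with_cd["rcode"] == 0:
        return "dnssec-validation-failure"
    if normal["rcode"] == 0 and normal["ad"]:
        return "validated"
    if normal["rcode"] == 0:
        return "unvalidated"
    return "error-rcode-%d" % normal["rcode"]


def query_resolver(server, name, checking_disabled=False, timeout=3.0):
    """Send one UDP query to a resolver on port 53 and parse the reply (needs network access)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, checking_disabled=checking_disabled), (server, 53))
        return parse_response(s.recv(4096))


# Constructed sample replies (not captured traffic): TEST-NET addresses, .invalid names.
_Q = encode_name("example.com") + struct.pack("!HH", TYPE_A, 1)
_A_REC = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + bytes([192, 0, 2, 1])
VALIDATED_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 1) + _Q + _A_REC
                      + b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO, 0))
BOGUS_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8182, 1, 0, 0, 0) + _Q      # SERVFAIL
CD_RETRY_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8190, 1, 1, 0, 0) + _Q + _A_REC
_WG = encode_name("walled-garden.example.invalid")                          # assumed name
RPZ_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)
                + encode_name("bad-example.invalid") + struct.pack("!HH", TYPE_A, 1)
                + b"\xc0\x0c" + struct.pack("!HHIH", TYPE_CNAME, 1, 300, len(_WG)) + _WG
                + _WG + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + bytes([192, 0, 2, 10]))

if __name__ == "__main__":
    print("signed zone, validating resolver:", verdict(parse_response(VALIDATED_RESPONSE), None))
    print("broken signatures:", verdict(parse_response(BOGUS_RESPONSE), parse_response(CD_RETRY_RESPONSE)))
    print("RPZ-listed name:", parse_response(RPZ_RESPONSE)["records"])
```

The offline samples stand in for the three outcomes a client of these resolvers can see. Against a live resolver, `query_resolver(server, name)` followed by `query_resolver(server, name, checking_disabled=True)` gives the two responses `verdict` expects; a name that works only with CD set is failing DNSSEC validation rather than being unreachable.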
by mross » Fri Mar 08, 2013 12:11 pm
augie wrote:DNS in the sense that we are talking about is all read-only already; the DNSSEC features we offer are not really related to us closing connections to off-network requests.
OK. So some kind of authorization process could be implemented to allow off-network requests.

There used to be a system in place a long time ago on Sonic (we're talking late 1990s I think) for sending mail through Sonic's servers whereby off-network requests were granted if a successful Sonic authentication via POP had been made from an IP within a certain timeframe. This is before SMTP required an account and password.

In essence to send mail through the Sonic SMTP servers, you first had to check email via POP and show that you had a Sonic account.

Can this or something similar be re-implemented with regard to DNS? Such as a proxy? If http://proxydns.co/ can do it surely so can you?
by augie » Fri Mar 08, 2013 1:03 pm
mross wrote: Can this or something similar be re-implemented with regard to DNS? Such as a proxy? If http://proxydns.co/ can do it surely so can you?
I don't see us ever doing something like that.

We are not currently blocking off-network DNS traffic, and potentially we will continue to allow off-net DNS traffic and protect ourselves in other ways, but what you describe above is not something I can see us implementing.
by Guest » Fri Mar 08, 2013 7:40 pm
augie wrote:We are not currently blocking off-network DNS traffic, and potentially we will continue to allow off-net DNS traffic and protect ourselves in other ways....
Can you explain what you mean by Sonic not currently blocking off-network DNS traffic?

I lost DNS on March 5th.