Upcoming DNS changes

[Guest]

I like the mousetrap, but as a network administrator, might I please suggest that your error message page, as seen at http://dns-blocked.sonic.net/, be changed to say who is responsible for the technical measures to block access, and also for the characterization of the site as malicious.

With so many points where a request for a malicious web site might be intercepted--the browser, a firewall on the user's computer, a firewall on the local network, the local DNS servers, the ISP's DNS servers--and even more sources of reputation information, it's important for anyone helping a user with a problem reaching a legitimate site to know how it was blocked and by whom.

It might also be appropriate to say, near the "Think this is blocked in error?" form, who will receive the user's report, what they will do with it, and how soon (or even if) they will respond.

I realize that you may not want to receive support calls about blocked sites, nor to lead naïve users into trouble, and I'm not asking that you add contact information or instructions for bypassing the block, just some basic information to save time in troubleshooting.

Thank you for considering my comments.

[lr]

If I understand this right, this only affects the DNS server that Sonic provides for its connectivity/bandwidth customers, right? Sonic's own servers (such as http://www.sonic.net, mail.sonic.net, imap.sonic.net, forums.sonic.net and so on) will continue to have normal DNS records that are visible from everywhere, right? I do not have to configure my systems to use DNSSEC etc. just to access Sonic's servers, right?

I use an independent ISP for connectivity from home (since Sonic doesn't have any service in my area), and I have my DNS set up to go right to the root servers (I run a full bind at home), but only as a caching server (I do not transfer zones from anyone). I use Sonic for e-mail and for hosting various domains, for which it does fabulously well. Since my DNS "resolver" (which in my case is a full bind setup) doesn't rely on Sonic's nameservers (and not even on my ISP's name servers), this change should not affect me, right?

[kgc]

I like the mousetrap, but as a network administrator, might I please suggest that your error message page, as seen at http://dns-blocked.sonic.net/, be changed to say who is responsible for the technical measures to block access, and also for the characterization of the site as malicious.

Many of our wholesale partner's customers use our name servers as well and so we need to avoid branding on things like this to prevent confusion. It isn't practical (or really, possible) for the dns servers to know about each end user and return the appropriate page branded for the end user. The point is taken that the page could contain the phrase "your isp" or something to that affect to make it clear who the acting party was.

[augie]

If I understand this right, this only affects the DNS server that Sonic provides for its connectivity/bandwidth customers, right? Sonic's own servers (such as http://www.sonic.net, mail.sonic.net, imap.sonic.net, forums.sonic.net and so on) will continue to have normal DNS records that are visible from everywhere, right? I do not have to configure my systems to use DNSSEC etc. just to access Sonic's servers, right?

Correct.

[augie]

Update 26, February — Stage one is complete, Los Angeles customers are now using the new DNS services.

[Guest]

Regarding "Closing our DNS servers to off network requests" could you clarify whether this means that 208.201.252.11 and .33 will be unavailable for use off-network in every way, or whether it means Sonic will not provide hosting of DNS records for off-network domains ?

In other words, if I am at Starbucks (rather than a bus that has Sonic.net wifi) and my laptop is preconfigured to use .11 for dns lookup, will it work ?

And should we expect those addresses to continue to ping from off-network ? Having memorized those numbers long ago, they are always the ones I use for troubleshooting when people say "my internet stopped working" etc.

Ann

[kgc]

In other words, if I am at Starbucks (rather than a bus that has Sonic.net wifi) and my laptop is preconfigured to use .11 for dns lookup, will it work ?

Short answer: No.

You should still be able to ping them from off-network and this has no bearing on domains hosted on our authoritative dns servers. (a/b/c.auth-ns.sonic.net)

[joemuller]

Regarding "Closing our DNS servers to off network requests" could you clarify whether this means that 208.201.252.11 and .33 will be unavailable for use off-network in every way, or whether it means Sonic will not provide hosting of DNS records for off-network domains ?

In other words, if I am at Starbucks (rather than a bus that has Sonic.net wifi) and my laptop is preconfigured to use .11 for dns lookup, will it work ?

And should we expect those addresses to continue to ping from off-network ? Having memorized those numbers long ago, they are always the ones I use for troubleshooting when people say "my internet stopped working" etc.

Ann

If you do need a DNS server to use for testing, Google currently runs a free server at 8.8.8.8. I don't know how long it will remain open, but I've found it handy for performing lookups against the greater WWW.

[Guest]

If you do need a DNS server to use for testing, Google currently runs a free server at 8.8.8.8. I don't know how long it will remain open, but I've found it handy for performing lookups against the greater WWW.

Google public DNS servers https://developers.google.com/speed/public-dns/

[augie]

For those interested, here is the list of Sonic.net recursive name servers:

https://wiki.sonic.net/wiki/List_of_rec ... NS_servers