[SANOG] Fwd: Bad firewall/nameserver behaviour causing timeouts of DNS queries.
Suresh Ramasubramanian
suresh at hserus.net
Wed Jun 22 06:33:25 UTC 2016
Quite a few APAC-based DNS servers here, including several in India.
> Begin forwarded message:
>
> From: Mark Andrews <marka at isc.org>
> Subject: Bad firewall/nameserver behaviour causing timeouts of DNS queries.
> Date: 22 June 2016 at 11:47:57 AM IST
> To: nanog at nanog.org
>
>
> The following nameservers for Alexa top 1M names fail to respond
> to EDNS queries with EDNS options specified or fail to respond to
> consecutive EDNS queries. These have been run through the checks
> multiple times to reduce the probability of false positives as
> timeout can be due to multiple causes.
>
> For many there are other errors that should also be addressed.
>
> This misbehaviour can cause DNSSEC validation to FAIL when the
> servers serve signed zones.
>
> This misbehaviour does result in significantly slower DNS resolution
> (multiple seconds).
>
> You can test your servers at https://ednscomp.isc.org/
>
> This is sent here because both SOA and whois contact details are
> wrong too often to bother trying to send to these addresses even
> if whois was easy to parse.
>
> Please fix your firewalls / nameservers as they are causing operational
> problems.
>
> Mark
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
>
> ------- End of Forwarded Message
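
An added example, not part of the original message or of ISC's tester: Python that builds the kind of EDNS query described above, sends it to a name server you operate, and classifies the outcome. Option code 100 is an arbitrary stand-in for an option the server does not recognise, and the function names are this example's own.

```python
import socket
import struct

OPT = 41  # EDNS OPT pseudo-RR type (RFC 6891)

def build_query(name, options=(), qtype=6, msg_id=0x1234):
    """Wire-format SOA query (qtype 6) with an OPT RR carrying (code, data) options."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.strip(".").split(".") if l) + b"\x00"
    header = struct.pack("!HHHHHH", msg_id, 0, 1, 0, 0, 1)  # one question, one additional
    rdata = b"".join(struct.pack("!HH", code, len(data)) + data for code, data in options)
    # OPT RR: root owner, TYPE 41, CLASS = UDP payload size, TTL = ext-rcode/version/flags
    opt = b"\x00" + struct.pack("!HHIH", OPT, 4096, 0, len(rdata)) + rdata
    return header + qname + struct.pack("!HH", qtype, 1) + opt

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:   # compression pointer ends the name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def classify(response):
    """Map a raw reply (or None for no reply) to timeout / rcode=N / no-opt / ok."""
    if response is None:
        return "timeout"
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", response[:12])
    off, has_opt = 12, False
    for _ in range(qd):
        off = skip_name(response, off) + 4
    for _ in range(an + ns + ar):
        off = skip_name(response, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", response[off:off + 10])
        has_opt = has_opt or rtype == OPT
        off += 10 + rdlen
    if flags & 0xF:
        return "rcode=%d" % (flags & 0xF)
    return "ok" if has_opt else "no-opt"

# Assumption: option code 100 stands in for an option the server does not know.
def probe(server, zone, options=(), timeout=3.0):
    """Send one probe over UDP to a server you operate and classify the outcome."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(zone, options), (server, 53))
        try:
            return classify(s.recv(4096))
        except socket.timeout:
            return "timeout"
```

Compare `probe(server, zone)` with `probe(server, zone, [(100, b"")])`: RFC 6891 requires unknown options to be ignored, so a server or firewall path that answers the first and times out on the second shows the behaviour the message describes.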