Kitz Forum

Internet => General Internet => Topic started by: roseway on April 15, 2010, 07:26:38 AM

Title: Your internet access may die on May 5th
Post by: roseway on April 15, 2010, 07:26:38 AM
This doesn't seem to have been widely discussed, but on May 5th a new, more secure, DNS protocol is being introduced. For most users this change should happen seamlessly, but users with badly configured firewalls and customers of badly prepared ISPs may find that DNS lookups no longer work, so they can't do anything on the internet.

There's a link to an El Reg article on the subject below, and near the end of that article there are links to two ways of testing if your DNS provider is ready for this change. If you get bad results from the test, it might be worth considering a change to a different DNS provider.

http://www.theregister.co.uk/2010/04/13/dnssec/
Title: Re: Your internet access may die on May 5th
Post by: silversurfer44 on April 15, 2010, 07:46:52 AM
Very interesting Eric. Thank you for bringing it up. I tested out OK.
Title: Re: Your internet access may die on May 5th
Post by: broadstairs on April 15, 2010, 08:25:38 AM
Well I just issued the dig +short rs.dns-oarc.net txt command and it came back with the results indicating a router which does not support EDNS at ip 204.74.106.104 and 204.74.106.103 which is nothing to do with my setup. So I'm a bit worried now especially as it seems there is nothing I can do. I guess I need to try to find out where this IP resides.

Stuart
Title: Re: Your internet access may die on May 5th
Post by: waltergmw on April 15, 2010, 08:52:47 AM
@ Broadstairs,

Herewith a Whois scan

Kind regards,
Walter

Whois has started…

Internet Media Network IMN (NET-204-74-64-0-1)
                                  204.74.64.0 - 204.74.127.255
UltraDNS Corp ULTRADNS-GLOBAL-2 (NET-204-74-96-0-1)
                                  204.74.96.0 - 204.74.108.255

# ARIN WHOIS database, last updated 2010-04-14 20:00
# Enter ? for additional hints on searching ARIN's WHOIS database.
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at https://www.arin.net/whois_tou.html
Title: Re: Your internet access may die on May 5th
Post by: tuftedduck on April 15, 2010, 08:53:04 AM
I have had a look by accessing the dns-oarc link...................and I do not understand one word of what is written there.

Surely it is not expected that a whole world full of internet users (most of whom are like me and just want to connect without having to understand all the technicalities) will have to carry out tests such as that to ensure that their connections will continue to "work"?
Surely it will be the responsibility of the ISPs to ensure that the correct systems/protocols will be put in place ?

What is a "DNS Provider" ?

Title: Re: Your internet access may die on May 5th
Post by: UncleUB on April 15, 2010, 09:01:44 AM
Quote
I have had a look by accessing the dns-oarc link...................and I do not understand one word of what is written there.

Surely it is not expected that a whole world full of internet users (most of whom are like me and just want to connect without having to understand all the technicalities) will have to carry out tests such as that to ensure that their connections will continue to "work"?
Surely it will be the responsibility of the ISPs to ensure that the correct systems/protocols will be put in place ?

What is a "DNS Provider" ?

I was just thinking the same. I haven't a clue what it means or what to do.  :no:

Title: Re: Your internet access may die on May 5th
Post by: broadstairs on April 15, 2010, 09:16:57 AM
Well I changed my DNS setup to use the TalkTalk default and now I get a different set of results, still not perfect but different. It now says edns or dnssec is working but the actual buffer size is smaller (about half) the advertised size (4096 vs 1993).

Yes I do understand ordinary internet users being confused by all this tech speak and I'm sure there will be loads of calls to ISP support teams if/when things stop working.

Stuart
Title: Re: Your internet access may die on May 5th
Post by: silversurfer44 on April 15, 2010, 09:22:25 AM
For the vast majority of internet users they will not or do not need to know the technical side of this. For the very few unfortunate ones that are liable to find that they can no longer surf, post mail or whatever it is nice there is advanced warning that it may happen.
If you found yourself in the position of not being able to access the internet you would not even be able to post on here about it.
@TD I agree it is the responsibility of the isp to maintain connection to the Domain Name Server (dns), however, if an individual user has a firewall rule on their router or pc then the responsibility is the end user. Getting assistance for such as this would mean a phone call as one would not be able to do it online.

Without the DNS system there would be no internet as you know it. The DNS servers are there to convert the http://forum.kitz.co.uk into a numerical number that the entire internet works on. This is a subject in its own right and there is plenty of information on the web if one wishes to delve into it. It's by no means necessary to know anything about it.
Title: Re: Your internet access may die on May 5th
Post by: roseway on April 15, 2010, 10:10:29 AM
Sorry if I've caused alarm and despondency. For most people there should be no problem, and for the majority of people who use their ISP's DNS services it's certainly true to say that the ISP is responsible for ensuring that their service conforms to the new standard.

But I always think that it's better to be prepared. If you happen to be one of the unlucky few who experience problems after the changeover, you may not even have a usable internet connection to enable you to search for a solution.

Here's another way of checking, which you may find easier to use and understand. Download DNS Benchmark (http://www.grc.com/dns/benchmark.htm) and run it. You don't have to install this program, just run the executable which you downloaded. It's a Windows program, but it also works perfectly in Linux using Wine. When it's running, click the 'Nameserver' tab, then right-click in the middle part of the window; a popup menu appears, and you should click on 'Test DNSSEC Authentication'. Then click the 'Run Benchmark' button and leave it to work, which takes several minutes. A progress bar at the top lets you know how it's progressing.

When it finishes, click on the 'Conclusions' tab for a report.


(Apologies to SS44 for repeating things he already said :) )
Title: Re: Your internet access may die on May 5th
Post by: silversurfer44 on April 15, 2010, 11:39:25 AM
No apologies necessary Roseway, you just reaffirm anything I may have said  :)
Title: Re: Your internet access may die on May 5th
Post by: camallison on April 15, 2010, 11:42:07 AM
Did the test and am reassured!
Title: Re: Your internet access may die on May 5th
Post by: tonyappuk on April 15, 2010, 12:33:19 PM
Did both tests (DNS Benchmark and Replysizetest). The first brings up two red conclusions, that I am using only one (my router's) nameserver configured and that the System nameserver is SLOWER than 10 public alternatives! Replysizetest says Your resolver does not have DNSSEC enabled. This has confused me and I would welcome some advice.

Am I right in thinking that the fact that DNSSEC is not enabled is because the change on 5th. May has not happened yet or should I be taking action now?

The matter of using only the router's nameserver is presumably because in the initial router internet set up it uses "Obtain DNS server address automatically" which is what I have always used in each PC set up I have configured. Would it be sensible and worthwhile to change this to using the nameservers provided by my ISP (Plusnet) as DNS Benchmark suggests? If this is the way to go, is there a guide to help me accomplish this? I would be very grateful for some advice - the older I get the less I seem to know!
Tony
Title: Re: Your internet access may die on May 5th
Post by: Azzaka on April 15, 2010, 01:17:53 PM
Quote
I have had a look by accessing the dns-oarc link...................and I do not understand one word of what is written there.

Surely it is not expected that a whole world full of internet users (most of whom are like me and just want to connect without having to understand all the technicalities) will have to carry out tests such as that to ensure that their connections will continue to "work"?
Surely it will be the responsibility of the ISPs to ensure that the correct systems/protocols will be put in place ?

What is a "DNS Provider" ?

I was just thinking the same. I haven't a clue what it means or what to do.  :no:

You are both right. This is directly to do with the ISP. Zen are testing and making sure our DNS will work properly. I feel the smaller or less customer focused ISPs will not be so quick to test and hence you may see an issue. For the most part it will/should be seamless. A lot of the information is hyped up, so ask questions, follow advice to check your own firewalls and modems and if you are still not sure call your ISP and ask what they are doing to check the new DNS.
 
Title: Re: Your internet access may die on May 5th
Post by: roseway on April 15, 2010, 01:30:06 PM
Quote
Am I right in thinking that the fact that DNSSEC is not enabled is because the change on 5th. May has not happened yet or should I be taking action now?

Most DNS services should be enabled for DNSSEC by now, so that they're ready for when the changeover takes place. I think it would be sensible to take some action now.

Quote
The matter of using only the router's nameserver is presumably because in the initial router internet set up it uses "Obtain DNS server address automatically" which is what I have always used in each PC set up I have configured. Would it be sensible and worthwhile to change this to using the nameservers provided by my ISP (Plusnet) as DNS Benchmark suggests? If this is the way to go, is there a guide to help me accomplish this? I would be very grateful for some advice - the older I get the less I seem to know!

There's nothing wrong in principle with using the option to obtain DNS server addresses automatically. The addresses will be obtained from the ISP (in your case Plusnet) and there will certainly be two of them. I think that the situation you have is that your PC is set up to use the router as its DNS server, so the router is acting as a DNS relay, which again is a perfectly reasonable way of operating, normally. Entering the Plusnet DNS addresses in the router manually would change nothing, because it will already be using those addresses.

I think your easiest option is to reconfigure your PC to use DNS server addresses which you enter manually. You could try the Plusnet DNS server addresses first if you like, and then try replysizetest again. This may be all you need to do. But if replysizetest still indicates a failure, then you would probably be best advised to use a couple of addresses from near the top of the DNS Benchmark results, which will give you better performance anyway.
Title: Re: Your internet access may die on May 5th
Post by: sevenlayermuddle on April 15, 2010, 02:10:23 PM
Quote
Sorry if I've caused alarm and despondency. For most people there should be no problem

Aw shucks, I was looking forwards to the lights going dark, phone lines going dead, and aeroplanes falling out of the sky, just like I looked forwards to in the run-up to Y2K bugs  >:D

Seriously, thanks for the heads up, it's the first I'd heard of it & I will do some checking tonight.

I'll need to think about whether or not to call Mum & Dad and help them to check.  I know their PCs are configured to use the router as DNS relay, and I don't want to attempt to talk them through changing it.  I think I'll just keep quiet til after the event, and then call and make sure they're still OK.
Title: Re: Your internet access may die on May 5th
Post by: broadstairs on April 15, 2010, 05:51:51 PM
I've been doing some testing and get totally conflicting results, sometimes it works and says DNSSEC is not supported and most times it fails completely both manually or using the Java applet. The GRC program purports to test DNSSEC but reports no errors. So I am probably just going to wait and see what happens.

Stuart
Title: Re: Your internet access may die on May 5th
Post by: roseway on April 15, 2010, 06:54:22 PM
Quote
The GRC program purports to test DNSSEC but reports no errors.

I think that means that, as far as DNS Benchmark is concerned, your DNS service is good. I gathered from their documentation that, if a server being tested didn't support DNSSEC, then it was likely to choke on the test, and you would have got a message to that effect.
Title: Re: Your internet access may die on May 5th
Post by: tonyappuk on April 15, 2010, 07:36:03 PM
Thanks for your response Eric. I will investigate and fiddle a bit more but I am glad to see I am not alone in my confusion. And here was I thinking I was fairly computer literate!
Tony
Title: Re: Your internet access may die on May 5th
Post by: jeffbb on April 15, 2010, 08:31:22 PM
Hi

No apparent problem with DNS Benchmark .

But  Replysizetest reports that

Your resolver announced a buffer size bigger than the largest packet that it
can receive    This scenario can cause problems for a resolver,


It reports the

The most common causes are firewalls which block DNS packets bigger than 512 bytes, or fragmentation,
which causes a large DNS packet to be broken up into smaller fragments which routers and/or firewalls don't know how to handle.

if your announced buffer size is the default of 4096 bytes, and the measured buffer size is much smaller (say 1400 bytes),

it does  :(

 We recommend that you configure your network, routers and firewalls to handle larger packets and/or fragments.


? how is this done all double Dutch to me

using Comodo firewall
and DG834 GT  router

Regards Jeff
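
To make the announced versus measured buffer figures in this thread concrete, here is an added example (not part of any post, and not code from DNS-OARC or GRC). It builds the EDNS0 OPT record a resolver uses to announce its UDP buffer size and the DNSSEC OK bit, reads it back, and models what happens to a large reply. The function names are hypothetical and the 2000-byte reply size is a constructed sample.

```python
import struct

OPT = 41  # EDNS0 pseudo-record type (RFC 6891)

def build_query(name, qtype=16, bufsize=4096, do=True, qid=0x1234):
    """DNS query for `name`; bufsize=None omits the OPT record (pre-EDNS client)."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    arcount = 0 if bufsize is None else 1
    msg = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, arcount)  # RD flag, one question
    msg += qname + struct.pack("!HH", qtype, 1)                   # QTYPE (16 = TXT), class IN
    if bufsize is not None:
        # OPT RR: root owner name, CLASS carries the UDP buffer size,
        # TTL carries ext-rcode/version/flags; 0x8000 is the DO (DNSSEC OK) bit.
        msg += b"\x00" + struct.pack("!HHIH", OPT, bufsize, 0x8000 if do else 0, 0)
    return msg

def _skip_name(msg, off):
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:      # compression pointer is always two bytes
            return off + 2
        off += 1 + n

def parse_edns(msg):
    """Return {'bufsize', 'do'} from the OPT record, or None if there is none."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == OPT:
            return {"bufsize": rclass, "do": bool(ttl & 0x8000)}
        off += 10 + rdlen
    return None

def reply_outcome(reply_len, query, path_limit):
    """What happens to a UDP reply of reply_len bytes (path_limit = measured size)."""
    edns = parse_edns(query)
    announced = edns["bufsize"] if edns else 512   # classic DNS limit without EDNS
    if reply_len > announced:
        return "truncated"   # server sets TC; client retries over TCP
    if reply_len > path_limit:
        return "dropped"     # server believes it fits, path discards it: timeout
    return "delivered"

if __name__ == "__main__":
    q = build_query("rs.dns-oarc.net")   # name from the dig command in the thread
    print(parse_edns(q))
    for limit in (1399, 3839):           # measured sizes reported in the thread
        print(limit, reply_outcome(2000, q, limit))   # 2000 = constructed reply size
```

The "dropped" case is the one the reply size test warns about: the resolver announces 4096 bytes, so the server never falls back to truncation, yet the path cannot carry the reply.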
Title: Re: Your internet access may die on May 5th
Post by: broadstairs on April 15, 2010, 11:53:57 PM
Well I decided to try the TalkTalk DNS servers since I'm with them and they come out as EDNS and DNSSEC both supported with announced buffer of 4096 and actual of 3839 which is within the 300 bytes allowed. Surprised me a bit since TT often get a bad press so I was expecting them to fail!

Stuart
Title: Re: Your internet access may die on May 5th
Post by: roseway on April 16, 2010, 07:17:37 AM
Quote
buffer of 4096 and actual of 3839 which is within the 300 bytes allowed

Those figures are exactly the same as I get with vnsc (4.2.2.3 and 4.2.2.5).
Title: Re: Your internet access may die on May 5th
Post by: jeffbb on April 16, 2010, 03:24:58 PM
Hi
Yesterday when I tested 212.23.3.100 and 212.23.6.100 (ZEN) they both gave

announced buffer 4096 and  measured buffer size  1399 both had DNSSEC enabled .

Today

211.23.3.100 shows announced buffer 4096 and  measured buffer size  3839 bytes  this I understand is OK  :)

211.23.6.100 still shows announced buffer 4096 and  measured buffer size  1399 bytes but this is not OK :(
It is still showing DNSSEC enabled

Regards Jeff



Title: Re: Your internet access may die on May 5th
Post by: roseway on April 16, 2010, 04:48:29 PM
I'm afraid I don't understand the details at all, but Zen obviously know what they're doing, and it looks as though they are increasing the buffer size as a result of the testing they've been doing.
Title: Re: Your internet access may die on May 5th
Post by: tonyappuk on April 16, 2010, 08:21:42 PM
I have now changed my DNS servers to be the pair that Plusnet offer as their preferred and alternate. It does seem that website loading is faster which is gratifying and at least I haven't broken anything. However if I do another Replysizetest it says DNSSEC is not enabled by these servers and the buffer/packet sizing is still too small. I think I will wait until after 5th. May and see what happens. Plusnet will surely have to get it right by then.
Tony
Title: Re: Your internet access may die on May 5th
Post by: jeffbb on April 29, 2010, 11:24:43 PM
Hi
May 5th fast approaching  ::)

Checked today and now Both my dns resolvers are OK :)

Regards Jeff
Title: Re: Your internet access may die on May 5th
Post by: roseway on April 30, 2010, 07:21:48 AM
Excellent :)
Title: Re: Your internet access may die on May 5th
Post by: BritBrat on April 30, 2010, 12:20:15 PM
Ours may die but not for that reason.

They are going to move a WW2 bomb past our house to explode it in a safer area than it is at the moment.

We have had police notices about having bags packed ready for evacuation.
Title: Re: Your internet access may die on May 5th
Post by: UncleUB on April 30, 2010, 12:32:57 PM
Quote
They are going to move a WW2 bomb past our house to explode it in a safer area than it is at the moment.

What about here...(https://forum.kitz.co.uk/proxy.php?request=http%3A%2F%2Fwww.raisethehammer.org%2Fstatic%2Fimages%2Fbritish_house_of_parliament_sm.jpg&hash=d4e19ae172a3dd88a5bd0b90ed2126044bda04d6)
Title: Re: Your internet access may die on May 5th
Post by: UncleUB on May 08, 2010, 06:40:06 PM
Well it's past 5th May and I'm still here......are you ?  ;D
Title: Re: Your internet access may die on May 5th
Post by: silversurfer44 on May 08, 2010, 06:58:23 PM
I've just had a look and yes I'm still here.  :crazy:
Title: Re: Your internet access may die on May 5th
Post by: BritBrat on May 08, 2010, 08:59:48 PM
I am still here even though the bomb went bang.