doctorquack Posted October 25, 2012

Level 3's DNS resolvers that we have been assigned, 4.2.2.1, 4.2.2.2, ... have started to return no answers for any DNS records that contain RFC1918 (Private Address Ranges) in their data. This effectively blocks out all Spamcop Queries and lets the spam right in.

Here's a particular spam that caught my attention:

** Queried to Google's DNS servers **

    [10/25_14:57 root[at]idns1 etc]# dig 149.87.247.63.bl.spamcop.net [at]8.8.8.8

    ; <<>> DiG 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.2 <<>> 149.87.247.63.bl.spamcop.net [at]8.8.8.8
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1958
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;149.87.247.63.bl.spamcop.net. IN A

    ;; ANSWER SECTION:
    149.87.247.63.bl.spamcop.net. 2100 IN A 127.0.0.2

    ;; Query time: 75 msec
    ;; SERVER: 8.8.8.8#53(8.8.8.8)
    ;; WHEN: Thu Oct 25 14:57:58 2012
    ;; MSG SIZE rcvd: 62

** Queried to Level 3's DNS servers **

    [10/25_14:56 root[at]idns1 etc]# dig 149.87.247.63.bl.spamcop.net [at]4.2.2.1

    ; <<>> DiG 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.2 <<>> 149.87.247.63.bl.spamcop.net [at]4.2.2.1
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6433
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;149.87.247.63.bl.spamcop.net. IN A

    ;; Query time: 75 msec
    ;; SERVER: 4.2.2.1#53(4.2.2.1)
    ;; WHEN: Thu Oct 25 14:57:01 2012
    ;; MSG SIZE rcvd: 46

This is not just happening with Spamcop, but with any domain name that has any RFC1918 address as a record. The RFC1918 address-laden records will return no answer, yet records containing publicly routeable addresses on the same exact domain will work fine.

I have opened a ticket with my provider who will hopefully open a ticket with Level 3 about this, but if anyone else is experiencing the same issue, hopefully this'll help provide more information.

--Chuck
Farelf Posted October 26, 2012

OK now Chuck? (querying on 111.224.250.131 which can reliably be found in almost any DNSBL at the moment, 63.247.87.149 has now timed off the SCbl)

    C:\Documents and Settings\Admin>nslookup 131.250.224.111.bl.spamcop.net 4.2.2.2
    Server: b.resolvers.Level3.net
    Address: 4.2.2.2

    Non-authoritative answer:
    Name: 131.250.224.111.bl.spamcop.net
    Address: 127.0.0.2

    C:\Documents and Settings\Admin>nslookup 149.87.247.63.bl.spamcop.net 4.2.2.2
    Server: b.resolvers.Level3.net
    Address: 4.2.2.2

    *** b.resolvers.Level3.net can't find 149.87.247.63.bl.spamcop.net: Non-existent domain

Steve
doctorquack Posted October 26, 2012

My provider was able to contact Level 3 and get their ticket number on the issue. They're using Anycast and it's apparently only affecting the Chicago and Atlanta US regions in various degrees of capacity.

I am still experiencing the issue with Level 3, but I've updated our DNS servers to forward to a different set of name servers to avoid the problem.

Thanks for checking into this!

Cheers,
Chuck
Farelf Posted October 26, 2012

Thanks Chuck. Will leave this open (rather than "Resolved") until we hear the problem with Level 3-Anycast has been fixed.

Steve
dluther Posted November 4, 2012

Hello,

Level3 DNS servers are responding with RFC1918 data. Oddly enough the example you used above no longer works:

    > dig 149.87.247.63.bl.spamcop.net [at]8.8.8.8

    ; <<>> DiG 9.2.4 <<>> 149.87.247.63.bl.spamcop.net [at]8.8.8.8
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 278
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;149.87.247.63.bl.spamcop.net. IN A

    ;; AUTHORITY SECTION:
    bl.spamcop.net. 0 IN SOA bl.spamcop.net. hostmaster.admin.spamcop.net. 1352048632 3600 1800 3600 0

    ;; Query time: 34 msec
    ;; SERVER: 8.8.8.8#53(8.8.8.8)
    ;; WHEN: Sun Nov 4 17:06:43 2012
    ;; MSG SIZE rcvd: 99

Finding a valid spammer address in SCBL, 217.71.248.129 (spamcop.net checkblock for 217.71.248.129), the correct DNS query is 129.248.71.217.bl.spamcop.net, which is returned:

    > dig 129.248.71.217.bl.spamcop.net [at]4.2.2.2

    ; <<>> DiG 9.2.4 <<>> 129.248.71.217.bl.spamcop.net [at]4.2.2.2
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2023
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;129.248.71.217.bl.spamcop.net. IN A

    ;; ANSWER SECTION:
    129.248.71.217.bl.spamcop.net. 2100 IN A 127.0.0.2

    ;; Query time: 49 msec
    ;; SERVER: 4.2.2.2#53(4.2.2.2)
    ;; WHEN: Sun Nov 4 17:11:45 2012
    ;; MSG SIZE rcvd: 63

... as it is with Google's DNS servers:

    > dig 129.248.71.217.bl.spamcop.net [at]8.8.8.8

    ; <<>> DiG 9.2.4 <<>> 129.248.71.217.bl.spamcop.net [at]8.8.8.8
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2045
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;129.248.71.217.bl.spamcop.net. IN A

    ;; ANSWER SECTION:
    129.248.71.217.bl.spamcop.net. 1032 IN A 127.0.0.2

    ;; Query time: 25 msec
    ;; SERVER: 8.8.8.8#53(8.8.8.8)
    ;; WHEN: Sun Nov 4 17:12:23 2012
    ;; MSG SIZE rcvd: 63

In any event, all the anycast addresses at Level3 are returning RFC1918 addresses.
Farelf Posted November 5, 2012

Thanks Dan. Chuck said this was a regional thing:

    ... They're using Anycast and it's apparently only affecting the Chicago and Atlanta US regions in various degrees of capacity. I am still experiencing the issue with Level 3, but I've updated our DNS servers to forward to a different set of name servers to avoid the problem. ...

- understand now working in those (and presumably all) regions, assuming your lookup made from Atlanta. Marking this "Resolved".

Steve
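
Added example (not part of the original thread, and not SpamCop's or Level 3's code): a Python check for the symptom in the first post, where one resolver returns NOERROR with zero answers for a DNSBL name that another resolver reports as listed. The function names are hypothetical, and the two sample responses are trimmed from the dig output quoted in that post.

```python
import ipaddress
import re
import subprocess

# Trimmed from the two dig responses in the first post (same name, two resolvers).
SAMPLE_GOOGLE = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1958
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;149.87.247.63.bl.spamcop.net. IN A
149.87.247.63.bl.spamcop.net. 2100 IN A 127.0.0.2
"""
SAMPLE_LEVEL3 = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6433
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;149.87.247.63.bl.spamcop.net. IN A
"""

def dnsbl_name(ip, zone="bl.spamcop.net"):
    """Build the DNSBL query name: reversed IPv4 octets plus the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def dig(name, resolver):
    """Query one resolver (needs the dig binary and network access)."""
    cmd = ["dig", "+noall", "+comments", "+answer", name, "@" + resolver]
    return subprocess.run(cmd, capture_output=True, text=True, timeout=10).stdout

def classify(dig_output):
    """Map a dig response for a DNSBL A query to a verdict."""
    m = re.search(r"status: (\w+)", dig_output)
    status = m.group(1) if m else "UNKNOWN"
    answers = re.findall(r"^[^;\s]\S*\s+\d+\s+IN\s+A\s+(\S+)\s*$", dig_output, re.M)
    if status == "NOERROR" and any(a.startswith("127.") for a in answers):
        return "LISTED"
    if status == "NXDOMAIN":
        return "NOT_LISTED"  # the normal DNSBL reply for an unlisted address
    if status == "NOERROR" and not answers:
        return "EMPTY_NOERROR"  # neither a listing nor NXDOMAIN
    return "ERROR"

def suspect_resolvers(outputs):
    """outputs maps resolver -> dig text for the SAME name. Return resolvers
    that gave an empty NOERROR while another resolver saw the listing."""
    verdicts = {r: classify(text) for r, text in outputs.items()}
    if "LISTED" not in verdicts.values():
        return []
    return sorted(r for r, v in verdicts.items() if v == "EMPTY_NOERROR")

if __name__ == "__main__":
    print(suspect_resolvers({"8.8.8.8": SAMPLE_GOOGLE, "4.2.2.1": SAMPLE_LEVEL3}))
```

For a live comparison, feed `suspect_resolvers` the output of `dig(dnsbl_name(ip), resolver)` for each forwarder a mail server is configured to use.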