
[Resolved] Level 3 DNS Resolvers Blocking RFC1918 Addresses


doctorquack

Level 3's DNS resolvers that we have been assigned, 4.2.2.1, 4.2.2.2, ... have started to return no answers for any DNS records that contain RFC1918 (Private Address Ranges) in their data.

This effectively blocks out all Spamcop Queries and lets the spam right in.

Here's a particular spam that caught my attention:

** Queried to Google's DNS servers **

[10/25_14:57 root@idns1 etc]# dig 149.87.247.63.bl.spamcop.net @8.8.8.8

; <<>> DiG 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.2 <<>> 149.87.247.63.bl.spamcop.net @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1958
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;149.87.247.63.bl.spamcop.net.  IN	  A

;; ANSWER SECTION:
149.87.247.63.bl.spamcop.net. 2100 IN   A	   127.0.0.2

;; Query time: 75 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Oct 25 14:57:58 2012
;; MSG SIZE  rcvd: 62

** Queried to Level 3's DNS servers **

[10/25_14:56 root@idns1 etc]# dig 149.87.247.63.bl.spamcop.net @4.2.2.1

; <<>> DiG 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.2 <<>> 149.87.247.63.bl.spamcop.net @4.2.2.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6433
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;149.87.247.63.bl.spamcop.net.  IN	  A

;; Query time: 75 msec
;; SERVER: 4.2.2.1#53(4.2.2.1)
;; WHEN: Thu Oct 25 14:57:01 2012
;; MSG SIZE  rcvd: 46

This is not just happening with Spamcop, but with any domain name that has any RFC1918 address as a record. The RFC1918 address-laden records will return no answer, yet records containing publicly routable addresses on the same exact domain will work fine.

I have opened a ticket with my provider who will hopefully open a ticket with Level 3 about this, but if anyone else is experiencing the same issue, hopefully this'll help provide more information.

--Chuck
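
The comparison in the post above, as an added example that is not part of the original post: a Python sketch that classifies dig transcripts for the same DNSBL name from several resolvers and flags a resolver that returns an empty NOERROR while another reports the address as listed. The function names and verdict labels are assumptions made for illustration; the sample input is abridged from the dig output quoted in the post.

```python
import re

# Abridged from the two dig transcripts in the first post (same query name,
# two resolvers); only the lines the parser reads are kept.
GOOGLE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1958
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;149.87.247.63.bl.spamcop.net.  IN  A
;; ANSWER SECTION:
149.87.247.63.bl.spamcop.net. 2100 IN   A   127.0.0.2
"""
LEVEL3 = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6433
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;149.87.247.63.bl.spamcop.net.  IN  A
"""

def dnsbl_name(ip, zone="bl.spamcop.net"):
    """Reverse the IPv4 octets and append the DNSBL zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def classify(dig_text):
    """Map one dig transcript to listed / not-listed / nodata / error."""
    m = re.search(r"status: (\w+)", dig_text)
    status = m.group(1) if m else "UNKNOWN"
    # Answer records are the non-comment lines of the form: name TTL IN A addr
    answers = re.findall(r"^[^;\s]\S*\s+\d+\s+IN\s+A\s+(\S+)\s*$", dig_text, re.M)
    if status == "NXDOMAIN":
        return "not-listed"
    if status == "NOERROR" and any(a.startswith("127.") for a in answers):
        return "listed"
    if status == "NOERROR" and not answers:
        return "nodata"  # empty NOERROR: the symptom described in this thread
    return "error"

def suspect_resolvers(results):
    """results: {resolver: verdict}. Flag resolvers answering 'nodata' for a
    name that at least one other resolver reports as listed."""
    if "listed" not in results.values():
        return []
    return sorted(r for r, v in results.items() if v == "nodata")

if __name__ == "__main__":
    verdicts = {"8.8.8.8": classify(GOOGLE), "4.2.2.1": classify(LEVEL3)}
    print(dnsbl_name("63.247.87.149"), verdicts, suspect_resolvers(verdicts))
```

A mail filter that treats every non-listing response the same way cannot tell the "nodata" case from a genuine "not-listed", which is why the check compares resolvers against each other.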


OK now Chuck?

(querying on 111.224.250.131 which can reliably be found in almost any DNSBL at the moment, 63.247.87.149 has now timed off the SCbl)

C:\Documents and Settings\Admin>nslookup 131.250.224.111.bl.spamcop.net 4.2.2.2
Server:  b.resolvers.Level3.net
Address:  4.2.2.2

Non-authoritative answer:
Name:	131.250.224.111.bl.spamcop.net
Address:  127.0.0.2

C:\Documents and Settings\Admin>nslookup 149.87.247.63.bl.spamcop.net 4.2.2.2
Server:  b.resolvers.Level3.net
Address:  4.2.2.2

*** b.resolvers.Level3.net can't find 149.87.247.63.bl.spamcop.net: Non-existent domain

Steve


My provider was able to contact Level 3 and get their ticket number on the issue.

They're using Anycast and it's apparently only affecting the Chicago and Atlanta US regions in various degrees of capacity.

I am still experiencing the issue with Level 3, but I've updated our DNS servers to forward to a different set of name servers to avoid the problem.

Thanks for checking into this!

Cheers,

Chuck


  • 2 weeks later...

Hello,

Level3 DNS servers are responding with RFC1918 data. Oddly enough the example you used above no longer works:

> dig 149.87.247.63.bl.spamcop.net @8.8.8.8

; <<>> DiG 9.2.4 <<>> 149.87.247.63.bl.spamcop.net @8.8.8.8
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 278
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;149.87.247.63.bl.spamcop.net.  IN	  A

;; AUTHORITY SECTION:
bl.spamcop.net.		 0	   IN	  SOA	 bl.spamcop.net. hostmaster.admin.spamcop.net. 1352048632 3600 1800 3600 0

;; Query time: 34 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Nov  4 17:06:43 2012
;; MSG SIZE  rcvd: 99

Finding a valid spammer address in SCBL, 217.71.248.129 (spamcop.net checkblock for 217.71.248.129), the correct DNS query is 129.248.71.217.bl.spamcop.net, which is returned:

> dig 129.248.71.217.bl.spamcop.net @4.2.2.2

; <<>> DiG 9.2.4 <<>> 129.248.71.217.bl.spamcop.net @4.2.2.2
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2023
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;129.248.71.217.bl.spamcop.net. IN	  A

;; ANSWER SECTION:
129.248.71.217.bl.spamcop.net. 2100 IN  A	   127.0.0.2

;; Query time: 49 msec
;; SERVER: 4.2.2.2#53(4.2.2.2)
;; WHEN: Sun Nov  4 17:11:45 2012
;; MSG SIZE  rcvd: 63

... as it is with Google's DNS servers:

> dig 129.248.71.217.bl.spamcop.net @8.8.8.8

; <<>> DiG 9.2.4 <<>> 129.248.71.217.bl.spamcop.net @8.8.8.8
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2045
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;129.248.71.217.bl.spamcop.net. IN	  A

;; ANSWER SECTION:
129.248.71.217.bl.spamcop.net. 1032 IN  A	   127.0.0.2

;; Query time: 25 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Nov  4 17:12:23 2012
;; MSG SIZE  rcvd: 63

In any event, all the anycast addresses at Level3 are returning RFC1918 addresses.


Thanks Dan. Chuck said this was a regional thing:

... They're using Anycast and it's apparently only affecting the Chicago and Atlanta US regions in various degrees of capacity.

I am still experiencing the issue with Level 3, but I've updated our DNS servers to forward to a different set of name servers to avoid the problem. ...

- understand now working in those (and presumably all) regions, assuming your lookup made from Atlanta. Marking this "Resolved".

Steve
