Transparent Proxies broken

Karnaugh · May 22, 2004

<blockquote id="quote">quote:<hr height="1" noshade id="quote">Bad Gateway
The following error occurred:

Code:

 The host name was not found during the DNS lookup. Contact your system administrator if the problem is not found by retrying the URL. <hr height="1" noshade id="quote"></blockquote id="quote"></font id="quote">

Someone posted about this on the other forum, but this isnt isolated to ADSL.. the whole of bloody SAIX cant browse half the internet atm.

- Colin Alston
colin at alston dot za dot org

"Getting traffic shaping right is easy and can be summed up in one word: Dont." -- George Barnett

neobyte · May 22, 2004

It is not a SAIX problem the DNS in London is down. One of the 13 main ones in the world. Nothing we can really do til it is updated. Just keep refreshing until another DNS will pick you up.

Karnaugh · May 23, 2004

so why arn't the servers cacheing properly and using the other 10 backup DNS servers?

- Colin Alston
colin at alston dot za dot org

"Getting traffic shaping right is easy and can be summed up in one word: Dont." -- George Barnett

neobyte · May 23, 2004

It not just a matter of the other servers picking it up, If one goes down, all the leaf dns servers routed to that one are temporarily disconnected from the rest of the world. This is why the DNS problem was only pertinant to certain domains. Anyway, it was not a server going down, more of a DDos attack. The k.root-server picked up an abnormal amount of traffic this weekend...

Karnaugh · May 23, 2004

<blockquote id="quote">quote:<hr height="1" noshade id="quote">If one goes down, all the leaf dns servers routed to that one are temporarily disconnected from the rest of the world.<hr height="1" noshade id="quote"></blockquote id="quote">

Thats not quite how DNS works.

- Colin Alston
colin at alston dot za dot org

"Getting traffic shaping right is easy and can be summed up in one word: Dont." -- George Barnett

neobyte · May 23, 2004

Yes it is. You want to browse the net your pc contacts your isp's dns server. If that does not have any details about the domain name to ip it will then pass it up to the next level DNS server until eventually a root server is reached. Now, the root server should ad least have enough information to pass you onto another DNS server or even perhaps return the required IP. However, if one of your countries main routed root servers goes down, i.e. the London one or the Stokholm one for us a lot of our european sites will be unable to be resolved unless their domain names are cached locally or an alternate DNS server is used. This is the problem we had over this weekend. It takes time for some of the DNS servers of depth 1 to adjust their resolv tables.

Karnaugh · May 23, 2004

No, fortunatly not.

Your PC contacts your ISP's DNS server (or whatever cacheing DNS server its configured to contact). it then passes it up (generaly straight to the GTLD servers) which point you to the authoritative NS for the domain.

Taking a non-lame DNS server as an example
<blockquote id="quote">quote:<hr height="1" noshade id="quote">
Tracing to foobar.net via ns1.iactive.co.za, timeout 15 seconds
ns1.iactive.co.za (196.25.185.195)
|\___ K.GTLD-SERVERS.net [net] (192.52.178.30)
| |\___ ns2.afternic.com [foobar.net] (65.77.213.184) Got authoritative answer
| \___ ns1.afternic.com [foobar.net] (65.77.213.181) Got authoritative answer
|\___ J.GTLD-SERVERS.net [net] (192.48.79.30)
| |\___ ns2.afternic.com [foobar.net] (65.77.213.184) (cached)
| \___ ns1.afternic.com [foobar.net] (65.77.213.181) (cached)
|\___ I.GTLD-SERVERS.net [net] (192.43.172.30)
| |\___ ns2.afternic.com [foobar.net] (65.77.213.184) (cached)
| \___ ns1.afternic.com [foobar.net] (65.77.213.181) (cached)
|\___ H.GTLD-SERVERS.net [net] (192.54.112.30)
| |\___ ns2.afternic.com [foobar.net] (65.77.213.184) (cached)
| \___ ns1.afternic.com [foobar.net] (65.77.213.181) (cached)
|\___ G.GTLD-SERVERS.net [net] (192.42.93.30)
| |\___ ns2.afternic.com [foobar.net] (65.77.213.184) (cached)
| \___ ns1.afternic.com [foobar.net] (65.77.213.181) (cached)
|\___ F.GTLD-SERVERS.net [net] (192.35.51.30)
| |\___ ns2.afternic.com [foobar.net] (65.77.213.184) (cached)
| \___ ns1.afternic.com [foobar.net] (65.77.213.181) (cached)
|\___ E.GTLD-SERVERS.net [net] (192.12.94.30)
| |\___ ns2.afternic.com [foobar.net] (65.77.213.184) (cached)
| \___ ns1.afternic.com [foobar.net] (65.77.213.181) (cached)
|\___ D.GTLD-SERVERS.net [net] (192.31.80.30)
| |\___ ns2.afternic.com [foobar.net] (65.77.213.184) (cached)
| \___ ns1.afternic.com [foobar.net] (65.77.213.181) (cached)
|\___ C.GTLD-SERVERS.net [net] (192.26.92.30)
| |\___ ns2.afternic.com [foobar.net] (65.77.213.184) (cached)
| \___ ns1.afternic.com [foobar.net] (65.77.213.181) (cached)
|\___ B.GTLD-SERVERS.net [net] (192.33.14.30)
| |\___ ns2.afternic.com [foobar.net] (65.77.213.184) (cached)
| \___ ns1.afternic.com [foobar.net] (65.77.213.181) (cached)
|\___ A.GTLD-SERVERS.net [net] (192.5.6.30)
| |\___ ns2.afternic.com [foobar.net] (65.77.213.184) (cached)
| \___ ns1.afternic.com [foobar.net] (65.77.213.181) (cached)
|\___ M.GTLD-SERVERS.net [net] (192.55.83.30)
| |\___ ns2.afternic.com [foobar.net] (65.77.213.184) (cached)
| \___ ns1.afternic.com [foobar.net] (65.77.213.181) (cached)
\___ L.GTLD-SERVERS.net [net] (192.41.162.30)
|\___ ns2.afternic.com [foobar.net] (65.77.213.184) (cached)
\___ ns1.afternic.com [foobar.net] (65.77.213.181) (cached)
<hr height="1" noshade id="quote"></blockquote id="quote">

as you can see it cascades *all* the worlds DNS servers.

If i use my on non-lame server and firewall off one of the root servers (M first cause thats the order mine chooses)

<blockquote id="quote">quote:<hr height="1" noshade id="quote">
Tracing to foobar.net via 192.168.153.1, timeout 15 seconds
192.168.153.1 (192.168.153.1)
|\___ m.gtld-servers.net [net] (192.55.83.30) * * *
|\___ e.gtld-servers.net [net] (192.12.94.30)
| |\___ ns2.afternic.com [foobar.net] (65.77.213.184) Got authoritative answer
| \___ ns1.afternic.com [foobar.net] (65.77.213.181) Got authoritative answer
<hr height="1" noshade id="quote"></blockquote id="quote">

it moves onto the next root server.

The fact of the matter is the transproxy should be configured properly to cope with such a situation (If my machine knew the IP to connect to the server then howcome SAIX's didnt? If the domain did infact not exist my machine would never have been routed to the transparent proxy). Root domain and GTLD's are never hosted in only one place, thats the entire point of the distributed root servers.

- Colin Alston
colin at alston dot za dot org

"Getting traffic shaping right is easy and can be summed up in one word: Dont." -- George Barnett

mithrandi · May 23, 2004

<blockquote id="quote">quote:<hr height="1" noshade id="quote">Yes it is. You want to browse the net your pc contacts your isp's dns server. If that does not have any details about the domain name to ip it will then pass it up to the next level DNS server until eventually a root server is reached.<hr height="1" noshade id="quote"></blockquote id="quote">
No, no, and no. Your ISP's caching DNS resolver starts at the root servers.

<blockquote id="quote">quote:<hr height="1" noshade id="quote">Now, the root server should ad least have enough information to pass you onto another DNS server or even perhaps return the required IP. However, if one of your countries main routed root servers goes down, i.e. the London one or the Stokholm one for us a lot of our european sites will be unable to be resolved unless their domain names are cached locally or an alternate DNS server is used.<hr height="1" noshade id="quote"></blockquote id="quote">
Wrong too. The geographic location of the root server has absolutely nothing whatsoever to do with whether it is queried or not. Sane resolvers contact the authoritative servers for a domain in random order, while insane resolvers (like bind) have some other retarded algorithm they use; regardless, if querying one authoritative server fails.

<blockquote id="quote">quote:<hr height="1" noshade id="quote">This is the problem we had over this weekend. It takes time for some of the DNS servers of depth 1 to adjust their resolv tables.<hr height="1" noshade id="quote"></blockquote id="quote">
There is nothing to adjust.

<hr noshade size="1">mithrandi, i Ainil en-Balandor, a faer Ambar

podo · May 23, 2004

The problem, as has been correctly pointed out by both Karnaugh and mithrandi, is that Telkom's DNS servers are not correctly set up.

They are probably lame servers just forwarding off something else, to save Telkom the possible one or two megabytes extra per day that they would need to send over SAT3 to query the root servers propertly.

Since the transparent proxies will always use Telkom's DNS servers, if Telkom break their DNS servers, they break their proxies, and we can't do anything about it.

If they had this set up right, their DNS would just fail over to another root server, and there would be no problem.

Willie Viljoen
Web Developer

Adaptive Web Development

mbs · May 23, 2004

Which brings us to the point - somebody at Telkom/SAIX needs to be severely reprimanded at the very least, if not fired for incompetency. This is simply unacceptable, and more than justifies appropriate disciplinary action. The embarrasment extends to issues of national standing - if Telkom/SAIX cannot be relied upon for something as simple as this, what the devil gives us the comfort of knowing that we would be able to cope with telecoms issues into Africa (a la NEPAD), let alone the rest of the world? If any Telkom/SAIX employee happens to read this thread, you would be more than justified in ensuring this is seen, referenced and actioned by your senior management...

Transparent Proxies broken

Karnaugh

Banned

neobyte

Well-Known Member

Karnaugh

Banned

neobyte

Well-Known Member

Karnaugh

Banned

neobyte

Well-Known Member

Karnaugh

Banned

mithrandi

Well-Known Member

podo

Well-Known Member

mbs

Expert Member