broken DNS proxying at public wireless hotspots
Peter Dambier
peter at peter-dambier.de
Sat Feb 3 09:48:18 UTC 2007
I am running djbdns and my own root-server (tinydns) on my laptop.
To axfr the root and some other zones, I use port 3001 (Cesidian
Root). With cloned (not actually slaved) zones I have no
problem at all but others might still get me.
I have seen the Mac can use things like
nameserver 192.168.208.228:3001
in its /etc/resolv.conf; Linux cannot. That is why I have not
tried. Anyhow there are not many open resolvers on port 3001.
You can run bind on your laptop (even with windows). I don't
know if you can tell it to use other ports than 53 for the
forwarders - but you have the source. Dig can do it.
In case you need ip-addresses for djbdns, try
ifconfig lo:1 127.0.1.16 netmask 255.255.255.0
ifconfig lo:2 127.0.2.16 netmask 255.255.255.0
Now you have enough ip-addresses to run dnscache, tinydns and
axfrdns on one and the same laptop, even when your ip-address
to the wlan is constantly changing.
Cheers
Peter and Karin
Suresh Ramasubramanian wrote:
>
> Right now, I'm on a swisscom eurospot wifi connection at Paris
> airport, and this - yet again - has a DNS proxy setup so that the
> first few queries for a host will return some nonsense value like
> 1.2.3.4, or will return the records for com instead. Some 4 or 5
> minutes later, the dns server might actually return the right dns
> record.
>
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25634
> ;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 11
> ;; QUESTION SECTION:
> ;www.kcircle.com. IN A
> ;; AUTHORITY SECTION:
> com. 172573 IN NS j.gtld-servers.net.
> com. 172573 IN NS k.gtld-servers.net.
>
> [etc]
> ;; Query time: 1032 msec
> ;; SERVER: 192.168.48.1#53(192.168.48.1)
> ;; WHEN: Sat Feb 3 11:33:07 2007
> ;; MSG SIZE rcvd: 433
>
> They're not the first provider I've seen doing this, and the obvious
> workarounds (setting another NS in resolv.conf, or running a local dns
> caching resolver) don't work either as all dns traffic is proxied.
> Sure I could route dns queries out through a ssh tunnel but the
> latency makes this kind of thing unusable at times. I'm then reduced
> to hardwiring some critical work server IPs into /etc/hosts.
>
> What do nanogers usually do when caught in a situation like this?
>
> thanks
> srs
>
--
Peter and Karin Dambier
Cesidian Root - Radice Cesidiana
Rimbacher-Strasse 16
D-69509 Moerlenbach-Bonsweiher
+49(6209)795-816 (Telekom)
+49(6252)750-308 (VoIP: sipgate.de)
mail: peter at peter-dambier.de
mail: peter at echnaton.serveftp.com
http://iason.site.voila.fr/
https://sourceforge.net/projects/iason/
http://www.cesidianroot.com/
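As an added check for the symptom Suresh describes (not code from the thread or from either poster): a Python classifier over dig-style output that flags a reply from a resolver advertising recursion ("ra") which carries no answer, only NS records for a parent zone of the name asked for. The two samples are constructed to match the shape of the quoted dig output; 192.0.2.10 is a documentation-range placeholder, not the real record.

```python
import re

# Constructed sample in the shape of the dig output quoted in the thread: the
# resolver sets "ra" yet returns NOERROR, zero answers and only com. NS records.
HOTSPOT_DIG = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25634
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 11
;; QUESTION SECTION:
;www.kcircle.com. IN A
;; AUTHORITY SECTION:
com. 172573 IN NS j.gtld-servers.net.
com. 172573 IN NS k.gtld-servers.net.
"""
# Constructed sample of a healthy reply (192.0.2.10 is a documentation address).
GOOD_DIG = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.kcircle.com. IN A
;; ANSWER SECTION:
www.kcircle.com. 3600 IN A 192.0.2.10
"""

def parse_dig(text):
    """Return (status, flags, qname, {section: [(owner, rtype, rdata), ...]})."""
    status = re.search(r"status: (\w+)", text).group(1)
    flags = re.search(r"flags: ([a-z ]*);", text).group(1).split()
    qname = re.search(r"^;(\S+)\s+IN\s+\w+", text, re.M).group(1).lower()
    sections, current = {}, None
    for line in text.splitlines():
        m = re.match(r";; (\w+) SECTION:", line)
        if m:
            current = m.group(1)
        elif current and line and not line.startswith(";"):
            owner, _ttl, _cls, rtype, rdata = line.split(None, 4)
            sections.setdefault(current, []).append((owner.lower(), rtype, rdata))
    return status, flags, qname, sections

def classify(text):
    """'answer', 'nxdomain', 'other', or 'referral_instead_of_answer' (the hotspot
    symptom: recursion claimed, no answer, only NS records for an ancestor zone)."""
    status, flags, qname, sections = parse_dig(text)
    if status == "NXDOMAIN":
        return "nxdomain"
    if any(o == qname and t == "A" for o, t, _ in sections.get("ANSWER", [])):
        return "answer"
    parent_ns = [o for o, t, _ in sections.get("AUTHORITY", [])
                 if t == "NS" and o != qname and qname.endswith("." + o)]
    if status == "NOERROR" and "ra" in flags and parent_ns:
        return "referral_instead_of_answer"
    return "other"
```

Feed it the output of `dig` against the hotspot resolver and against a resolver reached over a trusted path; a name that classifies as a referral on one and an answer on the other is being proxied.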