Hi. I'm jon.404, a Unix/Linux/Database/Openstack/Kubernetes Administrator, AWS/GCP/Azure Engineer, mathematics enthusiast, and amateur philosopher. This is where I rant about that which upsets me, laugh about that which amuses me, and jabber about that which holds my interest most: *nix.

To dish or not to dish...

Posted 03-15-2015 at 04:06 PM by rocket357
Updated 03-15-2015 at 04:17 PM by rocket357

I've been bashing Comcast a lot lately, but today an even stranger "let's piss Jonathon off" event took place. See, we use Comcast for internet service only. I'd like to be in a position to go with fiber, but until we buy that dream house up on the hill, I'll have to settle (to be completely honest, Comcast isn't all *that* bad as I have written them up to be). I've configured a bunch of "obfuscating" services, such as tor, dnscrypt, etc... so Comcast knows as little as possible about our setup, but today that all came crashing down because of...Dish Network (our TV provider).

How could Dish Network affect my Comcast services, you ask? Read on!

I run a dnscrypt server that I route all traffic to (save .onion, of course). This single dnscrypt server works fantastically well. It has very low latency and is running on OpenBSD. In short, I'm quite fond of it.

Apparently Dish Network doesn't share that enthusiasm, but I'll get to that in a moment.

The problem reared its ugly head as failed DNS queries. Chrome kept complaining that it couldn't resolve whatever address I was trying to go to. It's odd, I think, so I log in to the firewall and test the config:

dig +short @127.0.0.1 -p 53 www.google.com # unbound...this fails
dig +short @127.0.0.1 -p 40 www.google.com # dnscrypt-proxy...this, oddly, is quite successful

Hrmmm. Restart unbound, and yay! it works again!

A bit later, Chrome complains again that DNS is failing. Log in to the firewall and test...same results. Unbound is acting really strange. I restart it, and all is well again.

The next time it happens, I run "tcpdump -Xvvvnei lo0 host 127.0.0.1 port 40" and watch. I see a few odds and ends pass through, then I see a flurry of queries from our hopper and joeys. They're trying to resolve 'www.dishaccess.tv', and dnscrypt sends a SERVFAIL. Unbound goes "whelp, this path is failing!" and starts returning SERVFAIL for everything. Doh!

Hrmmmm...this has me wondering why the dnscrypt server is having an issue. Log in to the server and run a few queries.

dig +short @127.0.0.1 www.dishaccess.tv # unbound...this fails here, too
dig +short @8.8.8.8 www.dishaccess.tv # google's resolver works...hrmmmm
dig @8.8.8.8 -t SOA www.dishaccess.tv # google...works
dig @8.8.8.8 -t NS www.dishaccess.tv # google...works
dig @66.170.250.100 www.dishaccess.tv # ns-01.dish.com, as returned by google
no servers could be reached.

Seriously? Dish Network is **blocking** my resolver? What point could that possibly serve? I ended up stubbing dish addresses off to google's resolver, and all is back to normal now.

Your move, dish.
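
The workaround from the last paragraph, sketched as an unbound.conf fragment. This is an added example, not the author's actual configuration: it assumes Unbound forwards everything to dnscrypt-proxy on 127.0.0.1 port 40 (as in the dig tests above) and that the exception is a forward-zone for dishaccess.tv pointing at 8.8.8.8.

```conf
# unbound.conf fragment (added example; address and port come from the dig
# tests in the post, the choice of zone is an assumption)

server:
    # Unbound does not send queries to localhost by default; forwarding to a
    # local dnscrypt-proxy needs this switched off.
    do-not-query-localhost: no

# Default path: every name goes to dnscrypt-proxy on 127.0.0.1 port 40,
# which carries the query encrypted to the remote dnscrypt server.
forward-zone:
    name: "."
    forward-addr: 127.0.0.1@40

# Exception: the most specific forward-zone wins, so names under
# dishaccess.tv skip dnscrypt-proxy and go straight to Google's resolver.
# Trade-off: these queries leave the network as plain DNS and are visible
# to the ISP, so keep the exception as narrow as the devices allow.
forward-zone:
    name: "dishaccess.tv."
    forward-addr: 8.8.8.8
```

After reloading Unbound, `dig +short @127.0.0.1 -p 53 www.dishaccess.tv` should answer through the exception while all other names still resolve through port 40.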