LinuxQuestions.org
Old 02-28-2012, 12:18 PM   #1
Skaperen
Senior Member
 
Registered: May 2009
Location: WV, USA
Distribution: Xubuntu, Slackware, Amazon Linux
Posts: 1,903
Blog Entries: 21

unbound resolving name server incompatible with ftc.gov


It seems that ftc.gov's name server (this is the only name server I've seen the issue with) is not compatible with the resolving name server unbound. They also fail to complete with the dig command in +trace mode. Other agencies I access work fine (like fcc.gov, bls.gov, and ed.gov).
 
Old 02-29-2012, 09:45 AM   #2
lisle2011
Member
 
Registered: Mar 2011
Location: Surrey B.C. Canada (Metro Vancouver)
Distribution: Slackware 2.6.33.4-smp
Posts: 183
Blog Entries: 1

Unbound's reluctance to get server info

I read about unbound - it is also intended to be compiled into software as a stub resolver. So are you using software that has unbound linked into it?
 
Old 03-04-2012, 08:29 PM   #3
Skaperen
Senior Member
 
Registered: May 2009
Location: WV, USA
Distribution: Xubuntu, Slackware, Amazon Linux
Posts: 1,903

Original Poster
Blog Entries: 21

Rep: Reputation: 126Reputation: 126
Quote:
Originally Posted by lisle2011:
I read about unbound - it is also intended to be compiled into software as a stub resolver. So are you using software that has unbound linked into it?
No. I just installed it as a DNS server listening on port 53 of certain addresses, and put those addresses in /etc/resolv.conf on "nameserver" lines. It works fine everywhere else. I'm wondering if maybe FTC.GOV deployed some extreme level of DNSSEC that isn't working in unbound.
 
Old 03-05-2012, 07:43 AM   #4
lisle2011
Member
Unbound reluctance to get server info - more

Please visit this page on the specified site:

http://www.ftc.gov/ftc/sitepolicy/index.shtm

Read the following statement on the site carefully:

Quote:
For site security purposes and to ensure that this service remains available to all users, this government computer system employs software programs to monitor network traffic to identify unauthorized attempts to upload or change information, or otherwise cause damage. By using this site, you are agreeing to such security monitoring. If such monitoring reveals evidence of possible abuse or criminal activity, the evidence may be provided to appropriate law enforcement officials. Unauthorized attempts to upload or change information on this service are strictly prohibited and may be punishable by law, including the Computer Fraud and Abuse Act of 1986 and the National Information Infrastructure Protection Act.
It is quite clear that restrictive monitoring is employed. Whatever that may actually mean, I take it to mean that they do not wish to have repeated requests from the same IP address or group of IP addresses making requests to port 53. It also states clearly that links to their site, and specific items in particular, are NOT prohibited; however, they monitor all activity in this respect and check out the sites that are linking.

Port 53 is notorious for breaches and subsequent compromises and it is more than likely that by repeatedly requesting DNS information directly from their servers you have made yourself suspicious. Just because you have no difficulty doing the same on other .gov sites does not mean you are free to do so on this particular site.

There are many ways to dissuade unwanted guests without resorting to extreme tactics, and it would appear you have been thwarted; had you read their policies, you would be clear about what it is that keeps you in "good standing" with that particular government agency.

You have never made it clear WHY you need to make these requests, and your speculation concerning their methods is somewhat suspicious, as linking to their site does not require you to make requests to port 53. Your speculations have no merit regarding DNSSEC and you may be wise to satisfy yourself with things as they are. Further incursions to try and establish their security measures could be considered in a criminal context from their perspective.

I am not implying that you are a criminal, only that persistence will not make great friends with this site.
 
Old 03-05-2012, 04:19 PM   #5
Skaperen
Senior Member
 
Registered: May 2009
Location: WV, USA
Distribution: Xubuntu, Slackware, Amazon Linux
Posts: 1,903

Original Poster
Blog Entries: 21

Rep: Reputation: 126Reputation: 126
I do not think persistence would be an issue. Their site was broken on the very first attempt to access it. I've also verified that the DNS failure happens exactly the same way from other servers running the same software, that had never queried their server before (because it was a new server). Government agencies like BLS, CIA, DoED, FAA, FCC, NOAA, NSA, and Whitehouse.Gov answer just fine. And I would think at least a couple of those agencies would need, and know how to deploy, greater security than FTC (just guessing).

I think it is some software compatibility issue. THEIR server software just doesn't like the way UNBOUND forms the queries. But I am not yet able to determine much about that because their server is the only one I've ever had this kind of trouble with. I access perhaps a couple hundred different websites a day. But I'm 100% sure they are not running an unmodified BIND or NSD as those are fully compatible with UNBOUND. If they need security on an authoritative DNS server, they should run NSD on OpenBSD.

OTOH, it might be nice if I could get all those AD SERVER companies to use that DNS software FTC uses.

Last edited by Skaperen; 03-05-2012 at 04:23 PM.
 
Old 03-05-2012, 04:34 PM   #6
Skaperen
Senior Member
 
Registered: May 2009
Location: WV, USA
Distribution: Xubuntu, Slackware, Amazon Linux
Posts: 1,903

Original Poster
Blog Entries: 21

Rep: Reputation: 126Reputation: 126
Quote:
Originally Posted by lisle2011:
Please visit this page on the specified site:

http://www.ftc.gov/ftc/sitepolicy/index.shtm
That's not possible because of the problem with their DNS server.

Quote:
Originally Posted by lisle2011:
You have never made it clear WHY you need to make these requests, and your speculation concerning their methods is somewhat suspicious, as linking to their site does not require you to make requests to port 53. Your speculations have no merit regarding DNSSEC and you may be wise to satisfy yourself with things as they are. Further incursions to try and establish their security measures could be considered in a criminal context from their perspective.
I am NOT linking to their site. I'm trying to VISIT their site. In order to visit their site, a DNS query is required to get the IP address of the site. If the DNS cache does not have the answer, then the DNS cache finds the answer by doing the query recursively to get that answer.

Quote:
Originally Posted by lisle2011:
I am not implying that you are a criminal, only that persistence will not make great friends with this site.
Is a couple dozen DNS queries really considered persistence?

FYI, unbound is a standalone resolving cache server software. You can run it instead of any of a few other resolvers. I chose it for its lean design, simple configuration, and still leaving me in control. But maybe it has a small isolated obscure bug that affects no other domain but FTC.GOV.
 
Old 03-07-2012, 12:12 PM   #7
lisle2011
Member
Unbound and U.S. ftc.gov site

You do not need to get an ip address. I gave you the web address, type it in your browser and the site will appear.

Further discussion with you is useless.
 
Old 03-08-2012, 01:47 PM   #8
Skaperen
Senior Member
 
Registered: May 2009
Location: WV, USA
Distribution: Xubuntu, Slackware, Amazon Linux
Posts: 1,903

Original Poster
Blog Entries: 21

Rep: Reputation: 126Reputation: 126
Quote:
Originally Posted by lisle2011:
You do not need to get an ip address. I gave you the web address, type it in your browser and the site will appear.
You are wrong, it does not appear.

Quote:
Originally Posted by lisle2011:
Further discussion with you is useless.
No, YOU are NOT reading what is posted. It DOES NOT WORK to just put the "web address" (host NAME) in the browser. It has already been diagnosed that this FAILS because the FTC.GOV DNS server never sends an answer to my DNS server.

Maybe YOU do not understand the role of DNS in visiting a website?

THIS thread was started to discover WHY this failure is happening. So far it appears to be a classic "corner case" where it is yet to be determined which "wall" is the cause of the problem. Is the "unbound" software broken (by sending slightly "off" queries that most DNS servers will answer anyway, but FTC.GOV is being pedantic about and refusing to answer)? Or is FTC.GOV's DNS server broken (I have no idea what software they run)?

Your "answers" have been completely unhelpful. The only thing I want to know is whether you failed to actually read the thread, or fail to understand how putting a hostname in a browser results in a DNS lookup and so depends on DNS actually working right.

Quote:
Originally Posted by lisle2011:
If I have been of any help give me a pat on the back (add to my reputation)
You won't get much reputation when you don't understand what is going on.
 
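Posts #6 and #8 frame the real question: does unbound send something in its upstream queries that this one authoritative server refuses, while a plainer query would be answered? A recursive resolver like unbound does not send the bare 512-byte query a stub sends: it adds an EDNS0 OPT record advertising a large UDP buffer and, in a default configuration, sets the DO bit asking for DNSSEC records, which makes answers from a signed zone much larger. The practitioner's check is to send each query shape directly to the authoritative server and see which one gets no reply. The following Python probe does that by building the three packets by hand; it is an added example for this thread, not the poster's code and not unbound's. The wire layouts follow RFC 1035 and RFC 6891, the server address and name on the command line are whatever you supply (find the authoritative IPs with `dig NS ftc.gov` first), and `SAMPLE_RESPONSE` is a constructed packet, not a capture from any real server. The thread itself never establishes what the FTC server actually does; the probe only tells you which query shape fails.

```python
"""Probe one DNS server with the three query shapes a resolver might send.

Added example for this thread; it is not the poster's code and not unbound's.
Wire format follows RFC 1035 (header/question/RR) and RFC 6891 (EDNS0 OPT).
SAMPLE_RESPONSE below is a constructed packet, not a capture from a real server.
"""
import socket
import struct

OPT = 41  # RR type of the EDNS0 pseudo-record


def encode_name(name):
    """'www.ftc.gov' -> b'\\x03www\\x03ftc\\x03gov\\x00' (RFC 1035 labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=1, txid=0x1234, edns=False, do=False, bufsize=4096):
    """Build a raw UDP query for `name` (default qtype 1 = A).

    edns=False         -> bare query, what a stub or `dig +noedns` sends
    edns=True          -> adds an OPT record advertising `bufsize` bytes
    edns=True, do=True -> also sets the DO bit, as a validating recursive
                          resolver such as unbound does
    txid is fixed for reproducibility; a real resolver randomises it.
    """
    arcount = 1 if edns else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD=1
    question = encode_name(name) + struct.pack("!HH", qtype, 1)       # class IN
    pkt = header + question
    if edns:
        # OPT RR: root name, TYPE=41, CLASS=UDP payload size,
        # TTL=ext-rcode(8)|version(8)|flags(16); DO is the top flag bit.
        flags = 0x8000 if do else 0
        pkt += b"\x00" + struct.pack("!HHIH", OPT, bufsize, flags, 0)
    return pkt


def skip_name(buf, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, then done
            return off + 2
        off += length + 1


def parse_response(buf):
    """Pull out the header bits and any OPT record from a raw reply."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", buf[:12])
    info = {"id": txid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rcode": flags & 0xF, "answers": an,
            "edns": False, "do": False, "bufsize": None}
    off = 12
    for _ in range(qd):
        off = skip_name(buf, off) + 4            # qtype + qclass
    for _ in range(an + ns):
        off = skip_name(buf, off)
        rdlen = struct.unpack("!HHIH", buf[off:off + 10])[3]
        off += 10 + rdlen
    for _ in range(ar):
        off = skip_name(buf, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        if rtype == OPT:
            info["edns"], info["bufsize"], info["do"] = True, rclass, bool(ttl & 0x8000)
        off += 10 + rdlen
    return info


def diagnose(plain, edns, edns_do):
    """Each argument is parse_response() output, or None if the query timed out."""
    if plain is None:
        return "no answer even to a plain query: routing, firewall or the server itself"
    if edns is None:
        return "plain answered but EDNS0 query timed out: server or middlebox drops OPT"
    if edns_do is None:
        return "EDNS0 fine but DO-bit query timed out: large DNSSEC answer (fragments) dropped"
    if edns_do["tc"]:
        return "DO answer truncated: resolver must retry over TCP, check TCP/53 reachability"
    return "all three shapes answered: look elsewhere (delegation, glue, referral loop)"


def probe(server, name, timeout=3.0, **opts):
    """Send one raw UDP query to server:53; return parsed reply or None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, **opts), (server, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_response(data)


# Constructed reply: QR/RD/RA set, one A answer, one OPT (bufsize 1232, DO set).
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)
    + encode_name("www.example.com") + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([93, 184, 216, 34])
    + b"\x00" + struct.pack("!HHIH", OPT, 1232, 0x8000, 0)
)

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:                      # dnsprobe.py <server-ip> <name>
        server, name = sys.argv[1], sys.argv[2]
        print(diagnose(probe(server, name),
                       probe(server, name, edns=True),
                       probe(server, name, edns=True, do=True)))
    else:
        print(parse_response(SAMPLE_RESPONSE))  # offline demo on the constructed packet
```

The same three probes can be typed with dig against an authoritative IP (`+noedns`, default EDNS0, `+dnssec`, plus `+tcp` and `+bufsize=512` to test the fallbacks), which is why `dig +trace` failing in the same way as unbound is itself a clue: both use EDNS0. If only the DO-bit or large-buffer shape times out, the fault is on the path to or in that server, not in how unbound "forms" queries, and unbound's `edns-buffer-size` setting is the knob to lower while the zone operator is contacted.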