FULL DISCLOSURE: this is an end-user issue, but one that might have some operational relevance, particularly if anyone from Cloudflare DNS is on the list

EXECUTIVE SUMMARY: twice in six weeks Cloudflare DNS on my new Netgear Orbi cable modem/mesh WiFi hotspot has completely lost track of one (and only one that I know of) prominent US domain: usbank dot com

Internet provider: Comcast/Xfinity "Extreme Pro+"
Dynamic IP address via Comcast that hasn't changed in six-seven years
New Netgear Orbi cable modem, configured with DNS through Cloudflare (1.1.1.1 and 1.0.0.1)

Again, twice in 6 weeks Cloudflare DNS seems to lose complete track of usbank dot com as a domain

Symptoms: Firefox on Ubuntu Linux returns that little puzzled dinosaur cartoon thing and "We can't seem to find this website right now"

BUT ALSO:

Each one of ping, traceroute, dig and host returns

Host usbank . com not found: 2(SERVFAIL)

or some variant thereof

Everything else works "just fine" as the saying goes

And the Cloudflare DNS drop lasted for days the first time around

I can switch over to Google DNS (8.8.8.8 and 8.4.4.8) in the Orbi and immediately fix the problem

So. Seems odd that Cloudflare DNS would apparently lose complete track of a major US domain name like usbank dot com

Or am I missing something?

- John

--
John Sage
FinchHaven Digital Photography
Email: jsage@finchhaven.com
Web: https://finchhaven.smugmug.com/
Old web: http://www.finchhaven.com/
Again, twice in 6 weeks Cloudflare DNS seems to lose complete track of usbank dot com as a domain.

All the name servers for that domain are placed in that same domain. That in itself perhaps isn't a problem. However, they also all have IPv4 addresses (no IPv6 in sight) in the same /16 which is routed as a single entity in the global routing table. Thus, if that network should fall off the net from Cloudflare's (or any other recursive resolver operator's) perspective for some reason or other, the names in that domain will all be unresolvable, and a recursive resolver which is unable to reach any of the publishing name servers will return SERVFAIL.

Regards,

- Håvard
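The three conditions Håvard points at (every NS name inside the zone itself, no IPv6, every address inside one routed prefix) can be checked mechanically from the output of `dig +noall +answer`. The script below is an added example and is not code from the thread or from any resolver project; the zone `example.com`, its name server names and the 198.51.100.x / 2001:db8:: addresses are constructed sample data, and aggregating IPv4 addresses to a /16 (and IPv6 to a /32) is an assumed stand-in for looking the real covering prefix up in a routing table.

```python
"""Delegation single-point-of-failure check (added example, not from the thread).

Given a zone's NS records and the addresses of those name servers, for
instance pasted from `dig +noall +answer`, report the conditions that make a
zone vanish for every recursive resolver at once: all NS names inside the
zone, no IPv6 glue, and all addresses inside one routed prefix. The zone,
host names and addresses below are constructed sample data, not real records.
"""
import ipaddress


def _norm(name):
    """Lower-case a DNS name and drop the trailing dot."""
    return name.lower().rstrip(".")


def in_bailiwick(ns_name, zone):
    """True if the name server's own name lies inside the zone it serves."""
    ns_name, zone = _norm(ns_name), _norm(zone)
    return ns_name == zone or ns_name.endswith("." + zone)


def covering_prefix(addr, v4_len=16, v6_len=32):
    """Aggregate an address to the prefix treated as one routing unit.

    Assumption: a fixed /16 (IPv4) or /32 (IPv6) stands in for the prefix a
    real routing table would show as the covering announcement.
    """
    ip = ipaddress.ip_address(addr)
    plen = v4_len if ip.version == 4 else v6_len
    return ipaddress.ip_network(f"{ip}/{plen}", strict=False)


def parse_dig_answers(text, zone):
    """Turn `dig +noall +answer` style lines into {ns_name: [addresses]}."""
    ns_names = set()
    addrs = {}
    for line in text.splitlines():
        fields = line.split()
        # owner  ttl  class  type  rdata
        if len(fields) < 5 or fields[2] != "IN":
            continue
        owner, rtype, rdata = _norm(fields[0]), fields[3], fields[4]
        if rtype == "NS" and owner == _norm(zone):
            ns_names.add(_norm(rdata))
        elif rtype in ("A", "AAAA"):
            addrs.setdefault(owner, []).append(rdata)
    return {ns: addrs.get(ns, []) for ns in sorted(ns_names)}


def assess_delegation(zone, nameservers, v4_prefix_len=16):
    """Return the covering prefixes seen plus a list of SPOF findings."""
    prefixes = set()
    has_v6 = False
    all_in_zone = True
    for ns, addresses in nameservers.items():
        if not in_bailiwick(ns, zone):
            all_in_zone = False
        for a in addresses:
            net = covering_prefix(a, v4_prefix_len)
            prefixes.add(net)
            has_v6 = has_v6 or net.version == 6
    findings = []
    if len(prefixes) == 1:
        findings.append(
            f"all name server addresses sit in {next(iter(prefixes))}; if that "
            "prefix becomes unreachable from a resolver, every query for the "
            "zone ends in SERVFAIL")
    if not has_v6:
        findings.append("no IPv6 addresses: IPv4 reachability is the only path")
    if all_in_zone:
        findings.append("every NS name is inside the zone: resolvers depend on "
                        "parent-side glue, and the zone cannot help resolve itself")
    return {
        "prefixes": sorted(str(p) for p in prefixes),
        "has_ipv6": has_v6,
        "in_bailiwick_only": all_in_zone,
        "findings": findings,
    }


# Constructed sample in `dig +noall +answer` layout: three in-zone name
# servers, IPv4 only, all inside 198.51.0.0/16 under the /16 assumption.
SAMPLE_DIG_OUTPUT = """\
example.com.        172800  IN  NS    ns1.example.com.
example.com.        172800  IN  NS    ns2.example.com.
example.com.        172800  IN  NS    ns3.example.com.
ns1.example.com.    172800  IN  A     198.51.100.10
ns2.example.com.    172800  IN  A     198.51.100.20
ns3.example.com.    172800  IN  A     198.51.100.30
"""

if __name__ == "__main__":
    servers = parse_dig_answers(SAMPLE_DIG_OUTPUT, "example.com")
    report = assess_delegation("example.com", servers)
    print("covering prefixes:", ", ".join(report["prefixes"]))
    for finding in report["findings"]:
        print("-", finding)
```

Feed it the real answer sections for a zone's NS set and their A/AAAA records and an empty `findings` list means the delegation has at least two independent prefixes, some IPv6, and at least one out-of-zone name server; the /16 heuristic can be replaced by a routing-table lookup without changing the rest of the logic.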
On Fri, 29 May 2020, John Sage wrote:
Each one of ping, traceroute, dig and host returns
Host usbank . com not found: 2(SERVFAIL)
Could be a DNSSEC issue. When it happens check <http://dnsviz.net/> or <https://dnssec-debugger.verisignlabs.com/> to see if that's the case. -- Mark Milhollan +1-805-901-4009
When you're not paying for service, you're not the customer, you're the product.

I don't understand why anyone, especially anyone frequenting NANOG, would use Cloudflare for their DNS.

Cloudflare runs a racket business, and their whole business model depends on them being a monopoly; plus people buying into the vapourware that they offer. When have monopolies been good for any industry? There's plenty of evidence of Cloudflare 1.1.1.1 not working correctly; I'm sure one of their employees (or the CTO!) will show up shortly to say otherwise!

C.

On Fri, 29 May 2020 at 12:31, John Sage <jsage@finchhaven.com> wrote:
FULL DISCLOSURE: this is an end-user issue, but one that might have some operational relevance, particularly if anyone from Cloudflare DNS is on the list
EXECUTIVE SUMMARY: twice in six weeks Cloudflare DNS on my new Netgear Orbi cable modem/mesh WiFi hotspot has completely lost track of one (and only one that I know of) prominent US domain: usbank dot com
Internet provider: Comcast/Xfinity "Extreme Pro+"
Dynamic IP address via Comcast that hasn't changed in six-seven years
New Netgear Orbi cable modem, configured with DNS through Cloudflare (1.1.1.1 and 1.0.0.1)
Again, twice in 6 weeks Cloudflare DNS seems to lose complete track of usbank dot com as a domain
Symptoms: Firefox on Ubuntu Linux returns that little puzzled dinosaur cartoon thing and "We can't seem to find this website right now"
BUT ALSO:
Each one of ping, traceroute, dig and host returns
Host usbank . com not found: 2(SERVFAIL)
or some variant thereof
Everything else works "just fine" as the saying goes
And the Cloudflare DNS drop lasted for days the first time around
I can switch over to Google DNS (8.8.8.8 and 8.4.4.8) in the Orbi and immediately fix the problem
So. Seems odd that Cloudflare DNS would apparently lose complete track of a major US domain name like usbank dot com
Or am I missing something?
- John

--
John Sage
FinchHaven Digital Photography
Email: jsage@finchhaven.com
Web: https://finchhaven.smugmug.com/
Old web: http://www.finchhaven.com/
[This post may portray opinions as facts, click to see the post]

On Sat, 30 May 2020 at 21:55, Constantine A. Murenin <mureninc@gmail.com> wrote:
When you're not paying for service, you're not the customer, you're the product.
I don't understand why anyone, especially anyone frequenting NANOG, would use Cloudflare for their DNS.
Cloudflare runs a racket business, and their whole business model depends on them being a monopoly; plus people buying into the vapourware that they offer. When have monopolies been good for any industry? There's plenty of evidence of Cloudflare 1.1.1.1 not working correctly; I'm sure one of their employees (or the CTO!) will show up shortly to say otherwise!
C.
On Fri, 29 May 2020 at 12:31, John Sage <jsage@finchhaven.com> wrote:
FULL DISCLOSURE: this is an end-user issue, but one that might have some operational relevance, particularly if anyone from Cloudflare DNS is on the list
EXECUTIVE SUMMARY: twice in six weeks Cloudflare DNS on my new Netgear Orbi cable modem/mesh WiFi hotspot has completely lost track of one (and only one that I know of) prominent US domain: usbank dot com
Internet provider: Comcast/Xfinity "Extreme Pro+"
Dynamic IP address via Comcast that hasn't changed in six-seven years
New Netgear Orbi cable modem, configured with DNS through Cloudflare (1.1.1.1 and 1.0.0.1)
Again, twice in 6 weeks Cloudflare DNS seems to lose complete track of usbank dot com as a domain
Symptoms: Firefox on Ubuntu Linux returns that little puzzled dinosaur cartoon thing and "We can't seem to find this website right now"
BUT ALSO:
Each one of ping, traceroute, dig and host returns
Host usbank . com not found: 2(SERVFAIL)
or some variant thereof
Everything else works "just fine" as the saying goes
And the Cloudflare DNS drop lasted for days the first time around
I can switch over to Google DNS (8.8.8.8 and 8.4.4.8) in the Orbi and immediately fix the problem
So. Seems odd that Cloudflare DNS would apparently lose complete track of a major US domain name like usbank dot com
Or am I missing something?
- John

--
John Sage
FinchHaven Digital Photography
Email: jsage@finchhaven.com
Web: https://finchhaven.smugmug.com/
Old web: http://www.finchhaven.com/
-- ++ytti
On 5/30/20 11:58 AM, Saku Ytti wrote:
[This post may portray opinions as facts, click to see the post]
On Sat, 30 May 2020 at 21:55, Constantine A. Murenin <mureninc@gmail.com> wrote:
When you're not paying for service, you're not the customer, you're the product.
I don't understand why anyone, especially anyone frequenting NANOG, would use Cloudflare for their DNS.
[promised myself I wouldn't get pulled off into any smoldering flamewars]
[oh well. fools rush in &c &c &c]

Actually I used to run a caching-only nameserver using bind, as well as my own email server using sendmail, behind an ipchains/iptables firewall on a Linux box that was also running snort. This would have been about (counts fingers; toes) maybe 1998-99. So I have done this for myself, thank-you-very-much.

Times are a little more complicated now and I've come to want my own personal life to be a little simpler, again, thank-you-very-much.

Then (or finally) not to be pedantic, but I did open with:
FULL DISCLOSURE: this is an end-user issue, but one that might have some operational relevance, particularly if anyone from Cloudflare DNS is on the list
"End-user"

No one should say they weren't warned.

#EOF

- John

--
John Sage
FinchHaven Digital Photography
Box 2541, Vashon, WA 98070
Email: jsage@finchhaven.com
Web: https://finchhaven.smugmug.com/
Old web: http://www.finchhaven.com/
Cell: 206.595.3604
Hey Constantine,

John came in with a technical issue. If you have nothing worthy to say about it specifically, it's best to keep quiet.

Thanks!

Ryan

On May 30 2020, at 11:52 am, Constantine A. Murenin <mureninc@gmail.com> wrote:
When you're not paying for service, you're not the customer, you're the product.
I don't understand why anyone, especially anyone frequenting NANOG, would use Cloudflare for their DNS.
Cloudflare runs a racket business, and their whole business model depends on them being a monopoly; plus people buying into the vapourware that they offer. When have monopolies been good for any industry? There's plenty of evidence of Cloudflare 1.1.1.1 not working correctly; I'm sure one of their employees (or the CTO!) will show up shortly to say otherwise!
C.

On Fri, 29 May 2020 at 12:31, John Sage <jsage@finchhaven.com> wrote:
FULL DISCLOSURE: this is an end-user issue, but one that might have some operational relevance, particularly if anyone from Cloudflare DNS is on the list
EXECUTIVE SUMMARY: twice in six weeks Cloudflare DNS on my new Netgear Orbi cable modem/mesh WiFi hotspot has completely lost track of one (and only one that I know of) prominent US domain: usbank dot com
Internet provider: Comcast/Xfinity "Extreme Pro+"
Dynamic IP address via Comcast that hasn't changed in six-seven years
New Netgear Orbi cable modem, configured with DNS through Cloudflare (1.1.1.1 and 1.0.0.1)

Again, twice in 6 weeks Cloudflare DNS seems to lose complete track of usbank dot com as a domain

Symptoms: Firefox on Ubuntu Linux returns that little puzzled dinosaur cartoon thing and "We can't seem to find this website right now"

BUT ALSO:

Each one of ping, traceroute, dig and host returns

Host usbank . com not found: 2(SERVFAIL)

or some variant thereof

Everything else works "just fine" as the saying goes

And the Cloudflare DNS drop lasted for days the first time around

I can switch over to Google DNS (8.8.8.8 and 8.4.4.8) in the Orbi and immediately fix the problem

So. Seems odd that Cloudflare DNS would apparently lose complete track of a major US domain name like usbank dot com

Or am I missing something?

- John

--
John Sage
FinchHaven Digital Photography
Email: jsage@finchhaven.com
Web: https://finchhaven.smugmug.com/
Old web: http://www.finchhaven.com/
On Sat, May 30, 2020 at 01:52:58PM -0500, Constantine A. Murenin wrote:
When you're not paying for service, you're not the customer, you're the product.
A pleasantly misleading statement. Most easily observed in that there are many cases where there is multiple monetization. You may be your broadband provider's customer, but it's likely they're still selling you in other ways. On the flip side, some of us provide free services with no ulterior motive. Go figure.
I don't understand why anyone, especially anyone frequenting NANOG, would use Cloudflare for their DNS.
The early '90's called and said you're missing (don't worry, they said it about me too). :-) ;-)

The Internet didn't evolve in the way its designers expected. Early mistakes and errors required terrible remediation. As an example, look at the difficulty involved in running a service like e-mail or DNS. E-mail requires all sorts of things to interoperate well, including SPF, DKIM, SSL, DNSBL's, etc., etc., and it is a complicated service to run self-hosted. DNS is only somewhat better, with the complexity of DNSSEC and other recent developments making for more difficulties in maintaining self-hosted services.

Some people want basic services that "just work" without having to put any effort into them. That isn't limited to non-technical users.

Outsourcing stuff like DNS is just a continuation of the trend of sending your workloads onto someone else's cloud. It seems easy -- right up until it isn't working the way you want it to. But for most people, even those frequenting NANOG, maybe they just don't want to go set up their own recursion nameservice. I'm not saying I agree with that strategy, but at least it's understandable.

... JG

--
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"The strain of anti-intellectualism has been a constant thread winding its way through our political and cultural life, nurtured by the false notion that democracy means that 'my ignorance is just as good as your knowledge.'"-Asimov
Outsourcing stuff like DNS is just a continuation of the trend of sending your workloads onto someone else's cloud. It seems easy -- right up until it isn't working the way you want it to.
Outsourcing DNS recursion isn't a good trade-off IMHO, but outsourcing threat blocking via DNS is. So, my preferred recursive DNS setup is:

- Caching recursive server on ISP's premises
- Unbound or Knot Resolver based
- Root zone authoritatives to increase both privacy and performance
- Recursion done only for CDN zones (1e100.net, akadns.net etc.) in order to get the best CDN performance for the access customers
- Forwarding of all non-CDN traffic to security-focused DNS recursives like Umbrella, Cloudflare, Norton, Quad-9 etc.
- IGP-based anycast

This is also flexible enough to deal with DNSSEC signature expiration, AA missing on authoritative responses etc., either by configuration on the recursives themselves or by forwarding specific domains to specific outside recursives.

Maintaining it requires work, it's not a plug and forget solution; but it provides a good balance of performance, security and operational flexibility.

Rubens
On Saturday, 30 May, 2020 13:18, Joe Greco <jgreco@ns.sol.net> wrote:

The Internet didn't evolve in the way its designers expected. Early mistakes and errors required terrible remediation. As an example, look at the difficulty involved in running a service like e-mail or DNS. E-mail requires all sorts of things to interoperate well, including SPF, DKIM, SSL, DNSBL's, etc., etc., and it is a complicated service to run self-hosted. DNS is only somewhat better, with the complexity of DNSSEC and other recent developments making for more difficulties in maintaining self-hosted services.

I've been running my own DNS and e-mail for more than a quarter century. Contrary to your proposition it hasn't gotten much more complicated over that time.

--
The fact that there's a Highway to Hell but only a Stairway to Heaven says a lot about anticipated traffic volume.
On Sun, May 31, 2020 at 10:07:41AM -0600, Keith Medcalf wrote:
On Saturday, 30 May, 2020 13:18, Joe Greco <jgreco@ns.sol.net> wrote:
The Internet didn't evolve in the way its designers expected. Early mistakes and errors required terrible remediation. As an example, look at the difficulty involved in running a service like e-mail or DNS. E-mail requires all sorts of things to interoperate well, including SPF, DKIM, SSL, DNSBL's, etc., etc., and it is a complicated service to run self-hosted. DNS is only somewhat better, with the complexity of DNSSEC and other recent developments making for more difficulties in maintaining self-hosted services.
I've been running my own DNS and e-mail for more than a quarter century. Contrary to your proposition it hasn't gotten much more complicated over that time.
Really? Because nowadays, there's all this extra crap that didn't used to exist.
From my perspective, it's gone from "configure Sendmail on your Sun workstation and compile Elm (back in the '80's)" to something a lot more complicated.
Now you need to sign your mail with DKIM, have SPF records, and even if you cross all the T's and dot all the I's, you can expect your mail to be rejected at some major mail sites because the LACK of a consistent high volume of mail being sent by your site is actually scored against you.

On the inbound side, you now need to be filtering your mail with Spamassassin and DNSBL's, and also virus scanners because it's likely some of your users won't be.

You need to support both IMAP _and_ webmail if you want to be able to support users, because we are now in that "post-PC" era where people expect to be able to sit down at an arbitrary PC and have an experience on par with that of any of the mail service providers.

I've watched in dismay as many technically competent sysadmins, and even whole service providers, have given up and outsourced e-mail, because it is so difficult to do well. Even Apple finally ditched their OSX Server product's email services, which had for years been one of my best examples of "it's still possible to run this yourself."

If this is your idea of "hasn't gotten much more complicated", I salute your technical prowess. It's not that I want this to be the status quo, but I'm also not so blind as to deny what is going on. :-(

... JG

--
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"The strain of anti-intellectualism has been a constant thread winding its way through our political and cultural life, nurtured by the false notion that democracy means that 'my ignorance is just as good as your knowledge.'"-Asimov
participants (9)

- Constantine A. Murenin
- Havard Eidnes
- Joe Greco
- John Sage
- Keith Medcalf
- Mark Milhollan
- Rubens Kuhl
- Ryan Hamel
- Saku Ytti