Google DNS versus ours - TekSavvy | DSLReports Forums (Page 6)

Author	All Replies
jabley join:2012-10-21 London, ON	reply to TSI Gabe Re: Google DNS versus ours There are several things going on, here. The resource record set (RRSet) that the ATA is looking for is unusually large. Large responses in the DNS are generally accommodated by either negotiating a large UDP response buffer with EDNS0 (see RFC 2671) or by setting the truncate bit (TC) to 1 in a response and forcing a second DNS request using TCP. Both these approaches have problems. Large UDP buffer sizes result in fragmentation, and fragmentation can be problematic. Many firewalls and other middleware make bad assumptions about 53/tcp, and hence TCP requests don't always work. So, solution 1: if I was callcentral, I would be reducing my response to that particular query to ensure that it fits in a 512 byte DNS response message without truncation. If they chose their server names more carefully they could still pack a good number of resource records in the ANSWER section by taking better advantage of label compression. The ATA described here appears not to support EDNS0 or TCP, so it has no capability of receiving large (complete) DNS responses. Not supporting TCP means not following the specification. The ATA is definitively broken, here. It violates RFC 1035. (I realise it's not unique in that. There are lots of bad DNS implementations in the world.) Solution 2: fix the ATA. It's broken. The fact that it has ever worked is a happy accident. BIND9's behaviour when it falls back to TCP is to set TC=1 in the response header, and to populate the answer section with as much as will fit. This response is intended to be interpreted as "this is not an accurate response, but here is a partial answer and you should use TCP to get the rest of it". Unbound's behaviour is not to return partial responses. It says "I can't give you a complete response, and I'm not going to risk giving you a partial answer because that might be bad, so you need to use TCP". Needless to say, this level of detail (how to populate the ANSWER section in a truncated response) is not really specified in RFC 1035, which is old. Technically, I think it's fair to say that both unbound and BIND9 are following the specification, as far as it goes. BIND9's behaviour here is more forgiving of the broken DNS code in the ATA. I don't see an option in unbound to emulate the BIND9 approach to this. Solution 3: choose different nameservers that behave as BIND9 does. Unbound is good, polished software in my opinion. It has performance advantages and is far harder to fool with cache poisoning attacks than BIND9. It's hard to argue that the correct solution here is to replace unbound with BIND9; in effect, that would be throwing out the benefits of unbound for all users simply to accommodate one buggy ATA that is used by a tiny minority.
	to forum · permalink · 2012-10-21 20:24:10 ·

mlord join:2006-11-05 Nepean, ON kudos:9 Reviews: ·Start Communicat.. ·TekSavvy Cable ·TekSavvy DSL	reply to TSI Gabe said by TSI Gabe: luckily though I'm at NANOG right now and am surrounded by geeks that deal with this on a daily basis...I'll ask around when I get the chance. Sounds like the Right Crowd to find a solution with, but I'm with you on this one -- risky to modify the DNS behaviour to accommodate a clueless voip provider, especially as there's a definite risk of breaking other stuff. Don't forget to go out for some Real Beef BBQ down that way, and let us all know if you manage to reverse engineer the famous fountains down town (if you grok the pattern, you can stride up the middle without getting wet!). Cheers!
	to forum · permalink · 2012-10-21 23:16:46 ·
OTIS3 join:2011-09-29 Reviews: ·TekSavvy Cable	reply to jabley said by jabley: simply to accommodate one buggy ATA that is used by a tiny minority. I don't think anyone has specifically mentioned any ATA models yet in this thread. For me personally, I'm using a Linksys PAP2T which is probably the most widely deployed ATA for home users. I'm not saying it is good or that Linksys/Cisco isn't known for having buggy devices. They are also not likely to fix it in a new firmware at this point.
	to forum · permalink · 2012-10-22 07:22:14 ·
wally_walrus join:2009-10-07 Orleans, ON	+1. Even though some / most models are "buggy" they are widely used, so efforts should be made to support them. I am using an SPA-3102
	to forum · permalink · 2012-10-22 08:35:19 ·
mlord join:2006-11-05 Nepean, ON kudos:9 Reviews: ·Start Communicat.. ·TekSavvy Cable ·TekSavvy DSL	said by wally_walrus: +1. Even though some / most models are "buggy" they are widely used, so efforts should be made to support them. +100 The PAP2T are very likely the most common "non locked" ATA devices out there, with their cousins the SPA-3102 also fairly prevalent. So it's not feasible to simply ignore them. Callcentric.com needs to do better. Meanwhile, anyone affected by this can just use a different DNS service, or run a copy of bind9 locally to relay from Teksavvy DNS without the issue of Teksavvy DNS. I just checked here, and my local bind9 service does return partial results just fine, but the stripped down DNS in my router does not. I imagine that folks running OpenWRT on their routers would have the option of adding bind9 service onto those, which would take care of it as well. Cheers
	to forum · permalink · 2012-10-22 10:03:32 ·
mlord join:2006-11-05 Nepean, ON kudos:9 Reviews: ·Start Communicat.. ·TekSavvy Cable ·TekSavvy DSL 1 edit	said by mlord: Meanwhile, anyone affected by this can just use a different DNS service, or run a copy of bind9 locally to relay from Teksavvy DNS without the issue of Teksavvy DNS. Or maybe TSI Gabe could channel the spirit of Teksavvy Past, and run bind9 on one server internally (doesn't need to be accessible outside of Teksavvy), and have it act as the authority for Callcentric.com for use by Teksavvy's public DNS servers. Hacky, and there are probably other similar/better workarounds that TSI Gabe could dream up.
	to forum · permalink · 2012-10-22 10:07:03 ·
TSI Gabe Premium,VIP join:2007-01-03 Chatham, ON kudos:2	Well jabley is with me at NANOG and his reply here is what came out of the conversation we had. The reality here is that clearcable is knowingly serving a large RRSET that doesn't fit in a 512 byte buffer and they also know that this results in a half broken DNS reply when using a few well known ATAs. I've also talked to a few more people, some of them that work for TLDs and to be honest the opinion that I've heard loud and clear so far is what the heck is clearcable doing. By far the easiest way to fix this would be for clearcable to shorten the RRSET reply by using the various methods that jabley highlighted above. While I'm not against "fixing" this in the spirit of being nice. This issue is only specific to using certain ATAs on the clearcable service. -- TSI Gabe - TekSavvy Solutions Inc. Authorized TSI employee ( »TekSavvy FAQ »Official support in the forum )
	to forum · permalink · 2012-10-22 10:43:38 ·
mlord join:2006-11-05 Nepean, ON kudos:9	+1
	to forum · permalink · 2012-10-22 10:52:28 ·
brad join:2007-09-06 Etobicoke, ON	reply to TSI Gabe sad Mac face kinda disappointed to see TSI's resolvers failing OARC's DNS reply size test. Boo Google and OpenDNS. TSI $ dig @206.248.154.22 +short rs.dns-oarc.net txt rst.x1002.rs.dns-oarc.net. rst.x1007.rs.dns-oarc.net. rst.x1012.rs.dns-oarc.net. rst.x1257.x1012.rs.dns-oarc.net. rst.x1228.x1012.rs.dns-oarc.net. Level 3 $ dig @4.2.2.2 +short rs.dns-oarc.net txt rst.x3827.rs.dns-oarc.net. rst.x3837.x3827.rs.dns-oarc.net. rst.x3843.x3837.x3827.rs.dns-oarc.net. "192.221.139.217 DNS reply size limit is at least 3843" "192.221.139.217 sent EDNS buffer size 4096" "Tested at 2012-10-22 21:01:17 UTC" home; dnsmasq -> BIND 9.9 (DNS64) -> my Unbound recursive resolver $ dig @192.168.3.2 +short rs.dns-oarc.net txt rst.x3827.rs.dns-oarc.net. rst.x4049.x3827.rs.dns-oarc.net. rst.x4055.x4049.x3827.rs.dns-oarc.net. "2001:470:1d:8c::13 DNS reply size limit is at least 4055" "Tested at 2012-10-22 21:01:58 UTC" "2001:470:1d:8c::13 sent EDNS buffer size 4096"
	to forum · permalink · 2012-10-22 17:05:15 ·
brad join:2007-09-06 Etobicoke, ON	reply to mlord said by mlord: Callcentric.com needs to do better. No, they don't. It's BYOD. You are responsible if you want to bring broken equipment to their service. If you want to use broken crap then you can support it.
	to forum · permalink · 2012-10-22 18:51:10 ·
TSI Marc Premium,VIP join:2006-06-23 Chatham, ON kudos:14	reply to TSI Gabe Gabe, what I don't understand is how come they're not signing up for our TekTalk service? -- Marc - CEO/TekSavvy
	to forum · permalink · 2012-10-22 19:34:18 ·
Guspaz Guspaz Premium,MVM join:2001-11-05 Montreal, QC kudos:20	reply to TSI Gabe Well, TekTalk is a residential service, and ClearCable is an enterprise service provider, so they're not really comparable products. -- Developer: Tomato/MLPPP, Linux/MLPPP, etc »fixppp.org
	to forum · permalink · 2012-10-22 19:58:22 ·
wally_walrus join:2009-10-07 Orleans, ON	reply to TSI Marc Marc, When your prices and service are going to match Callcentric's I'll switch in an instant
	to forum · permalink · 2012-10-22 19:59:41 ·
TSI Marc Premium,VIP join:2006-06-23 Chatham, ON kudos:14	reply to Guspaz We have all we need to do business phone... Expanded the MetaSwitch a month ago to do it.. Just playing around with it all to see what we'd like to offer. -- Marc - CEO/TekSavvy
	to forum · permalink · 2012-10-22 20:09:19 ·
TSI Marc Premium,VIP join:2006-06-23 Chatham, ON kudos:14	reply to wally_walrus What are you paying with them? -- Marc - CEO/TekSavvy
	to forum · permalink · 2012-10-22 20:09:37 ·
wally_walrus join:2009-10-07 Orleans, ON	All PAYG for the last month: Total: 289 min 0 min 141 min $5.5818 $0.0000 $5.5818
	to forum · permalink · 2012-10-22 20:26:57 ·
TSI Marc Premium,VIP join:2006-06-23 Chatham, ON kudos:14	What package are you getting from them? -- Marc - CEO/TekSavvy
	to forum · permalink · 2012-10-22 20:50:02 ·
wally_walrus join:2009-10-07 Orleans, ON 1 edit	No package at all - I pay by the minute (only for what I use), and - BEST THING - the balance never expires Their rates are at callcentric.com
	to forum · permalink · 2012-10-22 21:26:35 ·
neko All Hail Canada Premium join:2006-08-11 Canada Reviews: ·TekSavvy DSL	reply to TSI Marc I'm on PAYG, too. About $5 every month. Their back-end portal is fantastic with the call filtering options to prevent spam, re-route calls, free incoming/outgoing SIP, free voicemail. The list of features is outstanding. My favorite feature is the call filtering. They even support wilcard numbers which add a granularity to the service that I find very useful. They are rated as the best VOIP provider on DSLR. -- ...virtue gives you heraldry.
	to forum · permalink · 2012-10-23 01:36:06 ·
OTIS3 join:2011-09-29 Reviews: ·TekSavvy Cable	reply to TSI Marc I'm also on the pay as you go with CallCentric. I pay $1.95 for my DID, $1.50 for E911, and most calling is about $0.015 per minute. Most months costs me about $5. I prepay with paypal on my account usually $50 and lasts at least a year, so its also one more bill I dont have to think about. They will send me an email when the balance in my account is low. Also, as others have mentioned, the customer portal is really good. The amount of options is great. Rarely do I get telemarketers or credit cards scams calling, but if they do, its only 30 seconds to add them to a block list.
	to forum · permalink · 2012-10-23 09:30:15 ·

O Canada! > Canadian > TekSavvy > Google DNS versus ours

Re: Google DNS versus ours