<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
span.EmailStyle17
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D">DNS, by design, is generally speaking agnostic when it comes to providing answers to DNS questions. It would have to be a very deliberate edit to the “allow-query” option in the conf file to enable your construct
of a “DNS blacklist”. In an enterprise environment this type of defensive action seems best played at the edge where the firewalls live based upon actionable data and not in a conf file. But that is just me.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">I read where a packet capture was performed but does no response include absence of reset packets?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">What did a traceroute show?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Can you place a rule to allow unfiltered traffic in and out from one of your IP’s for testing?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">I am big fan of copying n pasting but it appears that you didn’t clean it all up when composing this email the BIND group. You indicate to the admins of quickfix8.com that quickfix8.com’s servers are “refusing”
the query. So which is it? No response or refusing? Because getting refused answer is better than nothing at all.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">In the end the issue may just resolve itself.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">:D<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Good hunting.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">John<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> bind-users [mailto:bind-users-bounces@lists.isc.org]
<b>On Behalf Of </b>Lightner, Jeffrey<br>
<b>Sent:</b> Tuesday, December 05, 2017 10:24 AM<br>
<b>To:</b> bind-users@isc.org<br>
<b>Subject:</b> Issue with AT&T IPs?<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">We’re having issues send email to a user @SIDDHAFLOWERS.COM<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Investigation here shows that the issue we have is querying your name servers (both by name and by IP) are refusing to respond to our name servers.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Their name servers:<o:p></o:p></p>
<p class="MsoNormal">NS1.QUICKFIX8.COM<o:p></o:p></p>
<p class="MsoNormal">NS2.QUICKFIX8.COM<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Our name servers:<br>
DSWADNS1.WATER.COM<o:p></o:p></p>
<p class="MsoNormal">DSWADNS2.WATER.COM<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">We find other name servers such as those as Google are able to query their name servers. Based on that I determined their name server IP (for both) is 74.124.202.236. However, if I attempt to reach port 53 (DNS) on that IP from our
name servers it simply fails to connect. Our Network Security engineer did a capture and shows we send packets but never get a response.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Interestingly further testing shows this is an issue from any of our AT&T provided IPs:<br>
12.44.84.194<o:p></o:p></p>
<p class="MsoNormal">12.44.84.213<o:p></o:p></p>
<p class="MsoNormal">12.44.84.214<o:p></o:p></p>
<p class="MsoNormal" style="margin-bottom:12.0pt">12.44.84.216<o:p></o:p></p>
<p class="MsoNormal">But not from separate QTS Datacenter provided IPs:<br>
209.10.103.136<br>
209.10.103.148<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I’ve reached out to the folks at QuickFix and am waiting to hear back but we’ve seen a similar issue on another domain using separate name servers. Is it possible there is some sort of blacklist for DNS (not email) that people might
be subscribing to that would cause them to block AT&T IPs? We can do queries from our DNS to most domains but have identified these 2 as problems so suspect there might be others.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">By the way, I can reach their mail server via command line connection to port 25 on its IP. The issue here is purely in querying the DNS servers which of course means mail programs can’t determine the MX records themselves.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Last night I did see some posts suggesting commenting out query-source but testing that didn’t do anything. We do have our query-source setup for random outbound ports and I verified last night that it still works based on the test site
for that.<o:p></o:p></p>
<p class="MsoNormal"><br>
Most of what I find about blacklisting is about spam blacklisting of mail servers not blacklisting of DNS server queries and it is the latter we are experiencing.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p style="line-height:10.0pt"><span style="font-size:10.0pt;font-family:"Arial",sans-serif">CONFIDENTIALITY NOTICE: This e-mail may contain privileged or confidential information and is for the sole use of the intended recipient(s). If you are not the intended
recipient, any disclosure, copying, distribution, or use of the contents of this information is prohibited and may be unlawful. If you have received this electronic transmission in error, please reply immediately to the sender that you have received the message
in error, and delete it. Thank you <o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span style="font-size:12.0pt;font-family:"Times New Roman",serif"><o:p> </o:p></span></p>
</div>
</body>
</html>