Community home

OwenMcShane · ‎13-04-2017

Hi,

I posted this earlier but it was removed. Here it is again, this time without reference to another broadband provider by name, in case that was the reason it was deleted:

Hi,

My Vodafone broadband went live yesterday.

I run a mail server for my own domain name, the hostname of which is managed using a dynamic dns service, which is receiving mail fine after the switch over, and setting up the relevant port forwarding on the router.

However, I also run a caching name server for my local network, which I have also set to be authoritative for my domain. This is so my portable devices receive the public facing IP of the router when I am away from my network, but when I am at home, they used to receive the private ip of the mail server when it was looked up. This obviously avoids any need to constantly be swapping mail server details from hostnames to ip addresses and vice versa depending on location.

In order for this to work, I need to be able to tell the Vodafone router to issue my DNS server via DHCP to the clients on my network. There does not appear to be an option to do this. There is an option to change DNS servers, but that appears to be just the ones the router itself uses for recursion.

An equally big problem is that since switching to vodafone my name server is no longer able to do recursive lookups:

$ host mail.google.com 127.0.0.1
Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases:

Host mail.google.com not found: 2(SERVFAIL)

Looking up hosts in my domain is fine:

$ host mail.XXX.org.uk 127.0.0.1
Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases:

mail.XXX.org.uk has address 192.168.1.25

(Incidentally, using the Vodafone router's DNS produces the public view, as expected:

$ host mail.XXX.org.uk 192.168.1.1
Using domain server:
Name: 192.168.1.1
Address: 192.168.1.1#53
Aliases:

mail.XXX.org.uk is an alias for XXXuk.ddns.net.
XXXuk.ddns.net has address 90.255.100.xxx

It appears as though recursion from my name server through the root servers is being blocked either by Vodafone somewhere upstream, or the router itself:

A dig at the router produces the expected root name server results:

$ dig @192.168.1.1

; <<>> DiG 9.8.1-P1 <<>> @192.168.1.1
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38632
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;. IN NS

;; ANSWER SECTION:
. 28354 IN NS h.root-servers.net.
. 28354 IN NS m.root-servers.net.
. 28354 IN NS i.root-servers.net.
. 28354 IN NS e.root-servers.net.
. 28354 IN NS d.root-servers.net.
. 28354 IN NS k.root-servers.net.
. 28354 IN NS a.root-servers.net.
. 28354 IN NS f.root-servers.net.
. 28354 IN NS j.root-servers.net.
. 28354 IN NS c.root-servers.net.
. 28354 IN NS l.root-servers.net.
. 28354 IN NS g.root-servers.net.
. 28354 IN NS b.root-servers.net.

;; Query time: 32 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Thu Apr 13 10:45:29 2017
;; MSG SIZE rcvd: 228

Whereas, my server fails:

$ dig @127.0.0.1

; <<>> DiG 9.8.1-P1 <<>> @127.0.0.1
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 14951
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;. IN NS

;; Query time: 32 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Apr 13 10:45:39 2017
;; MSG SIZE rcvd: 17

So basically I have two problems:

1) My name server can not perform recursive lookups due to some configuration either at Vodafone, or on the router.

2) I am unable to issue my own name server to clients via DHCP on the router. With my old router this was very simple. I could set up my own DHCP server and disable DHCP on the router, but I am still left with problem #1

Can anyone please shed some light on these two issues?

If problem #1 is some hard coded configuration on the router, then I would be more than happy to go back to using my old router for connection, as it is a lot more configurable.

I would obviously require login credentials for this, which I understand is not Vodafone's policy to provide. However, unless this can be resolved by some means, I am missing basic functionality that I require.

My transfer to Vodafone went smoothly, and apart from the two items listed above, I have no other current problems. However, clearly I am still well within my cooling off period, so I would appreciate some input from somebody technical at Vodafone regarding this before I consider my options.

Thanks.

OwenMcShane · ‎18-04-2017

@JamieSW wrote:

I also wanted to override the "default DNS" on the router for some devices but regardless of what DNS I send to devices via DHCP ("options-dns-servers") the router seems to redirect any DNS queries to the default DNS.

Hi Jamie,

Not sure what DHCP server you're using, but I'm using the ISC one under Ubuntu and

"option domain-name-servers 192.168.1.2;" is working for me.

192.168.1.2 is my name server, and is giving authoritative answers for hosts in my domain.

Anything it doesn't know is sent on to the router via the forwarders option in bind.

JamieSW · ‎18-04-2017

Yes, that bit works for me (DHCP server gives out DNS to the clients, and they can see it). The problem is that whichever DNS server a client on the LAN tries to send its request to, at the router level that destination appears to be stripped out and sent on to the "router default" DNS and that's the one that replies.

So, when I try to have one LAN client sending DNS requests to say 8.8.8.8 (Google) and another to 192.168.1.1, all requests end up going to the same place, which is wherever the router chooses to send them.

The practical implication is that I can't have strict DNS-based content filtering for the younger children while using a different DNS content filter for the older teenagers. Which I could do with my previous provider's router as that didn't mess with DNS requests.

OwenMcShane · ‎18-04-2017

@JamieSW wrote:
So, when I try to have one LAN client sending DNS requests to say 8.8.8.8 (Google) and another to 192.168.1.1, all requests end up going to the same place, which is wherever the router chooses to send them.

The practical implication is that I can't have strict DNS-based content filtering for the younger children while using a different DNS content filter for the older teenagers. Which I could do with my previous provider's router as that didn't mess with DNS requests.

Oh right. So are the name servers you are trying to issue to the clients external to your network?

It looks like our issues are different. I'm mainly concerned about my clients getting the local (private) DNS flavour of my domain. I'm not too bothered about what name server answers for anything else, although I would prefer all requests were resolved in house for privacy of information purposes, but either the router or the VF network are not allowing me to do that.

OwenMcShane · ‎06-06-2017

Well, since I got my own router up and running this morning (after being given an incorrect password yesterday, and spending a day thinking I couldn't set up a router if you paid me), I'm very pleased to say that my recursive DNS problem is now a thing of the past, and I no longer need to use 192.168.1.1 as a forwarder:

$ host mail.google.com 127.0.0.1
Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases:

mail.google.com is an alias for googlemail.l.google.com.
googlemail.l.google.com has address 216.58.204.5
googlemail.l.google.com has IPv6 address 2a00:1450:4009:80c::2005

So it would appear that it was the Vodafone Connect router that was prohibiting such behaviour.

I'm still runnning my own DHCP server, but now I have a router that can issue my local DNS server via DHCP, I may revert back to doing that,

infamousgrouse · ‎04-05-2018

sadly this issue still exists. it appears that there is deliberate DNS interception taking place;

# dig +trace vodacone.co.uk

; <<>> DiG 9.11.3-1-Debian <<>> +trace vodacone.co.uk
;; global options: +cmd
. 3600000 IN NS L.ROOT-SERVERS.NET.
. 3600000 IN NS E.ROOT-SERVERS.NET.
. 3600000 IN NS D.ROOT-SERVERS.NET.
. 3600000 IN NS J.ROOT-SERVERS.NET.
. 3600000 IN NS H.ROOT-SERVERS.NET.
. 3600000 IN NS C.ROOT-SERVERS.NET.
. 3600000 IN NS M.ROOT-SERVERS.NET.
. 3600000 IN NS B.ROOT-SERVERS.NET.
. 3600000 IN NS K.ROOT-SERVERS.NET.
. 3600000 IN NS I.ROOT-SERVERS.NET.
. 3600000 IN NS F.ROOT-SERVERS.NET.
. 3600000 IN NS G.ROOT-SERVERS.NET.
. 3600000 IN NS A.ROOT-SERVERS.NET.
couldn't get address for 'L.ROOT-SERVERS.NET': not found
couldn't get address for 'E.ROOT-SERVERS.NET': not found
couldn't get address for 'D.ROOT-SERVERS.NET': not found
couldn't get address for 'J.ROOT-SERVERS.NET': not found
couldn't get address for 'H.ROOT-SERVERS.NET': not found
couldn't get address for 'C.ROOT-SERVERS.NET': not found
couldn't get address for 'M.ROOT-SERVERS.NET': not found
couldn't get address for 'B.ROOT-SERVERS.NET': not found
couldn't get address for 'K.ROOT-SERVERS.NET': not found
couldn't get address for 'I.ROOT-SERVERS.NET': not found
couldn't get address for 'F.ROOT-SERVERS.NET': not found
couldn't get address for 'G.ROOT-SERVERS.NET': not found
couldn't get address for 'A.ROOT-SERVERS.NET': not found
dig: couldn't get address for 'L.ROOT-SERVERS.NET': no more

# dig +trace vodafone.co.uk @202.12.27.33

; <<>> DiG 9.11.3-1-Debian <<>> +trace vodafone.co.uk @202.12.27.33
;; global options: +cmd
. 3600 IN NS FWDR-255.FWDR-255.FWDR-255.FWDR-90.
. 3600 IN NS FWDR-90.FWDR-255.FWDR-255.FWDR-90.
couldn't get address for 'FWDR-90.FWDR-255.FWDR-255.FWDR-90': not found
;; Received 184 bytes from 202.12.27.33#53(202.12.27.33) in 2 ms

. 3600 IN NS FWDR-255.FWDR-255.FWDR-255.FWDR-90.
. 3600 IN NS FWDR-90.FWDR-255.FWDR-255.FWDR-90.
;; BAD (HORIZONTAL) REFERRAL

(lots of this)

couldn't get address for 'FWDR-90.FWDR-255.FWDR-255.FWDR-90': not found
;; Received 199 bytes from 90.255.255.255#53(FWDR-255.FWDR-255.FWDR-255.FWDR-90) in 5 ms

. 3600 IN NS FWDR-255.FWDR-255.FWDR-255.FWDR-90.
. 3600 IN NS FWDR-90.FWDR-255.FWDR-255.FWDR-90.
;; BAD (HORIZONTAL) REFERRAL
dig: too many lookups

i was on the phone with support last night and they 'promised' that they would get back to me with the vpi/vci + username/password details asap; it seems that their systems 'magically' crashed when this information was requested. so far it hasnt been made available.

are DNS requests part of the data-gathering requirements laid out in the snoopers charter?

Smir · ‎04-05-2018

I have issues with my internet since joining vodafone, were as previously fine on Sky,

took months, untill I decided to email a manager, but it was the wrong department, they still sorted it for me and put it in the right hands, you will want to get hold of someone called [Removed] he's a Senior Manager and fixed my issue within a few days, after months of sending them pointless tests results.

MOD EDIT: This post has been edited to remove personal information

Mark · ‎07-05-2018

Did your issue get resolved when we called you @infamousgrouse?

infamousgrouse · ‎07-05-2018

@Mark wrote:
Did your issue get resolved when we called you @infamousgrouse?

i haven't been called, so the issue remains unresloved.

Mark · ‎08-05-2018

I'm sorry the adviser didn't call you back when access to the system requied returned.

So we can help provide the information required, please send us your details by following the instructions in this private message and we'll be in touch.

delta-mike · ‎17-04-2017

Hi,

I've similarly migrated these past few days to Vodafone's Business FTTC broadband service from the Demon Business ADSL service, and have also had problems using the local DNSSEC-validating recursive resolver on my servers.

The problem appears to be that responses to UDP DNS queries from inside my local LAN are being corrupted in flight. Specifically, they appear to be being truncated to 512 bytes, I suspect by the local Vodafone router. I suspect that the NAT/firewall code on the local router is at fault., and this is preventing secure DNS resolution.

On my Linux server, located behind the provided Vodafone router, I can use the standard DNS query command 'dig' to demonstrate this problem.

For example, when I run `dig -t DNSKEY . @8.8.8.8`, I receive the following response:

;; Warning: Message parser reports malformed message packet.

; <<>> DiG 9.10.3-P4-Debian <<>> -t DNSKEY . @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58389
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: Message has 209 extra bytes at end

;; QUESTION SECTION:
;.                              IN      DNSKEY

;; ANSWER SECTION:
.                       157119  IN      DNSKEY  257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=

;; Query time: 65 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Apr 17 16:38:22 BST 2017
;; MSG SIZE  rcvd: 512

Note the bits I've highlighted in bold. These indicate that the response received from the external DNS server is malformed. Specifically, it could only extract one DNSKEY record from the response, and the size of the response message was exactly 512 bytes, and had more than 200 bytes at the end that it couldn't extract useful information from. If I change '8.8.8.8' to any other recursive DNS resolver, including the IP address of the local router, the same result occurs.

Compare exactly the same query retrieved from the same external recursive DNS resolver obtained over TCP:

; <<>> DiG 9.10.3-P4-Debian <<>> -t DNSKEY . @8.8.8.8 +tcp
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27269
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;.                              IN      DNSKEY

;; ANSWER SECTION:
.                       86233   IN      DNSKEY  257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=
.                       86233   IN      DNSKEY  256 3 8 AwEAAZLsvvPf/WDYE8L8ZUOiXEN9PSg3Nqyqu8WWKVu4LIvPW77Y0W1m BgmroFEHxzA9zM2edQbYIFhj536sx3fj1bx4n8yKwQ0y1MYkXvgU3aKW f0jnm8qz5RPVa4iEUgP5og/70muAXmo38Ru10asc3SNtN2OlAT1Tivp+ U4JUlVA8ICvierUPg2Kgf2gtNFhuqMTx/IHrE5DdV+Z/rmHGqESe/mna DzHdFnKy7Ma5zcPTekmwZ86CnG+vNWMT6wiO56YSAaiHX0jSCjmkL7Jz T3xpp/vtoWLK1rir70i6NbsU48sPZOHLfhwzbownewAsng0QqMOcVcmh l6ifE3C/vjE=

;; Query time: 33 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Apr 17 16:43:39 BST 2017
;; MSG SIZE  rcvd: 578

This works because the router is not incorrectly truncating the response to 512 bytes. Note that the true message size for the response to this query is 578 bytes, and that given the untruncated packet, `dig` is able to successfully retrieve both DNSKEY records for the DNS root zone.

This problem is forcing me to downgrade my DNS resolvers, because the larger query responses with the security keys and signatures needed for secure DNS resolution are being mishandled - even if the router isn't trying to handle the query directly handling itself. This is a potentially serious problem that could affect all kinds of DNS queries, not just those relating to DNSSEC.

I note that RFC 2671, the Internet standard that enables larger DNS responses, is now more than 17 years old. The routers Vodafone supplied to its customers really ought to be able to support such basic functionality.

At the moment, I don't have a solution for this problem. Is there a power-users admin interface to the Vodafone routers that might expose additional functionality?

Kind regards,
--dwm

Community home

Local recursive DNS and DHCP issues