New chapter of my router project if you don’t care to follow it you probably don’t want to read this at all.
Libero – or Infostrada, Wind, how the heck do you want to call it today – is my provider. Like other providers in Italy, who have probably noticed their users using OpenDNS instead of the standard DNS they provide, they started providing “captive redirects” on failed urls: when you mistype an URL or you try to access an hostname that does not exist, they redirect to their own servers, using their own “search engine” (nowadays just a Google frontend!).
This breaks quite a few assumption, included the fact that the .local
domains won’t resolve in the standard DNS servers, which in turn makes nss-mdns
almost unusable.
Up to a couple of months ago, Libero only provided this service in the primary nameserver, and if you switched around primary and secondary servers, you sidestepped the issue (that was the actual advertised procedure by the Libero staff, on the public page that was linked from within the search results). Unfortunately this had other side effects, for instance the time needed for the update of records more than doubled, which was quite boring with dynamic DNS and with newly-created domains.
Luckily, pdnsd supports blocking particular IP returned by the results to avoid the fake records created for captive redirects, and the example configuration file itself provides an example for using that with OpenDNS to avoid falling into their redirected Google host (quite evil of them in my opinion). And in particular, at the time, there was only one host used for captive redirect, so the rule was quite simple.
Fast forwards to today, the rule have changed; first of all it seems like Libero now uses redirects on both servers (or the secondary fails so often that it always responds from the primary), and most importantly they increased the number of IPs the redirects respond from. After counting four different IPs I decided to go with something more drastic, and ended up blacklisting the whole /24
network that they belong to (which is assigned, in RIPE, to Tiscali France… which is quite strange). I’m not sure if I ended up blacklisting more than I should have; for now it blacklists just enough for me to keep on browsing the net without adverse effects that I can see, and it also no longer stop me from enjoying .local
domains… and Firefox auto-search with Google when the hostname does not exist.
For those interested, the configuration section is this one:
server {
label= “libero”;
ip = 193.70.152.15, 193.70.152.25;
proxy_only=on;
timeout=4;
reject = 195.210.87.131/32, 62.210.183.0/24;
}
The first IP (a single host) is the one that was used earlier, I keep it on the blacklist just to be on the safe side.
What a mess. My provider, Comcast, started doing this a few weeks ago, but luckily, they still offer an opt-out system that works.IMHO, offering Internet service that isn’t compliant with how the Internet works should be considered false advertising, and therefore illegal.You have to love monopolies, eh?
Wouldn’t it be simpler to just use your own DNS resolver (eg. Bind in default configuration) instead of forwarding queries to your ISP and then hacking the results?
That’s exactly what I was about to ask – why not running your own DNS server ?
Beside the fact that a recursive DNS server takes _quite_ more time than using a local caching server (my ISP’s), and I could feel that hit when I tried it for a while…I’m not sure whether it’s something happening by design or by mistake, but when there is heavy load, my ISP seems to discard UDP DNS requests that don’t go to their own DNS servers… this includes both OpenDNS servers _and_ root name servers… so running my own server is not really an option.And never in my sane mind I would dream of using bind anyway 😉
WRT to caching DNS requests, I don’t feel slowdown with my own DNS. It has its caches so it goes only after new, unseen names.Which takes a split second here and there, but that is relatively rare.WRT to your ISP: Maybe it’s time for some high-explosive application ? ;o)Seriously, where have you found those clowns ?I don’t really have high high opinion about church, but local preasts here have beaten everyone else by investing in “T-2” our ISP that kicks ass.I have here VDSL 22/1 ( couldn’t get fiber here), over which I get VoIP, TV and 8/1 internet for peanuts. And IIRC 4 IP adresses- static.And there is practically no filtering.At home I could manage to get to fiber, so I’ve got 100/100 fiber – for €40/month. Also without any kind of filtering that I could see…
These “clowns” are actually one of the best providers you can find for personal use, without ending up spending over €200/month.Now you can guess how the situation is with the rest of the bunch 🙁
What kind of connection do you have ? I’ve found NGI to be pretty good and not much more expensive than the average
Last I checked NGI, while guaranteeing the bandwidth, costed between 3 and 4 times more than Wind. Which is just unacceptable, given at the end I pay a lot less for almost the same (de facto) bandwidth (which is nowhere near what they promise of course).
Regarding .local addresses, Ubuntu has this line in /etc/nsswitch.conf:hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4which means .local addresses are resolved before using DNS.
I got the same line, the problem is that it only works when either expliciting the local part (yamato.local), or if you add it with the search option in resolv.conf.Without the search option, it’ll try just “yamato”, mdns4_minimal would reject it, then dns would find the captive redirect.By the way, nss-mdns requires a restructuration, I also started working on it, but Lennart says it’s a long way before it’s useful.