[asterisk-users] one for your filters

Gordon Henderson gordon+asterisk at drogon.net
Thu Jun 24 03:20:08 CDT 2010 

On Wed, 23 Jun 2010, Steve Edwards wrote:

> On Wed, 23 Jun 2010, Gordon Henderson wrote:
>
>>>> Ouch. 82.0.0.0/8 is on my block list, available at:
>>>>
>>>> 	http://www.sedwards.com/class-a-block-list
>>>> 
>>>> If you don't need to receive packets from far away places, it's a great 
>>>> start.
>> 
>> I'd like to have a look, but can't - I think there may be issues with your 
>> registrar for your domain - from where I am, there are no glue records for 
>> the nameservers, therefore I can't look it up... Looks like it was last 
>> edited just over 4 weeks ago, so maybe some caches are starting to 
>> time-out...
>> 
>>> From whois:
>>
>>    Domain servers in listed order:
>>       DOMAIN0.SEDWARDS.COM
>>       DOMAIN1.SEDWARDS.COM
>> 
>> You need to supply the IP address of the nameservers (the glue records) if 
>> they're inside your own domain...
>
> I think I have the name servers configured correctly. I think you were having 
> difficulty because I was blocking everything from 195.0.0.0/8

> Please try again.

I have and get the same results.

DNS glue records are held by the registrar on the gTLD name servers, not 
your own servers - so (even though I can't access them), I should be able 
to see the IP addresses for your 2 name servers (DOMAIN[01].SEDWARDS.COM). 
The output of 'whois' should provide me with those IP addresses, but it's 
not.

See:

   http://en.wikipedia.org/wiki/Domain_Name_System#Circular_dependencies_and_glue_records

E.g. do a whois on my domain, drogon.net and you'll see

       ns1.drogon.net        195.10.225.68

which indicates the glue record is in-place for ns1.drogon.net - the glue 
is needed because otherwise no-one would be able to find ns1.drogon.net 
unless they already knew it's IP address - which they won't without the 
glue in the gTLD servers. Same for your nameservers - no-one can find 
domain0.sedwards.com unless they know it's IP address, and they can't find 
that IP address because they don't know the IP address of your nameservers 
- a circular dependancy that can only be broken by providing the IP 
address as glue in the gTLD server. This are probably working for some 
people right now because of caching going on - I suspect you made a change 
just over 4 weeks ago and that's a typical cache-time out for a lot of 
systems. Your site is going to drop off the Internet fairly soon unless 
you get the glue records in-place.

And I wasn't accessing from 195/8, but from 81/8. (Although I've tried 
from both places) Your filtering is far to wide-spread - you can't invite 
people to view things when you're blocking off a third of the Internet - 
including most of Europe. Well, you can, but then people are just going to 
whinge. That's as bad as what Earthlink or was it Verizon did a while back 
when they decided to reject all email from Europe on the flawed basis that 
more spam comes from Europe than the US. (It doesn't)

Gordon

More information about the asterisk-users mailing list