
Back on the air

Wed 16 Jun 2010 by mskala

I'm posting this over the new cablemodem connection. The installation went reasonably well; the installer as such came in and did his job and didn't give me a hard time about not having a consumer-level computer setup. There was an extra guy called the "Inspector" who seemed to theoretically be there to rate the installer's performance, but actually just spent an hour watching me play Freecol while the installer hooked up the wires. I could have done without that and no doubt the installer could have too, but whatever.

IP connectivity was even easier than with the DSL, because the cable modem provides a DHCP lease directly over Ethernet, whereas the DSL I'd been using was PPPoE. But every silver lining has its thorn, and it's probably a good thing I didn't discover this one until after the installer and the inspector left, because there would have been nothing they could do about it and they didn't need to hear my cussing at their bosses.

It turns out that Rogers's DNS servers do not return a failure when a lookup fails; instead they return the address of a co-branded Yahoo search engine. As a result, when my firewall box downloaded the backlogged email and passed it to its local Sendmail, the local Sendmail looked up the name of my desktop machine, which doesn't exist on the external DNS. What was supposed to happen was that the lookup would fail, and then the local Sendmail would look in its hosts file, get the 10.* address of the desktop machine, and send the mail there. Instead, because the Rogers DNS doesn't return failure properly, it got the address of the co-branded Yahoo search engine and tried to send all my mail there. Fortunately, that machine didn't accept it.
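The broken behaviour described above can be checked directly, without going through the system resolver or the hosts file at all. This is an added example, not code from the original post: it sends a raw DNS query for a random name under the reserved .invalid TLD to a resolver of your choosing and reports whether the reply is an honest NXDOMAIN or a synthesized address; the resolver address and the constructed replies used as fixtures are assumptions.

```python
# Added example, not from the post: detect an NXDOMAIN-hijacking resolver by asking it
# for a name that cannot exist and checking whether RCODE 3 or a made-up A record comes back.
import random, socket, string, struct

def encode_name(name):
    """RFC 1035 wire name: length byte + label for each label, then a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"

def build_query(name, txid=0x1234):
    hdr = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)    # flags 0x0100: recursion desired
    return hdr + encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def build_response(query, rcode, ips):
    """Constructed fixture: a reply to `query` with the given RCODE and one A record per IP."""
    hdr = struct.pack("!HHHHHH", struct.unpack("!H", query[:2])[0], 0x8180 | rcode, 1, len(ips), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(ip) for ip in ips)
    return hdr + query[12:] + rrs            # \xc0\x0c is a pointer back to the question name

def skip_name(data, pos):
    while data[pos] and data[pos] & 0xC0 != 0xC0:   # a name ends at a zero byte or a pointer
        pos += data[pos] + 1
    return pos + 2 if data[pos] else pos + 1         # pointer is 2 bytes, zero label is 1

def parse_response(data):
    """Return (rcode, [A-record addresses]) from a raw DNS reply with one question."""
    _, flags, _, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    pos, ips = skip_name(data, 12) + 4, []   # past QNAME, QTYPE, QCLASS
    for _ in range(an):
        pos = skip_name(data, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(data[pos:pos + 4]))
        pos += rdlen
    return flags & 0x0F, ips

def classify(rcode, ips):
    if rcode == 3 and not ips:
        return "nxdomain"                    # the honest reply for a nonexistent name
    return "hijacked" if rcode == 0 and ips else "unexpected"

def probe(resolver, port=53, timeout=3.0):
    name = "".join(random.choices(string.ascii_lowercase, k=12)) + ".invalid"  # reserved TLD, RFC 2606
    query = build_query(name, random.randrange(65536))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (resolver, port))
        reply, _ = s.recvfrom(512)
    return classify(*parse_response(reply))  # e.g. probe("8.8.8.8") on a live network
```

A resolver that answers "hijacked" is doing what the post describes; the hosts-file workaround only papers over it for names you already know about.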

In the short term I am working around the problem by using Google's public DNS instead of the one Rogers recommends in the DHCP lease. One big part of the problem is a mistake in my own configuration, and my fault: my local Sendmail shouldn't depend on external DNS resolution to send mail internally to the LAN. I don't know why the hosts file doesn't override DNS; surely it should look there first? More research is needed. Sendmail should probably be using a hardcoded IP address to reach the other local machine instead of looking it up anywhere, anyway. The lookup exists for a reason, but it looks like lossage from broken lookups is likely to be a bigger problem than lossage from hardcoding the address.

In the longer term I'll probably be setting up my own DNS rather than relying on the broken one provided by Rogers, or the probably unbroken, but not really trustworthy, DNS from Google. None of this excuses Rogers's configuration, though. If they purport to provide DNS, they ought to provide real DNS, which means returning failure when the lookup fails. It's especially offensive because it's clearly deliberate brokenness. They didn't just misconfigure their servers through incompetence or not caring; they had to go to a fair bit of effort to set up this bullshit on purpose. That doesn't give me a warm fuzzy feeling about doing business with them.


Anonymous coward
You can change lookup order for anything using the standard interface (sendmail might not, since on all systems I've tried, files precedes dns) by editing /etc/nsswitch.conf -- I have my 'hosts:' line reading 'files wins dns' so that local lookups work through Samba even though my cheap router unit doesn't have builtin DNS.

You can also run a local DNS server and just point it at the root servers or OpenDNS or something -- I hear OpenDNS is at least gaining popularity among people whose ISPs issue broken responses like this. It defaults to broken behaviour, but lets you turn it off. Anonymous coward - 2010-06-16 14:38
Thanks. I dug through the Sendmail book and that indirectly led me to the nsswitch file - but it already said "files dns" both in /etc and in the other directory where Sendmail seemed to be looking. So far I haven't figured out a way to make Sendmail *really* look at hosts in preference to DNS; but there are a lot of variables involved and it's quite possible I simply haven't followed all the steps properly. In the meantime, I've set up a local DNS. I'd probably want one of those anyway, since Rogers's is evidently not to be trusted. Matt - 2010-06-16 15:12
Tony H.
Do have a look at dnsmasq: http://www.thekelleys.org.uk/dnsmasq/doc.html . It'd be nice for some of its features to be unnecessary, but it does have, among other neat things, explicit code for what the evil Rogers does (the -B option), and what Verisign did on a much larger scale back in 2003.

You can even run it on your Linksys firewall box - it's built into Tomato, for example.

As an aside, we signed up for Rogers business internet service at work as a backup to our "real" (fibre) ISP, and a number of tests suggest that even though it's provisioned over the same plant, the rules are much more, well, businesslike than the crap they serve up to their residential customers. I will try the "no such domain" and report back, but my recollection is that it returns a proper answer rather than some bogus Yahoo address. I did run a Glasnost test for several kinds of P2P packet blocking (bogus RST packets), and none of them detected anything. But there could still be other rate limiting going on. Certainly the Rogers business service has no SLAs and no statement that they won't diddle around with packets. I tried to get them to agree that they wouldn't, and they refused. Whereas our fibre ISP happily put it in writing. Tony H. - 2010-06-19 21:49
