If anyone who is using OpenDNS finds that pages from the BBC start to look odd, this is because OpenDNS are blocking one of their domains due to a reported threat.
A way to check this is (in Chrome) to try to open the image URL from the broken image graphic. You should then get a page from OpenDNS telling you this is blocked.
Think the domain in question is static.bbci.co.uk but can't check as I have changed my DNS to Google which fixed the problem.
Regards
Anthony
|
|
|
|
Thanks for the information. I spent ages trying to work out what was causing the problem, but have now changed DNS servers and it's fixed it.
|
|
|
You might find the following article interesting;
Get your DNS in order!
There can be significant performance hits beyond increased lookup time by using a remote third party DNS server compared to your own or your ISP's.
|
|
|
I found using OpenDNS made browsing slightly faster, although I guess it depends how good/bad your ISP's DNS servers are.
|
|
|
You might find the following article interesting;
Get your DNS in order!
There can be significant performance hits beyond increased lookup time by using a remote third party DNS server compared to your own or your ISP's.
Namebench will tell you which is fastest for you.
https://code.google.com/p/namebench/
|
|
|
I run my own DNS servers so they are probably the fastest
|
|
|
I run my own DNS servers so they are probably the fastest 
Well yes but where do they get their DNS information from, the root servers?
Zen 8000 Pro
|
|
|
There is a local "hint" file which directs the server to the root servers and my server will then query whichever DNS server is authoritative for each domain lookup requested. It works in exactly the same way as most ISPs' nameservers.
My laptop runs BIND on bootup so my DNS server for my laptop is 127.0.0.1
This works most of the time but some wi-fi hotspots block clients from using any DNS except their own.
|
|
|
I also run my own DNS server (in the sense of a configurable one... technically most people are actually running a DNS server at home, i.e. their router), but I found that using Zen DNS as a forwarder was considerably quicker than using the root hints, so that's what I do.
Zen 8000 Pro
|
|
|
I found that using Zen DNS as a forwarder was considerably quicker than using the root hints, so that's what I do.
Having thought about why this would be faster, I think I see why you have done this. Basically, you're using the assumption that most other Zen customers will be using Zen name servers, and that most other customers will be visiting the same sites as you (Facebook, YouTube, Twitter etc), from the same geographical location (UK, obviously) as yourself. Thus, when the cache expires on your local network resolver, it will forward the request to Zen (very close). Zen will most likely already have a cached result to send back to you from other customers' browsing requests, so you get a fast reply back to your resolver and LAN clients.
Just using a stand alone caching root/hint server setup (like I do), this extra layer of querying is unlikely to be of the same volume so more often than not, when cache does expire for a site, a root/hint resolver will have to go all the way back to the root servers again to return a lookup once more. Granted, this lookup delay is only going to occur once every one to three days (TTL of root servers), but it will happen more often on that setup compared to a DNS forwarding one like you have.
Food for thought I guess. The only thing I don't like about a forwarding setup is that I'm relying on servers I don't have control over. At least I know when something isn't loading (due to DNS), it's more than likely my fault (to have all 13 root servers to be out of service is almost a complete impossibility).
All in all, I would say your setup is probably -the- best possible setup to have in terms of speed, provided Zen's name servers remain 100% reliable. A direct local root/hint resolver would come second.
Edited by deleted (Tue 24-Dec-13 21:18:39)
|
|
|
Also this: https://www.grc.com/dns/benchmark.htm
It can also find the fastest DNS servers for you. Takes ages, so leave it running overnight.
|
|
|
The reasons you mention are exactly why I went with this setup indeed; when you unravel it logically, on performance grounds, it makes sense to do it that way. Except I don't use Facebook and Twitter though.
I actually benchmarked it using the GRC tool at the time too; the differences were quite non-trivial when using root hints compared to a forwarder. I tried a few ISPs' forwarders actually and most of them were still quicker than using root hints. The main reason is going to be geographical: using root hints is going to result in lots more queries to the US and other countries. Like you say, using Zen as a forwarder, most of them will be cached, and if it does need to go and grab a new one, it is better their server in a datacentre doing the legwork contacting DNS servers around the world etc. rather than my 8Mbps ADSL connection.
And yes, the most important assumption is that Zen are running their DNS servers properly, so far I've not seen anything to the contrary, but if they do pull any stunts like redirection, filtering, etc I would be the first to move it away rest assured!
If both of Zen's forwarders aren't available mine is set to fall back to root hints, though if both of Zen's DNS servers were down there is a good chance my broadband connection with them might also be too.
I also run DHCP on that server too... Things just work so much nicer.
Zen 8000 Pro
Edited by Pipexer (Tue 24-Dec-13 22:11:37)
|
|
|
Good ideas there, so I've gone with them.
I run dnsmasq on my Linux router. I've reworked that with a list of forwarding nameservers it should use (AAISP in this case, both IPv4 and IPv6 addresses). On the end of those, I've stuck ::1 and 127.0.0.1 as a fall back (my root/hint caching server, which is unbound, bound to the IPv4 and IPv6 localhost interfaces of the router).
So the upshot is, dnsmasq will now query AAISP DNS servers, and cache results. If they go down, it will fall back to unbound (root/hint caching server), by querying on the localhost interfaces.
I also have some other funky custom firewall configuration which I've applied onto the router. Anything on port 53 is caught and is redirected to dnsmasq. So if I have some nasty piece of malware that decides to try and take over a device by placing malicious DNS server entries into the device, that will get caught, and redirected to dnsmasq on the router, regardless of what those malware DNS servers are. A nice safety net to have I reckon.
I also have some further fancy custom configuration where I can, on a per client MAC address basis, round robin forward requests (directly using the Linux firewalling sub-system this time) to one or more DNS servers. So for example, I can force my iPhone to use OpenDNS (round robin-ing requests to all 4 IP addresses they have) and have my laptop forced to use Google DNS. Basically, I can customise each device to use whatever DNS service required. I suspect not many people have this level of granularity, but it is a pretty cool feature.
|
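The port 53 catch-all and the per-MAC round robin described in the post above, sketched as an added example that is not the poster's own configuration. It prints iptables NAT rules rather than applying them, and assumes iptables with the mac and statistic match modules; the interface name, the MAC address and the 192.0.2.x resolver addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example: prints (does not apply) the NAT rules for a port 53
# safety net plus a per-client round robin. Interface, MAC and resolver
# addresses are constructed placeholders, not values from the thread.
LAN_IF="${LAN_IF:-br-lan}"

# Catch-all: any DNS query arriving from the LAN, whatever server the
# client was configured with, is handed to the resolver on the router.
catch_all_rules() {
    for proto in udp tcp; do
        echo "iptables -t nat -A PREROUTING -i $LAN_IF -p $proto --dport 53 -j REDIRECT --to-ports 53"
    done
}

# Per-client override: spread one MAC's queries evenly over N resolvers.
# Each rule only sees traffic the earlier rules passed over, so rule 1
# takes every Nth flow, rule 2 every (N-1)th of the rest, and the last
# rule has no statistic match and takes whatever remains.
per_mac_rules() {
    mac="$1"; shift
    remaining=$#
    for resolver in "$@"; do
        for proto in udp tcp; do
            match="-i $LAN_IF -p $proto --dport 53 -m mac --mac-source $mac"
            if [ "$remaining" -gt 1 ]; then
                match="$match -m statistic --mode nth --every $remaining --packet 0"
            fi
            echo "iptables -t nat -A PREROUTING $match -j DNAT --to-destination $resolver:53"
        done
        remaining=$((remaining - 1))
    done
}

# First match wins in PREROUTING, so the per-client rules must be
# appended before the catch-all or they would never be reached.
dns_rules() {
    per_mac_rules "$@"
    catch_all_rules
}

# Dry run with constructed values: review the output before applying it.
dns_rules 02:00:00:00:00:01 192.0.2.1 192.0.2.2 192.0.2.3 192.0.2.4
```

Only traffic to port 53 is caught; a client using DNS over TLS (port 853) or DNS over HTTPS (port 443) is not affected by these rules. IPv6 clients need the equivalent ip6tables rules.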