2degrees DNS - no DNS over TCP using broadband (Wellington)

Forums › 2degrees (including Slingshot, Orcon, Flip, Stuff Fibre, MyRepublic, 2talk and Vocus) › 2degrees DNS - no DNS over TCP using broadband (Wellington)

CodeSourcerer

138 posts

Master Geek
+1 received by user: 49

#293760 11-Feb-2022 21:51

Hi,

I've found that sending TCP DNS queries to the (new) 2degrees DNS resolvers does not work on broadband - dig reports that the connection times out.
Can anyone else replicate this? (The broadband connection is in the Wellington region)

I don't encounter any issues sending UDP DNS queries to the new 2degrees DNS resolvers, nor do I encounter any issues sending TCP or UDP DNS queries to the old 2degrees DNS resolvers.

I also don't encounter any issues sending TCP or UDP queries to the new 2degrees DNS resolvers using my phone (on 2degrees mobile data) tethered to my laptop.

(To be clear, there are no problems with general day to day internet usage that I have experienced. What this breaks is e.g. large UDP DNS responses that are truncated and retried with TCP)

freitasm

BDFL - Memuneh
80657 posts

Uber Geek
+1 received by user: 41069

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#2866695 11-Feb-2022 22:11

Is there any documentation indicating they should work over TCP?

Referral links: Quic Broadband (free setup code: R587125ERQ6VE) | Samsung | AliExpress | Wise | Sharesies

Support Geekzone by subscribing (browse ads-free), or making a one-off or recurring donation through PressPatron.

CodeSourcerer

138 posts

Master Geek
+1 received by user: 49

#2866702 11-Feb-2022 22:32

freitasm: Is there any documentation indicating they should work over TCP?

RFC 1123, section 6.1.3.2 "Transport Protocols"

For related reading: "DNS Flag Day 2020" and the associated blog posts by APNIC and Cloudflare.

michaelmurfy

meow
13581 posts

Uber Geek
+1 received by user: 10914

Moderator

ID Verified

Trusted

Lifetime subscriber

#2866703 11-Feb-2022 22:37

Actually, I am wondering if this is a recent change. Something changed which basically broke my DNS servers on my network and I was seeing a whole lot of timeouts to 2degrees DNS servers (new). I do generate a fair few requests given my network is quite big. In the end to resolve this I set up unbound locally here + my DNS servers talk over UDP/TCP.

I know this isn't too helpful, but I think @pwner may be able to provide some more insight.

Michael Murphy | https://murfy.nz
Referral Links: Quic Broadband (use R122101E7CV7Q for free setup)

Are you happy with what you get from Geekzone? Please consider supporting us by subscribing.
Opinions are my own and not the views of my employer.

freitasm

BDFL - Memuneh
80657 posts

Uber Geek
+1 received by user: 41069

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#2866727 11-Feb-2022 23:05

Thanks, I understand that. My question should be “did they ever work this way"?

Referral links: Quic Broadband (free setup code: R587125ERQ6VE) | Samsung | AliExpress | Wise | Sharesies

Support Geekzone by subscribing (browse ads-free), or making a one-off or recurring donation through PressPatron.

aspired

33 posts

Geek
+1 received by user: 46

ID Verified

Trusted

2degrees

#2866729 11-Feb-2022 23:18

Thanks team for the heads up. I’ll look into this

pwner

423 posts

Ultimate Geek
+1 received by user: 96

Trusted

2degrees

#2867994 14-Feb-2022 10:01

michaelmurfy:

Actually, I am wondering if this is a recent change. Something changed which basically broke my DNS servers on my network and I was seeing a whole lot of timeouts to 2degrees DNS servers (new). I do generate a fair few requests given my network is quite big. In the end to resolve this I set up unbound locally here + my DNS servers talk over UDP/TCP.

I know this isn't too helpful, but I think @pwner may be able to provide some more insight.

@aspired is the best person to look at this and looks like he is already onto it.

Any posts are personal comments and not that of my employer

HP

Shop now for HP laptops and other devices (affiliate link).

MadEngineer

4591 posts

Uber Geek
+1 received by user: 2570

Trusted

#2868071 14-Feb-2022 10:38

freitasm: Is there any documentation indicating they should work over TCP?

https://datatracker.ietf.org/doc/html/rfc1034

You're not on Atlantis anymore, Duncan Idaho.

freitasm

BDFL - Memuneh
80657 posts

Uber Geek
+1 received by user: 41069

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#2868110 14-Feb-2022 11:45

Yes, my question is if 2degress ever documented it should work with their network and if it worked before.

Referral links: Quic Broadband (free setup code: R587125ERQ6VE) | Samsung | AliExpress | Wise | Sharesies

Support Geekzone by subscribing (browse ads-free), or making a one-off or recurring donation through PressPatron.

timmmay

20859 posts

Uber Geek
+1 received by user: 5350

Trusted

Lifetime subscriber

#2868131 14-Feb-2022 12:02

DNS is meant to work on either TCP or UDP. TCP is typically used for large queries only as UDP is more efficient. Supporting only UDP means some queries may fail.

CodeSourcerer

138 posts

Master Geek
+1 received by user: 49

#2934312 25-Jun-2022 16:42

I'm back on a 2degrees broadband connection (been away for a few months), and the original post is still applicable.

Just wondering if anyone else can still replicate this (minor) issue?

As an example, `dig +tcp @111.69.69.69 a www.google.com.` replicates the issue for me. (The server address can be replaced with any of the other new DNS resolver addresses, and the DNS query itself (i.e. querying the A record for www.google.com.) doesn't matter.)

(I am saying 'Wellington region' broadly - I don't want to provide a more granular location in public.)

timmmay

20859 posts

Uber Geek
+1 received by user: 5350

Trusted

Lifetime subscriber

#2934335 25-Jun-2022 18:40

I'm in the Wellington area, it looks to me like 2degrees DNS doesn't support TCP. Is this actually causing a problem for you? Maybe you should just use Google / CloudFlare DNS?

AliExpress

Shop now on AliExpress (affiliate link).

ANglEAUT

altered-ego
2436 posts

Uber Geek
+1 received by user: 842

Trusted

Lifetime subscriber

#2934452 25-Jun-2022 22:14

ethanbmnz: ... Can anyone else replicate this? (The broadband connection is in the Wellington region) ...

Also happening in the Auckland region.

Please keep this GZ community vibrant by contributing in a constructive & respectful manner.

fe31nz

1294 posts

Uber Geek
+1 received by user: 423

#2934511 25-Jun-2022 23:49

I am in Palmerston North and am not getting DNS over TCP either. It is not the most important thing in the world for it to work, but there are certain edge cases of very large queries that will only work over TCP and as I understand it most DNS clients will automatically try TCP when a UDP request fails for that reason. I thought all the standard DNS servers supported TCP connections by default as it is part of the standard, so for it not to work on 2degrees means they have misconfigured something - maybe some firewall rules?

olivernz

512 posts

Ultimate Geek
+1 received by user: 177

ID Verified

Trusted

Lifetime subscriber

#2934992 27-Jun-2022 17:35

Nope, no TCP resolution in Kapiti over TCP. But as stated above I tend to use DoH to Cloudflare & Quad9. Of course all behind PiHole ;o)

michaelmurfy

meow
13581 posts

Uber Geek
+1 received by user: 10914

Moderator

ID Verified

Trusted

Lifetime subscriber

#2934998 27-Jun-2022 17:53

@olivernz Have a look at https://nextdns.io/ - that is what I am using to supplement PiHole (I also use DoH). Also handy if you have multiple networks (eg, Guest WiFi) as you can set different profiles to each without the need to spawn additional PiHole instances.