Posts tagged with routing

What’s the harm in Google DNS? Performance!

July 2nd, 2011

A little side note to the tutorial series I’ve been writing up lately for building a ZFS fileserver: this one is about why Google DNS can be bad for your performance (well, depending on where you live).

A real quick rundown: we all know what DNS does, yeah? It translates domain names like www.scottyob.com into IP addresses like 112.140.183.97. A DNS server’s job is to do that translation for you.

Now, when it comes to Google DNS, if you believe in the propaganda http://code.google.com/speed/public-dns/ where Google DNS is said to

What Google doesn’t tell you is that it gets in the way of nameservers that try to hand you a server close to your home. I’d been using Google DNS for months here at home, but only now have I decided against it, and I’ll run through exactly what causes the performance issues.

I was trying to watch a program on iView over TPG’s internet connection. Now, TPG don’t have the best international links at peak times, so I first started getting frustrated at them for not letting me watch my iView program without buffering lags on my 8Mbit plan. I checked my signal-to-noise ratio, dropped packets, etc.; it was fine. I checked the bandwidth going out on the ppp interface on the router to see if I was maxing out the net connection at home, but nope, that was fine too, so I figured the problem must be with TPG.

Looking at what was going on, I did a little traceroute to www.abc.net.au:

traceroute: Warning: www.abc.net.au has multiple addresses; using 125.252.224.73
traceroute to a1632.g.akamai.net (125.252.224.73), 64 hops max, 52 byte packets
1 10.1.1.254 (10.1.1.254) 1.919 ms 1.260 ms 1.202 ms
2 * * *
3 202.7.173.17 (202.7.173.17) 27.056 ms 26.317 ms 26.693 ms
4 syd-sot-ken-crt1-ge-5-1-0.tpgi.com.au (202.7.162.173) 26.283 ms 26.884 ms 26.100 ms
5 ix-11-1-0-507.tcore2.tv2-tokyo.as6453.net (116.0.88.21) 153.325 ms 135.736 ms 126.568 ms
6 if-14-0-0-1720.core1.tv2-tokyo.as6453.net (209.58.61.121) 1481.461 ms
if-1-0-0-1715.core1.tv2-tokyo.as6453.net (209.58.61.125) 298.270 ms
if-14-0-0-1720.core1.tv2-tokyo.as6453.net (209.58.61.121) 282.141 ms
7 if-10-0-0-981.core3.hk2-hongkong.as6453.net (116.0.82.85) 208.232 ms
if-5-0-0.core3.hk2-hongkong.as6453.net (116.0.82.1) 199.170 ms
if-10-0-0-981.core3.hk2-hongkong.as6453.net (116.0.82.85) 206.027 ms
8 vlan31.icore1.hk2-hongkong.as6453.net (116.0.82.18) 219.937 ms 204.963 ms 196.273 ms
9 80.150.169.25 (80.150.169.25) 333.519 ms 306.138 ms 307.031 ms
10 80.156.224.6 (80.156.224.6) 358.402 ms 320.029 ms 349.133 ms
11 a125-252-224-73.deploy.akamaitechnologies.com (125.252.224.73) 332.188 ms 331.008 ms 314.833 ms

Looking at this traceroute, the first thing I thought was “Why on earth is ABC hosting its website in Hong Kong (or at least routing the traffic via Hong Kong)?” I immediately rejected the idea that ABC would do this and blamed TPG’s stupid routing decisions.

Looking up the IP address further (http://www.dnsstuff.com/tools/ipall/?tool_id=67&token=&toolhandler_redirect=0&ip=125.252.224.73), it looks like it’s hosted in Singapore, and some googling shows Akamai Technologies is the web host for ABC. OK, so what is going on here?

Then I did a little DIGging around on the ABC domain, and check this out.

Using Google DNS (8.8.8.8, hosted in America):

; <<>> DiG 9.6.0-APPLE-P2 <<>> www.abc.net.au @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16084
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.abc.net.au. IN A

;; ANSWER SECTION:
www.abc.net.au. 882 IN CNAME www.abc.net.au.edgesuite.net.
www.abc.net.au.edgesuite.net. 21581 IN CNAME a1632.g.akamai.net.
a1632.g.akamai.net. 2 IN A 63.150.131.41
a1632.g.akamai.net. 2 IN A 63.150.131.33

;; Query time: 161 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Jul 3 00:37:00 2011
;; MSG SIZE rcvd: 135

And using TPG’s DNS server (203.12.160.35):

macshell:~ scott$ dig www.abc.net.au @203.12.160.35

; <<>> DiG 9.6.0-APPLE-P2 <<>> www.abc.net.au @203.12.160.35
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11673
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.abc.net.au. IN A

;; ANSWER SECTION:
www.abc.net.au. 523 IN CNAME www.abc.net.au.edgesuite.net.
www.abc.net.au.edgesuite.net. 12274 IN CNAME a1632.g.akamai.net.
a1632.g.akamai.net. 10 IN A 202.7.177.66
a1632.g.akamai.net. 10 IN A 202.7.177.83

;; Query time: 29 msec
;; SERVER: 203.12.160.35#53(203.12.160.35)
;; WHEN: Sun Jul  3 00:38:20 2011
;; MSG SIZE  rcvd: 135

So there we go, hosted in Sydney, Australia. So how does the traceroute compare?

macshell:~ scott$ traceroute www.abc.net.au
traceroute: Warning: www.abc.net.au has multiple addresses; using 202.7.177.83
traceroute to a1632.g.akamai.net (202.7.177.83), 64 hops max, 52 byte packets
1  10.1.1.254 (10.1.1.254)  1.711 ms  1.134 ms  1.100 ms
2  * * *
3  202.7.173.17 (202.7.173.17)  27.047 ms  26.072 ms  26.502 ms
4  syd-sot-ken-ak2-83.tpgi.com.au (202.7.177.83)  26.540 ms  26.835 ms  26.540 ms

Nameservers can be set up to hand out different addresses depending on where the query appears to come from (geographic positioning, in a first in, best dressed kind of way). So if you’re using Google’s DNS servers (8.8.8.8), it so happens that because the resolver is in America (check out their IP address: CA), I started getting update servers and the like that were closest, in latency terms, to America rather than to Sydney, Australia.
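To make the comparison above repeatable, here is an added example (my code, not anything from the original post) of a minimal DNS client and wire-format parser in pure Python. It sends the same A query to any resolvers you name and prints the addresses each one hands back with the round-trip time, which is exactly the check that exposed the Akamai difference here. The two resolver addresses are the ones on the page; the two embedded responses are constructed inline from the dig output above so the comparison part runs offline, and the live `resolve` call at the bottom needs network access.

```python
# Added example: tiny DNS A-record client and parser, standard library only.
import random
import socket
import struct
import time

A, CNAME = 1, 5  # the record types we care about


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname, qid):
    """Recursive A query: header (RD set), question, QTYPE=A, QCLASS=IN."""
    return struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0) + encode_name(qname) + struct.pack(">HH", A, 1)


def read_name(msg, offset):
    """Decode a possibly-compressed name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 section 4.1.4)
            pointer = struct.unpack(">H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            offset, jumped = pointer, True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (end if jumped else offset)


def parse_answers(msg, expected_id):
    """Return the ANSWER section as (owner, rtype, ttl, value) tuples."""
    qid, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", msg[:12])
    if qid != expected_id:
        raise ValueError("response id does not match query id")
    if flags & 0x000F:
        raise ValueError("server returned RCODE %d" % (flags & 0x000F))
    off = 12
    for _ in range(qdcount):  # skip the echoed question(s)
        _, off = read_name(msg, off)
        off += 4
    answers = []
    for _ in range(ancount):
        owner, off = read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == A:
            value = socket.inet_ntoa(msg[off:off + rdlen])
        elif rtype == CNAME:
            value, _ = read_name(msg, off)
        else:
            value = msg[off:off + rdlen].hex()
        off += rdlen
        answers.append((owner, rtype, ttl, value))
    return answers


def a_records(answers):
    """Sorted IPv4 addresses from an answer set."""
    return sorted(value for _, rtype, _, value in answers if rtype == A)


def resolve(qname, server, timeout=3.0):
    """Query one resolver over UDP (needs network); return (answers, ms)."""
    qid = random.randrange(65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        started = time.monotonic()
        sock.sendto(build_query(qname, qid), (server, 53))
        data, _ = sock.recvfrom(4096)
    return parse_answers(data, qid), (time.monotonic() - started) * 1000


def build_response(qid, qname, answers):
    """Construct a response as a server would; used only for offline input."""
    msg = struct.pack(">HHHHHH", qid, 0x8180, 1, len(answers), 0, 0)  # QR RD RA
    msg += encode_name(qname) + struct.pack(">HH", A, 1)
    for owner, rtype, ttl, value in answers:
        owner_bytes = b"\xc0\x0c" if owner == qname else encode_name(owner)  # pointer to question name
        rdata = socket.inet_aton(value) if rtype == A else encode_name(value)
        msg += owner_bytes + struct.pack(">HHIH", rtype, 1, ttl, len(rdata)) + rdata
    return msg


# Constructed offline input: the two answers the dig runs above received, as wire messages.
SAMPLE = {
    "8.8.8.8": (16084, build_response(16084, "www.abc.net.au.", [
        ("www.abc.net.au.", CNAME, 882, "www.abc.net.au.edgesuite.net."),
        ("www.abc.net.au.edgesuite.net.", CNAME, 21581, "a1632.g.akamai.net."),
        ("a1632.g.akamai.net.", A, 2, "63.150.131.41"),
        ("a1632.g.akamai.net.", A, 2, "63.150.131.33")])),
    "203.12.160.35": (11673, build_response(11673, "www.abc.net.au.", [
        ("www.abc.net.au.", CNAME, 523, "www.abc.net.au.edgesuite.net."),
        ("www.abc.net.au.edgesuite.net.", CNAME, 12274, "a1632.g.akamai.net."),
        ("a1632.g.akamai.net.", A, 10, "202.7.177.66"),
        ("a1632.g.akamai.net.", A, 10, "202.7.177.83")])),
}


def compare_sample():
    """Parse both constructed responses; return (addresses per resolver, all agree?)."""
    seen = {srv: a_records(parse_answers(msg, qid)) for srv, (qid, msg) in SAMPLE.items()}
    return seen, len({tuple(v) for v in seen.values()}) == 1


if __name__ == "__main__":
    print(compare_sample())  # offline: the two resolvers disagree
    for server in ("8.8.8.8", "203.12.160.35"):
        answers, ms = resolve("www.abc.net.au", server)
        print(server, a_records(answers), "%.0f ms" % ms)
```

If the address sets differ between resolvers, the CDN is steering on the resolver’s location rather than yours; a traceroute to each address then shows which one actually sits on your ISP’s network.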

Simply by changing from Google’s DNS servers to my ISP’s, I get healthier latency and am no longer sending traffic over saturated overseas links. So how does this compare with ABC iView? Well, check it out:

iView before

And when I’m using my own ISP’s DNS

Happy New Year – Resolution #1, Network & Data

January 1st, 2011

It’s a new year and time to start putting New Year’s resolutions into action. I’ve moved into my new area in the study, so I’ve started setting it up how I like.

The first step is to get my router set up. The router I’m using is a little ‘fit-pc’ box with two ethernet ports. As you can see, it’s pretty tiny, but it doesn’t pack much in terms of power.


I’ve put my D-Link modem/router in bridge mode (so it just acts as a layer-two modem/bridge) and let the fit-pc router establish a PPPoE session with my ISP and do all the routing with iptables (I’ve got to update my firewall script and the services running on the box, and post up the how-tos for that later on). Now the little crappy D-Link thing doesn’t fall over and die when torrenting: the router does all the routing, so torrenting no longer hogs entries in the D-Link’s NAT table, which is always a good thing.

One of my New Year’s resolutions is to digitise everything (and make it reliable to do so) so I don’t have to worry about any paper floating around in my life (I HATE paperwork). To do this, I want to add a few more features to my home network whilst improving security (especially after my VoIP was hacked a while ago).

I’m splitting my network into ‘trusted’ and ‘not so trusted’ zones. The beauty is that because my router now has two NICs, putting a small 8-port switch into the equation will let me route traffic between these zones in a nicely firewalled way.

I’d generally be lazy and put WPA-PSK security on the access point.

I feel safe doing this; from a ZDNet article:

All you need to do is use WPA-PSK security with a random alpha-numeric pass-phrase that has a minimum of 10 characters. I estimated that a truly random alpha-numeric 10-character pass-phrase using modern single-core computers will take one thousand PCs working in parallel 500 years to crack

I lol’d a bit where it says “.. you could run WEP (104 bit AKA 128) security, which might take a semi-skilled script kiddy using two PCs in an active attack configuration 10 minutes to break.”

At the moment, my wireless is secured by only a 64-bit WEP key (shock horror!). Why? Because I’ve got damn devices like the Nintendo DS on here (which I’ve been wasting a bit of time on lately) that don’t support WPA.

I could hide my SSID, do MAC filtering, not run DHCP, all that jazz, but the end of the story is that this can all be hacked by people who know what they’re doing (MAC addresses can be spoofed, and if you’re using your wireless network then you’re still broadcasting stuff).

I’m not terribly worried at the moment if someone hacks in: they can steal some of my crappy 1.5Mbit internet, and they can print to my printer (have fun). My workstations themselves are protected to some degree, but what about when I build my file server and start storing bank statements, tax file numbers, all that stuff? The more layers of security the better! (I learnt this the hard way, trust me.)

As I’ve already said, the way I’m lessening my fear of these security problems is by splitting my network into trusted and not so trusted zones.

User isolation on the access point means that the wireless clients won’t be able to see each other on the network. I’ll allow traffic to and from certain devices on the trusted network (the printer, for instance), but to gain access to any of my secure boxes (fileserver, other workstations), wireless clients will have to first connect over WEP and then establish a secured VPN connection into the trusted zone. With this setup, even if someone breaks into my WiFi, good on them: they get crippled net (I might cap WiFi bandwidth to the net, not decided yet) and access to.. well, my printer again *sigh*

Network stack lol!


Home networking is back

November 7th, 2010

So, since I had the scare with my Asterisk VoIP box being hacked and a telephone call to Antarctica having been made, I decided to do something about it.

My home network now consists of my D-Link wireless router put into bridge mode, with pretty much all services turned off on the thing.

My internal network is 10.12.0.0/16. I plan to sub-divide this address space later, but for now I’m keeping it in one big heap until I set up my servers and want to separate them further from the wireless workstations. For that reason I’m keeping my setup pretty simple, with everything in a 10.12.1.0/24 space.

Anyway, I’m doing what I should have done a long, long time ago: I’ve set up iptables to block all traffic (except ICMP for now, and SSH inbound).

I’m going a bit lighter on resources on this cheap little router (the Fit-PC), so I’m using dnsmasq for both DNS and DHCP.

Plans for the future: I want a pool of IPv6 addresses that my DHCP server can assign, and to make them publicly addressable through some IPv6 trunk somewhere. That’d be pretty sick.