Re: DNS issue affecting gnu.org (and subdomains)
From: Bob Proulx
Subject: Re: DNS issue affecting gnu.org (and subdomains)
Date: Sat, 25 Mar 2023 15:05:44 -0600
Eli Zaretskii wrote:
> > Ar Rakin wrote:
> > $ host gnu.org
> > ;; connection timed out; no servers could be reached
> You will find the information here:
>
> https://hostux.social/@fsfstatus
>
> That place is always good to look at when such issues occur.
+1 for the https://hostux.social/@fsfstatus status page. The FSF
sysadmins post information there (sometimes terse) when there are
problems seen that affect systems. It's something everyone should
bookmark where they can find it easily.
> $ host gnu.org 8.8.8.8
> [...]
> Host gnu.org not found: 2(SERVFAIL)
>
> Nope, Google's resolver can't resolve gnu.org either.
The authoritative nameservers (a fancy title for the upstream ones)
are getting DDoS'd off the net. Which means that all resolution by
downstream nameservers, even Google ones, is timing out.
This is compounded by the very short 300 second TTL on the gnu.org
records, which means that even if a lookup is successful it can only
be cached for five minutes and then discarded. Upon which then it needs to be
looked up again and the query will have to fight its way through the
DDoS in a mixed martial arts cage fight arena to get the data again.
> How about, making the same queries on a VPS in the US:
>
> $ host gnu.org
> gnu.org has address 209.51.188.116
> gnu.org has IPv6 address 2001:470:142:5::116
> Host gnu.org not found: 2(SERVFAIL)
>
> Hmm, that worked, just, but it was very slow (~ 8 secs).
The nameservers are overwhelmed making them slow to respond. And then
additionally I am seeing a very high packet loss across the network
into the Boston machines. That high packet loss means retries at the
network protocol level making things slow. I have seen 30-45 seconds
on average here looking up DNS for a while.
> $ host gnu.org 8.8.8.8
> [...]
> Host gnu.org not found: 2(SERVFAIL)
>
> Google's resolver fails again.
There is really nothing special about the Google resolver. If the
upstream ns*.gnu.org nameservers can't receive and can't send data
then gnu.org names cannot be resolved.
> I fetch from git.sv.gnu.org every 30 minutes and the fetch began to
> fail two days ago (on 23rd March) at around 10pm GMT. It has been
> failing much more often than not since then.
Yes. That's about when the attack started. I assume it is an
attack. That's what sysadmin said about it. I have no special
ability to observe this particular attack and am suffering through the
packet loss of it along with the rest of you.
Bob
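
The interaction between the 300 second TTL and an unreachable authoritative server, described in the message above, can be seen in a small model. This is an added example, not part of the original message. The 90% loss rate, the 60 second client interval, the three retries and the longer TTLs used for comparison are all assumptions.

```python
import random

def simulate(ttl, loss, duration=86400, query_every=60, retries=3, seed=1):
    """Model one caching resolver in front of overloaded authoritative servers.

    ttl         record TTL in seconds (300 is the gnu.org value from the post)
    loss        assumed probability that one upstream query gets no answer
    query_every assumed interval between client lookups, in seconds
    retries     assumed upstream attempts per cache miss
    Returns (fraction of client lookups answered, upstream queries sent).
    """
    rng = random.Random(seed)      # fixed seed: repeatable constructed run
    expires = -1                   # time until which the cached answer is valid
    answered = upstream = total = 0
    for now in range(0, duration, query_every):
        total += 1
        if now < expires:          # cache hit, authoritative servers not needed
            answered += 1
            continue
        for _ in range(retries):   # cache miss: must get through the flood
            upstream += 1
            if rng.random() >= loss:
                expires = now + ttl
                answered += 1
                break
    return answered / total, upstream

if __name__ == "__main__":
    # Constructed comparison: the page's TTL next to two assumed longer ones.
    for ttl in (300, 3600, 86400):
        ok, sent = simulate(ttl, loss=0.9)
        print(f"TTL {ttl:>5}s: {ok:6.1%} of lookups answered, {sent} upstream queries")
```

In this model a short TTL both lowers the share of lookups that succeed during the outage and sends more queries toward servers that are already overwhelmed.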