alex91

DNS resolution issue, possible filtering?

Hello!

I recently faced a weird DNS resolution issue. It seemed to start after I switched from an old white cable modem to a new black one, but I'm not entirely sure.

 

My employer has some publicly hosted DNS records that point to their internal network IPs, which I use when I connect to the VPN. For example, backlog.semrush.net, which resolves to 10.101.3.2 (https://who.is/dns/backlog.semrush.net). When I try to resolve it from my home network, I get this:

$ nslookup backlog.semrush.net
;; connection timed out; no servers could be reached

When I use any other internet connection (cellphone wifi hotspot, for example), it works fine

$ nslookup backlog.semrush.net
Server: 8.8.8.8
Address: 8.8.8.8#53

Non-authoritative answer:
Name: backlog.semrush.net
Address: 10.101.3.2

 

All other domain names resolve fine as well (and the internet connection in general does not have problems). The issue seems to be just with DNS records that point to private networks (10.0.0.0/8).

The DNS servers I use seem to be irrelevant. I tried a dozen (ISP-assigned, 8.8.8.8, 1.1.1.1, 9.9.9.9, and a bunch of more obscure ones) but none seem to work.

This used to work before; the only change I made was replacing the modem.

tobiastheebe


DNS rebind protection may cause this behavior. However, this is usually configured on a DNS forwarder within the LAN, while Ziggo's modem routers distribute public DNS servers by DHCP. Also, setting up DNS servers on the local host would circumvent this protection.

 

Does disabling the eRouter firewall on the modem (temporarily!) make a difference? Firewall settings may be altered on the Advanced settings, Security, Firewall page after logging in to the modem's web interface at 192.168.178.1.

 

I just attempted resolving the domain on both my PC behind my Ziggo connection (UBC1318ZG in bridge mode + ER-4 w/ dnsmasq, round-robin forwarding to 1.1.1.1 and 8.8.8.8) and an access point behind the Ziggo connection at a different location (via SSH, CH7465LG-ZG in router mode, 'Firewall protection' only, access point statically configured to use 1.1.1.1 and 8.8.8.8). No nslookup issues in either case.

Karel.


I have a FRITZ!Box 6690 Cable as modem/router and a Pi-hole set up locally as a recursive DNS server. I tried your problem: DNS servers like 1.1.1.1 and 8.8.8.8 can resolve it, but my Pi-hole can’t.

 

pi@Raspi3B:~ $ nslookup backlog.semrush.net 1.1.1.1
Server: 1.1.1.1
Address: 1.1.1.1#53

Non-authoritative answer:
Name: backlog.semrush.net
Address: 10.101.3.2

 

pi@Raspi3B:~ $ nslookup backlog.semrush.net 2606:4700:4700::1111
Server: 2606:4700:4700::1111
Address: 2606:4700:4700::1111#53

Non-authoritative answer:
Name: backlog.semrush.net
Address: 10.101.3.2

 

pi@Raspi3B:~ $ nslookup backlog.semrush.net 192.168.178.152
Server: 192.168.178.152
Address: 192.168.178.152#53

Non-authoritative answer:
*** Can't find backlog.semrush.net: No answer

 

pi@Raspi3B:~ $ nslookup backlog.semrush.net
Server: fd00::c390:9896:edce:7a54
Address: fd00::c390:9896:edce:7a54#53

Non-authoritative answer:
*** Can't find backlog.semrush.net: No answer

 

Results on Ziggo DNS servers:

pi@Raspi3B:~ $ nslookup backlog.semrush.net 84.116.46.22
Server: 84.116.46.22
Address: 84.116.46.22#53

Non-authoritative answer:
Name: backlog.semrush.net
Address: 10.101.3.2

 

pi@Raspi3B:~ $ nslookup backlog.semrush.net 84.116.46.23
Server: 84.116.46.23
Address: 84.116.46.23#53

Non-authoritative answer:
Name: backlog.semrush.net
Address: 10.101.3.2

 

efok


This is the second case reporting this. 
https://community.ziggo.nl/t5/Internet/Resolven-interne-IP-adressen-werkt-niet/m-p/1124703#M191588

 

I think it needs further investigation. I’ll have a look when I’m at home.

efok


It resolves fine with the Ziggo DNS servers used by my router (with bridged ubee1318)

S4R


1318ZG in Bridge

172.16.10.41 is Pi-hole with Unbound

172.16.10.43 is Adguard

 

[Image: S4R_0-1674852613620.png]

 

Karel.


If I comment out private-address: 10.0.0.0/8 in /etc/unbound/unbound.conf.d/pi-hole.conf and thereby bypass Unbound's DNS rebind protection, then my Pi-hole resolves fine. The issue looks to be caused by the topic starter's new modem.
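
As an added illustration (not part of Karel.'s post and not Unbound's own code), here is a simplified Python model of what a resolver's rebind filter does with the answers in this thread, and how exempting a single domain, which Unbound supports through its `private-domain:` option, keeps the filter active for every other name instead of commenting out `private-address:` entirely. The function names, the range list and the second sample record are assumptions made for the example.

```python
import ipaddress

# Ranges treated as private, mirroring typical `private-address:` lines
# (RFC 1918 plus IPv6 ULA). Assumed list for this example.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fd00::/8")]


def is_private(addr):
    """True if addr falls inside one of the configured private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip.version == net.version and ip in net for net in PRIVATE_NETS)


def domain_exempt(qname, private_domains):
    """True if qname equals, or is a subdomain of, an exempted domain."""
    name = qname.rstrip(".").lower()
    for dom in private_domains:
        dom = dom.rstrip(".").lower()
        # Match on a label boundary so "evilsemrush.net" is not exempted.
        if name == dom or name.endswith("." + dom):
            return True
    return False


def filter_answer(qname, addresses, private_domains=()):
    """Return (kept, stripped) address lists, as a rebind filter would."""
    if domain_exempt(qname, private_domains):
        return list(addresses), []
    kept = [a for a in addresses if not is_private(a)]
    stripped = [a for a in addresses if is_private(a)]
    return kept, stripped


# Constructed sample answers; the first record is the one from this thread,
# the second is a made-up name mixing a private and a public address.
SAMPLES = {
    "backlog.semrush.net": ["10.101.3.2"],
    "rebind.example.test": ["192.168.178.1", "203.0.113.7"],
}

if __name__ == "__main__":
    for allow in ((), ("semrush.net",)):
        print("private-domain:", ", ".join(allow) or "none")
        for name, addrs in SAMPLES.items():
            kept, stripped = filter_answer(name, addrs, allow)
            status = ", ".join(kept) if kept else "No answer"
            print(f"  {name}: {status} (stripped: {stripped})")
```

With no exemption the thread's record comes back empty, which matches the "No answer" the Pi-hole returned; with `semrush.net` exempted it resolves while the private address in the unrelated name is still stripped.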

alex91
Topic starter (accepted solution)

Thank you all for the suggestions, I appreciate your help!

 

@tobiastheebe Disabling firewall protection in the modem didn't change anything, unfortunately. It was enabled in the old modem and that didn't cause problems.

 

@efok yes, that other user seems to have exactly the same problem as I do. I asked a couple of my coworkers who use Ziggo at home, and people with black Sagem modems have the same issue as well.

 

For now as a workaround I put the domains I use in my local /etc/hosts, but it's not very convenient because our IT-department may move stuff around and change IP addresses without notifying us (well, that's what DNS is for, when it works).

 

I guess the next thing I'll try is to set up a local DNS server on my Raspberry Pi. But I doubt it would work without encrypting outgoing connections.

mvgijssel


Running into the exact same issue where the DNS resolution of private IP addresses is timing out. Documented all the steps I took to debug this here https://github.com/mvgijssel/setup/issues/168. It could be dns rebind protection or hairpinning, but it started happening when we got the Sagemcom F3896LG modem. 

tobiastheebe


@mvgijssel Since you are using your own router (USG), having the modem configured in bridge mode (by filling out this form, for example) should resolve this issue. Using bridge mode is recommended anyway when using a separate router.

mvgijssel


Thanks for the quick reply @tobiastheebe! I thought I already had that setup, nevertheless I'll submit the form and see if this makes a difference and post back here!  

tobiastheebe


The screenshots posted to your GitHub issue indicate that the modem is in router mode.

mvgijssel


Ah sweet, then hopefully this change will fix it! Submitted the request for bridge mode, eagerly awaiting what will happen. For now I can stop pulling my hair out 🤣

mvgijssel


Works! Setting the modem in bridge mode now enables me to ping DNS names containing private IPs like `lvh.me`! Thanks for all the help @tobiastheebe ❤️
