CafePress DNS/Whois Issues

#1 TLE (Full Member; Southern California; 338 posts; joined January 21st, 2005)
    Thanks Haiko for the supportive words, it was clear all along that CP had removed the thread :-)


    Where We're At

    According to the whois cache at domaintools, CP started using EveryDNS's nameservers for secondary DNS service on 12/23/06, shortly after the occurrence of the DoS issue.

    My assumption is that CP has the objective of using its own DNS servers (ns1.cafepress.com) as the primary nameserver and perhaps ns2.cafepress.com as a secondary ns, although ns2 is currently up but not responding to queries for any domain. EveryDNS is to provide secondary dns services, via its four name servers.


    Issues & Resolutions

    1) CafePress nameservers are NOT talking to EveryDNS's ns - serial #s disagree

    In summary, except for the first time CP's ns talked (zone transfer) to EveryDNS's ns, CP's servers have not allowed EveryDNS's servers to retrieve updates from CP's servers.

    The serial #, in the SOA part of a domain's DNS records, is a way to keep track of the "version" of the DNS records. In CP's case, the serial # is incremented by 1 every time a change is detected on CP's servers.

    So, from the current SOA record we can see that CP has changed its DNS records 33 times (664-631) since it was originally updated to EveryDNS's servers in December, which still show a serial # of 631.

    Resolution: Just undo whatever was done right after the initial zone transfer. My instinct tells me that CP is running MS DNS, in which case there's a well known DNS issue where CP will have to set their DNS to allow transfer from any host (since MS can't selectively do this for subnets).

    This issue is of primary importance as I do not believe CP realizes the nature of the issue and the simple resolution, and trying out everything else to get this correct will just prolong the agony.


    2) Open DNS Server

    This is very, very bad, especially in light of the marketing message that came out in response to the DoS issue. If CP is serious about preventing/mitigating any DoS attack (much less being a conduit for one) then this should be resolved now.

    Resolution: http://private.dnsstuff.com/info/opendns.htm


    3) Missing/Stealth Nameservers

    Each nameserver listed in your whois should have (RFC 2181) a corresponding NS record in your DNS records. CP has NS records for ns2.cafepress.com, ns2.everydns.net, ns3.everydns.net, & ns4.everydns.net in their DNS records but is not listing these servers in the whois. Hence these four servers are not / will not be receiving any query from the public, negating their redundancy.

    Resolution: Add ns2.cafepress.com, ns2.everydns.net, ns3.everydns.net, & ns4.everydns.net as nameservers to CP's whois at netsol.


    4) SOA refresh value

    CP's nameservers are currently configured to update each other every two minutes. It's recommended that this be set at a minimum of 60 minutes. By itself, this is not a major issue, but using EveryDNS's network with this value is considered impolite (although David does break RFC 1034 to accommodate situations like this).

    Resolution: Set your SOA refresh to 3600 (minimum)

    BTW, with all the redundant fail-safe intentions in mind, why not increase the expire to something longer than 1 day, like 21 days? In this case, CafePress.com goes on even if your servers are down for a day.

    Finally, I have been a loyal and satisfied user of EveryDNS for years, so there's more meaning here for me than the usual issues. In all these years, any DNS change on my server has been propagated through EveryDNS's servers by the fifth minute of the following hour, and this is one of the more incredible pieces of reliability I have experienced on the net.

    Tuan
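
The four checks above (serial agreement, open recursion, whois vs. zone NS set, SOA timers), written out as an added example. This is not code from the thread, from CafePress or from EveryDNS; it runs offline over constructed records that mirror the situation described (serial 664 vs. 631, a 120-second refresh, a one-day expire, four NS records missing from the delegation). The hostnames come from the post; the SOA values, the DNS header bytes and the 21-day "fixed" SOA are assumptions for illustration. In practice the SOA records would be fetched with a separate query to each server (e.g. dig @ns1.everydns.net cafepress.com SOA) and the open-resolver probe would be a recursive query for a name the server is not authoritative for, which is also what the dnsreport tests quoted later in the thread do.

```python
"""Offline checks for the four delegation problems described in the post.

Added example, not from the thread or from CafePress/EveryDNS. All records
below are CONSTRUCTED to mirror the situation described; no live DNS
queries are made. Hostnames are taken from the post.
"""
import struct
from dataclasses import dataclass

# RFC 1912 section 2.2 recommended ranges, in seconds.
REFRESH_RANGE = (1200, 43200)       # 20 minutes to 12 hours
EXPIRE_RANGE = (1209600, 2419200)   # 2 to 4 weeks


@dataclass(frozen=True)
class SOA:
    mname: str
    serial: int
    refresh: int
    retry: int
    expire: int
    minimum: int


def check_serials(soa_by_server):
    """Issue 1: every server in the NS set should serve the same SOA serial.

    Returns the (server, serial) pairs that lag behind the newest serial,
    i.e. secondaries whose zone transfers (AXFR/IXFR) are not succeeding.
    """
    newest = max(soa.serial for soa in soa_by_server.values())
    return sorted((srv, soa.serial) for srv, soa in soa_by_server.items()
                  if soa.serial != newest)


def check_ns_consistency(delegation_ns, zone_ns):
    """Issue 3: RFC 2181 section 7 expects the parent's delegation NS set and
    the NS RRset at the zone apex to match.

    Returns (stealth, missing): stealth servers are in the zone but not
    delegated, so resolvers never learn of them and they add no redundancy;
    missing servers are delegated but absent from the zone's own NS RRset.
    """
    delegated = {n.lower().rstrip(".") for n in delegation_ns}
    in_zone = {n.lower().rstrip(".") for n in zone_ns}
    return sorted(in_zone - delegated), sorted(delegated - in_zone)


def check_timers(soa):
    """Issue 4 and the expire remark: compare SOA timers against RFC 1912."""
    problems = []
    if not REFRESH_RANGE[0] <= soa.refresh <= REFRESH_RANGE[1]:
        problems.append(f"refresh {soa.refresh}s outside {REFRESH_RANGE}")
    if soa.retry >= soa.refresh:
        problems.append(f"retry {soa.retry}s should be shorter than refresh")
    if not EXPIRE_RANGE[0] <= soa.expire <= EXPIRE_RANGE[1]:
        problems.append(f"expire {soa.expire}s outside {EXPIRE_RANGE}")
    return problems


def is_open_recursive(response):
    """Issue 2: decide from a raw DNS response whether the server recursed
    for a name it is not authoritative for.

    A reply to a foreign name with QR=1, RA=1, AA=0, RCODE=0 and at least one
    answer RR means the server acted as an open resolver, the classic
    reflection/amplification conduit. RA alone is not conclusive (a server may
    advertise RA and still REFUSE), hence the RCODE and answer-count checks.
    Only the 12-byte header is parsed (RFC 1035 section 4.1.1).
    """
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    _id, flags, _qd, ancount, _ns, _ar = struct.unpack("!6H", response[:12])
    qr = (flags >> 15) & 1
    aa = (flags >> 10) & 1
    ra = (flags >> 7) & 1
    rcode = flags & 0xF
    return bool(qr and ra and not aa and rcode == 0 and ancount > 0)


# --- constructed sample data (assumed values, shaped like the post) ----------
CP_SOAS = {
    "ns1.cafepress.com": SOA("ns1.cafepress.com", 664, 120, 60, 86400, 3600),
    "ns1.everydns.net": SOA("ns1.cafepress.com", 631, 120, 60, 86400, 3600),
}
DELEGATION_NS = ["ns1.cafepress.com", "ns1.everydns.net"]   # listed in whois
ZONE_NS = DELEGATION_NS + ["ns2.cafepress.com", "ns2.everydns.net",
                           "ns3.everydns.net", "ns4.everydns.net"]
FIXED_SOA = SOA("ns1.cafepress.com", 668, 3600, 900, 1814400, 3600)  # 21-day expire

# Header only: id, flags, qdcount, ancount, nscount, arcount.
OPEN_RESOLVER_REPLY = struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0)  # QR RD RA, NOERROR
REFUSED_REPLY = struct.pack("!6H", 0x1234, 0x8105, 1, 0, 0, 0)        # QR RD, REFUSED

if __name__ == "__main__":
    print("lagging secondaries:", check_serials(CP_SOAS))
    print("stealth / missing NS:", check_ns_consistency(DELEGATION_NS, ZONE_NS))
    print("timer problems (before):", check_timers(CP_SOAS["ns1.cafepress.com"]))
    print("timer problems (after):", check_timers(FIXED_SOA))
    print("open resolver?", is_open_recursive(OPEN_RESOLVER_REPLY),
          is_open_recursive(REFUSED_REPLY))
```

Run it and the lagging secondary, the four stealth servers, the out-of-range refresh and expire, and the open-resolver verdict each come back as a value rather than as a screenshot, which is what makes the checks easy to repeat after each fix.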

#2 Sheri (ABW Ambassador; Kansas; 531 posts; joined February 17th, 2005)
    Ok, so help a not-so-tech-savvy girl out here.

    If I have a Cafe Press shop, what does all of this mean?

    Sheri

#3 TLE (Full Member; Southern California; 338 posts; joined January 21st, 2005)
    (1) was resolved as of noon yesterday and the serial # currently matches at 664.

    2-4 remain, especially 2.

    In addition, ns2.cafepress.com is still not responding to queries and gateway.cafepress.com (CP's email server) has been going down at least once per day over the last few days (w/out a backup email server).

    Tuan

#4 Rhea (Troll Killer and best Snooper! I decide when the pigs fly!; New York, USA; 6,195 posts; joined January 18th, 2005)
    Tuan, have you given this info to anyone at CP directly? Coz I don't think anyone from there visits here much.
    Although they SHOULD.

#5 TLE (Full Member; Southern California; 338 posts; joined January 21st, 2005)
    Hi Rhea,

    No, although I had dinner w/ loxly last nite and thought about bringing it up until I found out she's no longer an employee of CP.

    IMO, they saw/bit on this post with (1) being fixed as the sign. They have been trying to resolve that for awhile now so it may have been coincidental that they'd resolved it within a couple days of my post.

    Tuan

#6 Billy Kay (The slot machine that IS paid!; Small Town in Tennessee; 5,226 posts; joined January 18th, 2005)
    Quote Originally Posted by TLE:
        No, although I had dinner w/ loxly last nite...
    (My son says thanks also Tuan - I owe ya one)

#7 TLE (Full Member; Southern California; 338 posts; joined January 21st, 2005)
    Nothing owed at all Billy, it was a pleasure for my wife and me to have had dinner with loxly and your son. Kind of interesting for me as I was 13 when I emigrated to the States.

    Pictures didn't come out very well but at least you can keep it for posterity.

    Back to the issue at hand, the serial # disagrees again, although I have a feeling this will be manually resolved tomorrow.

    Tuan

#8 http and a telephoto (NYC; 17,708 posts; joined January 18th, 2005)
    Quote Originally Posted by TLE:
        Hi Rhea,

        No, although I had dinner w/ loxly last nite and thought about bringing it up until I found out she's no longer an employee of CP.

    We had a great time. Thank you again, and can't wait until you come back to Vegas.
    Deborah Carney
    TeamLoxly.com BookGoodies.com ABCsPlus.com

#9 TLE (Full Member; Southern California; 338 posts; joined January 21st, 2005)
    Thanks Debbie.

    Wendy and I enjoyed your wonderful company. We'll split a rare Chateaubriand next time :-)

    Tuan

#10 http and a telephoto (NYC; 17,708 posts; joined January 18th, 2005)
    It's a deal!!!!!
    Deborah Carney
    TeamLoxly.com BookGoodies.com ABCsPlus.com

#11 TLE (Full Member; Southern California; 338 posts; joined January 21st, 2005)
    I'd taken this weekend to read through CP's forums and I'm going to take a shot at getting this resolved within the next couple of weeks, less pain for all if it's before the summit. At the least, my observations of the facts and my subjective speculations will be documented, professional courtesies aside.

    In a way, I wish I hadn't seen the original "Cafepress gone?" thread, since I have very minimal business with CP. On the other hand, there's clearly a large population of CP merchants (mostly individuals) who very much rely on CP to provide a stable platform along with timely & accurate communications.

    IMO, in regards to the ongoing DNS/whois issue from December, the CP community deserves a higher level of truthfulness and respect from CP's management in their communications.

    To start, CP's posting about the January 8th primary/secondary DNS shuffle:

    "We had some issue with our primary dns provider, causing our site to be unavailable for some users. We caught the issue within 15 minutes and have since resolved this."


    Facts:

    1. CP has two effective DNS servers, ns1.cafepress.com & ns1.everydns.net; these are listed in the whois.
    2. ns1.cafepress.com is designated as the primary server, from which the secondary server ns1.everydns.net receives periodic updates. Both servers provide name resolution services for cafepress.com.
    3. On 1/8/07, cafepress.com's DNS configuration at EveryDNS was changed from secondary to primary name servers, without any information as to what the DNS data is for the EveryDNS (to be) primary name server. Hence the default "domain not configured" error message from EveryDNS.

    Analysis:

    "We had some issue with our primary dns provider..." is misleading in that the issue was initiated by CafePress by a careless change in CP's configuration at EveryDNS. Below is a screen capture of the admin form at EveryDNS for such a change; someone had just filled in the (basic) box and hit the submit button.

    As an analogy, CP's statement is similar to someone blaming their future landlord for mail being returned from their future home after they had sent in the mail forwarding request to the post office but before the move was made.

    TBC

#12 TLE (Full Member; Southern California; 338 posts; joined January 21st, 2005)
    I had posted on CP's board earlier this week with a request for them to return to ABW to address these issues.

    The post was removed and Angela L, CP's Community Advocate, wrote me a courteous email with a note that ALL dns/whois issues (including any current issue) are considered part of the pending DDoS investigation, and not open for discussion.

    In response, I had written her this email yesterday:
    Thanks for the run down Angela, I sincerely appreciate it and respectfully disagree with the premise that CP's current Whois/DNS issues are related to the announced December DDoS event.

    IMO, the current incorrect DNS/Whois setup presents an immediate & ongoing reliability issue to CP, and is completely irrelevant to any possible investigative method for a DDoS incident.

    Community Advocate, perhaps we have the same objective.

    The CP community deserves a stable & secure platform along with timely and accurate communications. When no communication is possible, then no communication should be made, and not ad-hoc incorrect/misleading communication.

    My only objective is to have the errors on this page cleared out TODAY:
    http://www.dnsreport.com/tools/dnsre...=cafepress.com

    You can either:

    a) Seek more competent help.
    b) Post here http://member.dnsstuff.com/forums/forumdisplay.php?f=6
    c) Implement the solutions I'd outlined at ABW.

    Thanks again for your explanation Angela, it also explains why Warren had deleted my post in regards to CP's Whois transfer to Jordan.

    BTW, I am not a CP affiliate and my CP store balance has been less than $10 for the last 5 years. My motives in pursuing this issue are purely altruistic towards the CP Community.

    Tuan

    On the positive side, issue (4) was resolved after 5PM yesterday:
    DNSreport for cafepress.com generated by www.dnsreport.com at 2007-01-18 02:52:23 GMT.

    The status of DNSreport Test:

    SOA REFRESH value has changed from FAIL to PASS.

    OK. Your SOA REFRESH interval is : 3600 seconds. This seems normal (about 3600-7200 seconds is good if not using DNS NOTIFY; RFC1912 2.2 recommends a value between 1200 to 43200 seconds (20 minutes to 12 hours)). This value determines how often secondary/slave nameservers check with the master for updates.

    On the other hand, the major security issue with (2) remains and this will be outlined in my next write up.

    BTW and to note, Serial 664-667 change on ns1.cafepress.com was to take out ns2.cafepress.com, so looks like this server is retiring.

    The current 668 version reflects the change in SOA refresh to conform with the recommended range.

    TBC
