From: Michael Sierchio
To: "Don O'Neil"
Cc: freebsd-questions@freebsd.org
Date: Mon, 1 Apr 2013 07:23:13 -0700
Subject: Re: Problems with IPFW causing failed DNS and FTP sessions

Okay, what's your DNS setup? Are you running a recursive cache that contacts the root servers directly? Using your ISP's servers? Etc.

As a mitigation step, I tried pointing my caches to 8.8.8.8 and 8.8.4.4, but it turns out that Google is intentionally blocking (returning NX responses to) many netblocks right now because they contain hosts known to be part of the botnet in the DDoS DNS amplification attack.

I'm mirroring the root zone everywhere I have a cache, and it's helping.