jimmyjames1
Level 2: Rookie

Telstra cable and NBN connections blocking access to hosted server at Zettagrid

Hi Crowdsupport,

 

I have a server hosted in Zettagrid. I am finding when I go to any clients premises that have a new or recently deployed Telstra cable or NBN plan that I can't access or even ping my Zettagrid public IP. I don't get any issues with standard Telstra ADSL accounts or clients who have been on Telstra cable for ages (appears more prevalent with NBN accounts).

 

Strangely when I ping the fqdn of my server from the Telstra cable/NBN sites that I have the issue with, the reply address IP is 61.9.134.114 which appears to be a Telstra DNS address??

 

I'm wondering, is my server on a blacklist, is this something like Telstra Parental Controls blocking my server? How can I resolve this issue?

 

Many thanks,

 

Kind regards

Aaron

 

 

11 REPLIES 11
Level 25: The Singularity

Re: Telstra cable and NBN connections blocking access to hosted server at Zettagrid

First step would be to contact Zettagrid. We can't tell if your server is blacklisted because we have no details about it and therefore can't check. If it was Telstra Parental Controls blocking it, you should be able to tell by the error message.
Never be afraid to back yourself when trying new things, just always make sure you have 3 escape routes if things go wrong.
jimmyjames1
Level 2: Rookie

Re: Telstra cable and NBN connections blocking access to hosted server at Zettagrid

Many thanks for your reply, I've also opened a ticket with Zettagrid to check their end. I checked my IP against the mxtoolbox blacklist checker, there's no listing of my Zettagrid public IP on it. So, doesn't appear to be a blacklist issue as far as I can tell.

It's just really odd that it only happens on Telstra cable and NBN sites and no other Telstra plans like ADSL or Telstra business plans.
slipmat
Level 3: Gumshoe

Re: Telstra cable and NBN connections blocking access to hosted server at Zettagrid

Hi

I have the same issue with a server hosted by Netregistry. I don't know if it is related to Broadband Protect (which I am unable to turn off, only lower the protection) but I have not asked for any kind of filtering or manipulation of DNS traffic on my broadband service, blacklist or no.

This suspiciously started after a change (outage) some customers were notified of last Wednesday.

I have contacted Netregistry, their advice was to speak to Telstra. That was an extremely painful experience being asked to factory reset my modem and saying things like "Telstra do not support DNS" or "we're not trained on it", and if I wanted help I have to pay for premium support.

DNS is a fundamental part of an internet service, customer support need to understand it. Even if it means they can figure out if an issue is related to something like Broadband Protect. Or the NBN change last Wednesday.

Also if I were implementing a DNS hijacking service like this, I would at least host a response page for hijacked requests so my customers know why stuff is not working.

------------------------------------------------

Default Server: mygateway
Address: 10.0.0.138

> cp101.ezyreg.com
Server: mygateway
Address: 10.0.0.138

Non-authoritative answer:
Name: cp101.ezyreg.com
Addresses: 2001:8002:e41:f002::f5ff
61.9.211.50

> server 61.9.211.33
Default Server: dns-cust.cha.bigpond.net.au
Address: 61.9.211.33

> cp101.ezyreg.com
Server: dns-cust.cha.bigpond.net.au
Address: 61.9.211.33

Non-authoritative answer:
Name: cp101.ezyreg.com
Addresses: 2001:8002:e41:f002::f5ff
61.9.211.50

> server 8.8.8.8
Default Server: google-public-dns-a.google.com
Address: 8.8.8.8

> cp101.ezyreg.com
Server: google-public-dns-a.google.com
Address: 8.8.8.8

Non-authoritative answer:
Name: cp101.ezyreg.com
Address: 27.121.64.101
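
Added example, not part of any post in this thread: a small Python parser for an interactive nslookup transcript like the one above, which groups answers by resolver and flags names whose answers share no address with a chosen reference resolver. The function names are hypothetical, and disjoint answers are only a prompt to investigate, since geo-DNS and CDNs can also return different addresses per resolver.

```python
import ipaddress
from collections import defaultdict

# Condensed from the nslookup session posted above (page data, blank lines dropped).
TRANSCRIPT = """\
> cp101.ezyreg.com
Server: mygateway
Address: 10.0.0.138
Name: cp101.ezyreg.com
Addresses: 2001:8002:e41:f002::f5ff
61.9.211.50
> server 8.8.8.8
Address: 8.8.8.8
> cp101.ezyreg.com
Server: google-public-dns-a.google.com
Address: 8.8.8.8
Name: cp101.ezyreg.com
Address: 27.121.64.101
"""

def parse_nslookup(text):
    """Return {queried name: {resolver address: set of answer addresses}}."""
    results = defaultdict(dict)
    name, resolver, in_answer = None, None, False
    for line in map(str.strip, text.splitlines()):
        if line.startswith("> "):
            query = line[2:].strip()
            # "> server X" switches resolver; its banner addresses are skipped.
            name, in_answer = (None if query.startswith("server ") else query), False
        elif line.startswith("Name:"):
            in_answer = True
        elif name is not None:
            value = line.partition(": ")[2] if line.startswith("Address") else line
            try:
                ip = str(ipaddress.ip_address(value))
            except ValueError:
                continue  # not an address line, e.g. "Server: mygateway"
            if in_answer:
                results[name].setdefault(resolver, set()).add(ip)
            else:
                resolver = ip
    return results

def divergent(results, reference):
    """Per name, resolvers whose answers share no address with the reference's."""
    flagged = {}
    for name, by_resolver in results.items():
        ref = by_resolver.get(reference, set())
        flagged[name] = {r: sorted(a) for r, a in by_resolver.items() if ref and not a & ref}
    return {name: odd for name, odd in flagged.items() if odd}
```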
Level 21: Augmented

Re: Telstra cable and NBN connections blocking access to hosted server at Zettagrid

First of all, the ping test is absolute crap - most security conscious IT admins block ICMP nowadays...
Second, unless you are willing to tell us what your site is we cannot do anything about it since we cannot test or investigate it.
Third, mxtoolbox is not a bad site, but did you try to check your site on virustotal? That's a site many use as their source of blocking...
DISCLAIMER: I do not work for Telstra or any other ISP. I never did. I have wealth of practical knowledge in Computer Security and Forensic Computing. I have been in the field since 1985.

Likes (formerly Kudos) and solutions are appreciated!!!
The comments expressed by me reflect my user experience and personal opinion.
Level 24: Supreme Being

Re: Telstra cable and NBN connections blocking access to hosted server at Zettagrid

@slipmat

You'll find that that's one of Telstra Broadband Protect's web protection proxies getting returned.
I am a Premium Services Support Consultant (Telstra Platinum, Telstra Smart Home, Locator/Device Locator and Neto POS). However, I am not an official representative on CrowdSupport.

IT Helpdesk and Technical Support by Telstra Platinum
Smart Home Automation & Monitoring from Telstra
Helping Australians Find the Things that Matter Most with Telstra Locator
Run a Modern Retail Business with Neto Point of Sale
slipmat
Level 3: Gumshoe

Re: Telstra cable and NBN connections blocking access to hosted server at Zettagrid

Why would you say a ping test is crap? The first thing it does is test DNS resolution (or your cache) which identified what the issue was, the fact that it gets no response is just a result of the DNS rewrite.

 

ICMP still has its place on the internet, most security pros block it where it presents a threat (like reconnaissance or covert channels).

slipmat
Level 3: Gumshoe

Re: Telstra cable and NBN connections blocking access to hosted server at Zettagrid

Thanks, I thought so.

How do we get this fixed, other than using Google DNS (and bypassing Broadband Protect)?

The affected fqdn is a shared cPanel host, we have no control over its content. Using it is a dependency for secure IMAP/SMTP, and Broadband Protect is now interfering with our internet service.

Cheers.
Level 24: Supreme Being

Re: Telstra cable and NBN connections blocking access to hosted server at Zettagrid

You can get in touch with TBP Tech Support (133933 or 13 22 00 and say Security Support) or billing who should be able to remove it off your account.
jimmyjames1
Level 2: Rookie

Re: Telstra cable and NBN connections blocking access to hosted server at Zettagrid

I've started implementing SSL/HTTPS on my Zettagrid server for services (over ports 80 and 443). I've also added a PTR/rDNS record for my fqdn. This seems to be having the desired effect and I can now access some of my resources at the problematic Telstra NBN sites. I've got a few more resources to migrate to SSL/HTTPS, hopefully this works for everything. Perhaps Telstra Broadband Protect is set to block sites it thinks are insecure (not sure)?
Level 25: The Singularity

Re: Telstra cable and NBN connections blocking access to hosted server at Zettagrid

You'll find that the browsers themselves are also starting to block access to sites that haven't implemented HTTPS (Google Chrome, especially), so it's not just things like Telstra Broadband Protect that you need to consider in that regard.

slipmat
Level 3: Gumshoe

Re: Telstra cable and NBN connections blocking access to hosted server at Zettagrid

Thanks @Yastiandrie

 

Seems this is a common issue with TBP and support staff have no idea what is happening: https://crowdsupport.telstra.com.au/t5/Home-Broadband/DNS-Resolution-Issue/m-p/756245

 

I attempted to lower my TBP protection which seems to have resulted in the DNS still in place but access to the site unfiltered, via the hijacked IP which I assume is a TBP transparent proxy - this works for ports 80 and 443 but no other service running on the host i.e. IMAP/POP/SMTP (+TLS). At the very least, the TBP proxy must forward non-web protocols rather than block them.

 

I was contacted by the back-end team who stated the host needs to be considered 'clean' by VirusTotal before access will be unblocked, which is a failure for the service to provide protection without implicitly denying legitimate access. We have no control over the content other customers are hosting on the shared service, that is the nature of shared hosting. This detection is a false positive and in its current state TBP is denying service for all Telstra customers that also utilise such hosting services.

 

I think some broad assumptions have been made during the TBP design process without consideration of the effect it has on the service provided to customers:

  • Using VirusTotal as a sole method to determine a site's disposition
    • Both free and paid reputation services are available
  • Filtering an entire host based on the above disposition
    • e.g. if http://host/~badcustomer/content/exploit-kit is malicious, don't deny access to http://host/~goodcustomer/content/benign.html
    • This can be challenging for TLS content, is the current implementation fit for purpose??
  • Not providing a response for proxied connections to sites deemed malicious, when high protection is enabled
    • Users need to know if and why their traffic is being modified
    • If TBP is blocking access it needs to host a page stating so (again this can be challenging for TLS content)
  • Consideration for non-web ports and protocols
    • The internet is more than just websites and browsers, let the other ports through!

Minimising risk is a balancing act between usability and security, always consider the impact before making design decisions. The intent behind TBP is great but it needs to be supportable and fit for purpose i.e. delivered in a manner that minimises impact to customers and Support need to be able to support it. If there is a likelihood of false positives denying service, TBP should not be applied to all residential customers by default especially when Customer Support have no idea what's going on.

 

For now I will be informing my customers to use Google DNS or alternatives like Cisco Umbrella until TBP is fit for purpose. It's easier than having TBP disabled and allows them to switch back should they need to.

 

Thanks again

 

Matt
