I have a server hosted in Zettagrid. I am finding when I go to any clients premises that have a new or recently deployed Telstra cable or NBN plan that I can't access or even ping my Zettagrid public IP. I don't get any issues with standard Telstra ADSL accounts or clients who have been on Telstra cable for ages (appears more prevalent with NBN accounts).
Strangely when I ping the fqdn of my server from the Telstra cable/NBN sites that I have the issue with, the reply address IP is 220.127.116.11 which appears to be a Telstra DNS address??
I'm wondering, is my server on a blacklist, is this something like Telstra Parental Controls blocking my server? How can I resolve this issue?
Was this helpful?
Why would you say a ping test is crap? The first thing it does is test DNS resolution (or your cache) which identified what the issue was, the fact that it gets no response is just a result of the DNS rewrite.
ICMP still has its place on the internet, most security pros block it where it presents a threat (like reconnaissance or covert channels).
You'll find that the browsers themselves are also starting to block access to sites that haven't implemented HTTPS (Google Chrome, especially), so it's not just things like Telstra Broadband Protect that you need to consider in that regard.
Seems this is a common issue with TBP and support staff have no idea what is happening: https://crowdsupport.telstra.com.au/t5/Home-Broadband/DNS-Resolution-Issue/m-p/756245
I attempted to lower my TBP protection which seems to have resulted in the DNS still in place but access to the site unfiltered, via the hijacked IP which I assume is a TBP transparent proxy - this works for ports 80 and 443 but no other service running on the host i.e. IMAP/POP/SMTP (+TLS). At the very least, the TBP proxy must forward non-web protocols rather than block them.
I was contacted by the back-end team who stated the host needs to be considered 'clean' by VirusTotal before access will be unblocked, which is a failure for the service to provide protection without implicitly denying legitimate access. We have no control over the content other customers are hosting on the shared service, that is the nature of shared hosting. This detection is a false positive and in its current state TBP is denying service for all Telstra customers that also utilise such hosting services.
I think some broad assumptions have been made during the TBP design process without consideration of the effect it has on the service provided to customers:
Minimising risk is a balancing act between usability and security, always consider the impact before making design decisions. The intent behind TBP is great but it needs to be supportable and fit for purpose i.e. delivered in a manner that minimises impact to customers and Support need to be able to support it. If there is a likelihood of false positives denying service, TBP should not be applied to all residential customers by default especially when Customer Support have no idea what's going on.
For now I will be informing my customers to use Google DNS or alternatives like Cisco Umbrella until TBP is fit for purpose. It's easier than having TBP disabled and allows them to switch back should they need to.