First step would be to contact Zettagrid. We can't tell if your server is blacklisted because we have no details about it and therefor can't check. If it was Telstra Parental Controls blocking it, you should be able to tell by the error message.

Many thanks for your reply, I've also opened a ticket with Zettagrid to check their end. I checked my IP against the mxtoolbox blacklist checker, there's no listing of my Zettagrid public IP on it. So, doesn't appear to be a blacklist issue as far as I can tell.

It's just really odd that it only happens on Telstra cable and NBN sites and no other Telstra plans like ADSL or Telstra business plans.

Hi

I have the same issue with a server hosted by Netregistry. I don't know if it is related to Broadband Protect (which I am unable to turn off, only lower the protection) but I have not asked for any kind of filtering or manipulation of DNS traffic on my broadband service, blacklist or no.

This suspiciously started after a change (outage) some customers were notified of last Wednesday.

I have contacted Netregistry, their advice was to speak to Telstra. That was an extremely painful experience being asked to factory reset my modem and saying things like "Telstra do not support DNS" or "we're not trained on it", and if I wanted help I have to pay for premium support.

DNS is a fundamental part of an internet service, customer support need to understand it. Even if it means they can figure out if an issue is related to something like Broadband Protect. Or the NBN change last Wednesday.

Also if I were implementing a DNS hijacking service like this, I would at least host a response page for hijacked requests so my customers know why stuff is not working.

------------------------------------------------

Default Server: mygateway
Address: 10.0.0.138

> cp101.ezyreg.com
Server: mygateway
Address: 10.0.0.138

Non-authoritative answer:
Name: cp101.ezyreg.com
Addresses: 2001:8002:e41:f002::f5ff
61.9.211.50

> server 61.9.211.33
Default Server: dns-cust.cha.bigpond.net.au
Address: 61.9.211.33

> cp101.ezyreg.com
Server: dns-cust.cha.bigpond.net.au
Address: 61.9.211.33

Non-authoritative answer:
Name: cp101.ezyreg.com
Addresses: 2001:8002:e41:f002::f5ff
61.9.211.50

> server 8.8.8.8
Default Server: google-public-dns-a.google.com
Address: 8.8.8.8

> cp101.ezyreg.com
Server: google-public-dns-a.google.com
Address: 8.8.8.8

Non-authoritative answer:
Name: cp101.ezyreg.com
Address: 27.121.64.101

First of all, the ping test is absolute crap - most security conscious IT admins block ICMP nowadays...
Second, unless you are willing to tell as what your site is we cannot do anything about it since we cannot test or investigate it.
Third, mxtoolbox is not a bad site, but did you try to check your site on virustotal? That's site many use as their source of blocking...

@slipmat

You'll find that that's one of Telstra Broadband Protect's web protection proxies getting returned.

Why would you say a ping test is crap? The first thing it does is test DNS resolution (or your cache) which identified what the issue was, the fact that it gets no response is just a result of the DNS rewrite.

 

ICMP still has its place on the internet, most security pros block it where it presents a threat (like reconnaissance or covert channels).

Thanks, I thought so.

How do we get this fixed, other than using Google DNS (and bypassing Broadband Protect)?

The affected fqdn is a shared cPanel host, we have no control over its content. Using it is a dependency for secure IMAP/SMTP, and Broadband Protect is now interfering with our internet service.

Cheers.

You can get in touch with TBP Tech Support (133933 or 13 22 00 and say Security Support) or billing who should be able to remove it off your accoun

I've started implementing SSL/HTTPS on my Zettagrid server for services (over ports 80 and 443). I've also added a PTR/rDNS record for my fqdn. This seems to be having the desired affect and I can now can access some of my resources at the problematic Telstra NBN sites. I've got a few more resources to migrate to SSL/HTTPS, hopefully this works for everything. Perhaps Telstra Broadband Protect is set to block sites it thinks are insecure (not sure)?

You'll find that the browsers themselves are also starting to block access to sites that haven't implemented HTTPS (Google Chrome, especially), so it's not just things like Telstra Broadband Protect that you need to consider in that regard.

Thanks @Yastiandrie

 

Seems this is a common issue with TBP and support staff have no idea what is happening: https://crowdsupport.telstra.com.au/t5/Home-Broadband/DNS-Resolution-Issue/m-p/756245

 

I attempted to lower my TBP protection which seems to have resulted in the DNS still in place but access to the site unfiltered, via the hijacked IP which I assume is a TBP transparent proxy - this works for ports 80 and 443 but no other service running on the host i.e. IMAP/POP/SMTP (+TLS). At the very least, the TBP proxy must forward non-web protocols rather than block them.

 

I was contacted by the back-end team who stated the host needs to be considered 'clean' by VirusTotal before access will be unblocked, which is a failure for the service to provide protection without implicitly denying legitimate access. We have no control over the content other customers are hosting on the shared service, that is the nature of shared hosting. This detection is a false positive and in its current state TBP is denying service for all Telstra customers that also utilise such hosting services.

 

I think some broad assumptions have been made during the TBP design process without consideration of the effect it has on the service provided to customers:

• Using VirusTotal as a sole method to determine a site's disposition
  
  • Both free and paid reputation services are available
• Filtering an entire host based on the above disposition
  • e.g. if http://host/~badcustomer/content/exploit-kit is malicious, don't deny access to http://host/~goodcustomer/content/benign.html
  • This can be challenging for TLS content, is the current implementation fit for purpose??
• Not providing a response for proxied connections to sites deemed malicious, when high protection is enabled
  • Users need to know if and why their traffic is being modified
  • If TBP is blocking access it needs to host a page stating so (again this can be challenging for TLS content)
• Consideration for non-web ports and protocols
  • The internet is more than just websites and browsers, let the other ports through!

Minimising risk is a balancing act between usability and security, always consider the impact before making design decisions. The intent behind TBP is great but it needs to be supportable and fit for purpose i.e. delivered in a manner that minimises impact to customers and Support need to be able to support it. If there is a likelihood of false positives denying service, TBP should not be applied to all residential customers by default especially when Customer Support have no idea what's going on.

 

For now I will be informing my customers to use Google DNS or alternatives like Cisco Umbrella until TBP is fit for purpose. It's easier than having TBP disabled and allows them to switch back should they need to.

 

Thanks again

 

Matt