* [Cerowrt-devel] DNSSEC failure for *.cloudflare.com via dnsmasq?
@ 2014-04-12 11:06 Robert Bradley
From: Robert Bradley @ 2014-04-12 11:06 UTC (permalink / raw)
To: cerowrt-devel
I noticed today that attempts to visit www.cloudflare.com and other
subdomains seem to be failing on the latest CeroWRT (3.10.36-4) when
DNSSEC checks are enabled, but not if I query Google DNS directly.
The resulting queries are:
root@cerowrt:~# dig www.cloudflare.com A IN
; <<>> DiG 9.9.4 <<>> www.cloudflare.com A IN
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 23776
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;www.cloudflare.com. IN A
;; Query time: 808 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Apr 12 11:04:10 UTC 2014
;; MSG SIZE rcvd: 47
root@cerowrt:~# dig +adflag www.cloudflare.com A IN
; <<>> DiG 9.9.4 <<>> +adflag www.cloudflare.com A IN
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 3689
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;www.cloudflare.com. IN A
;; Query time: 913 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Apr 12 11:04:21 UTC 2014
;; MSG SIZE rcvd: 47
root@cerowrt:~# dig +cdflag www.cloudflare.com A IN
; <<>> DiG 9.9.4 <<>> +cdflag www.cloudflare.com A IN
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19768
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;www.cloudflare.com. IN A
;; ANSWER SECTION:
www.cloudflare.com. 297 IN CNAME www.cloudflare.com.cdn.cloudflare.net.
www.cloudflare.com.cdn.cloudflare.net. 297 IN CNAME cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net.
cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net. 297 IN A 198.41.212.157
cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net. 297 IN A 198.41.213.157
;; Query time: 22 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Apr 12 11:04:26 UTC 2014
;; MSG SIZE rcvd: 169
root@cerowrt:~# dig @8.8.8.8 www.cloudflare.com A IN
; <<>> DiG 9.9.4 <<>> @8.8.8.8 www.cloudflare.com A IN
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31488
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.cloudflare.com. IN A
;; ANSWER SECTION:
www.cloudflare.com. 84 IN CNAME www.cloudflare.com.cdn.cloudflare.net.
www.cloudflare.com.cdn.cloudflare.net. 166 IN CNAME cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net.
cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net. 166 IN A 198.41.213.157
cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net. 166 IN A 198.41.212.157
;; Query time: 22 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sat Apr 12 11:04:35 UTC 2014
;; MSG SIZE rcvd: 169
root@cerowrt:~# dig @8.8.8.8 +adflag www.cloudflare.com A IN
; <<>> DiG 9.9.4 <<>> @8.8.8.8 +adflag www.cloudflare.com A IN
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59486
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.cloudflare.com. IN A
;; ANSWER SECTION:
www.cloudflare.com. 77 IN CNAME www.cloudflare.com.cdn.cloudflare.net.
www.cloudflare.com.cdn.cloudflare.net. 159 IN CNAME cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net.
cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net. 159 IN A 198.41.213.157
cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net. 159 IN A 198.41.212.157
;; Query time: 22 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sat Apr 12 11:04:41 UTC 2014
;; MSG SIZE rcvd: 169
root@cerowrt:~# dig @8.8.8.8 +cdflag www.cloudflare.com A IN
; <<>> DiG 9.9.4 <<>> @8.8.8.8 +cdflag www.cloudflare.com A IN
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43503
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.cloudflare.com. IN A
;; ANSWER SECTION:
www.cloudflare.com. 69 IN CNAME www.cloudflare.com.cdn.cloudflare.net.
www.cloudflare.com.cdn.cloudflare.net. 151 IN CNAME cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net.
cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net. 151 IN A 198.41.213.157
cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net. 151 IN A 198.41.212.157
;; Query time: 26 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sat Apr 12 11:04:48 UTC 2014
;; MSG SIZE rcvd: 169
root@cerowrt:~#
Can anyone explain why this should be the case?
--
Robert Bradley
* Re: [Cerowrt-devel] DNSSEC failure for *.cloudflare.com via dnsmasq?
From: Toke Høiland-Jørgensen @ 2014-04-12 11:11 UTC (permalink / raw)
To: Robert Bradley; +Cc: cerowrt-devel
Robert Bradley <robert.bradley1@gmail.com> writes:
> Can anyone explain why this should be the case?
If you turn on log-queries in the dnsmasq config, you can see the
results of the dnssec validation in the logs which might give a hint :)
-Toke
* Re: [Cerowrt-devel] DNSSEC failure for *.cloudflare.com via dnsmasq?
From: Robert Bradley @ 2014-04-12 11:13 UTC (permalink / raw)
To: cerowrt-devel
On 12/04/2014 12:06, Robert Bradley wrote:
> I noticed today that attempts to visit www.cloudflare.com and other
> subdomains seem to be failing on the latest CeroWRT (3.10.36-4) when
> DNSSEC checks are enabled, but not if I query Google DNS directly.
If it helps, it seems to be an issue with dnssec-check-unsigned again.
This time, though, it was via Google's DNS. (Using the Virgin Media DNS
servers, dnssec-check-unsigned kills all DNS as per my previous posts.)
--
Robert Bradley
* Re: [Cerowrt-devel] DNSSEC failure for *.cloudflare.com via dnsmasq?
From: Robert Bradley @ 2014-04-12 11:53 UTC (permalink / raw)
To: Toke Høiland-Jørgensen; +Cc: cerowrt-devel
On 12/04/2014 12:11, Toke Høiland-Jørgensen wrote:
> Robert Bradley <robert.bradley1@gmail.com> writes:
>
>> Can anyone explain why this should be the case?
> If you turn on log-queries in the dnsmasq config, you can see the
> results of the dnssec validation in the logs which might give a hint :)
>
> -Toke
OK, with log-queries on I get:
Sat Apr 12 11:41:50 2014 daemon.info dnsmasq[14581]: query[A] www.cloudflare.com from 127.0.0.1
Sat Apr 12 11:41:50 2014 daemon.info dnsmasq[14581]: forwarded www.cloudflare.com to 8.8.4.4
Sat Apr 12 11:41:50 2014 daemon.info dnsmasq[14581]: dnssec-query[DS] www.cloudflare.com to 8.8.4.4
Sat Apr 12 11:41:51 2014 daemon.info dnsmasq[14581]: forwarded www.cloudflare.com to 8.8.8.8
Sat Apr 12 11:41:51 2014 daemon.info dnsmasq[14581]: forwarded www.cloudflare.com to 8.8.4.4
Sat Apr 12 11:41:52 2014 daemon.info dnsmasq[14581]: reply www.cloudflare.com is BOGUS DS
Sat Apr 12 11:41:52 2014 daemon.info dnsmasq[14581]: validation result is BOGUS
Sat Apr 12 11:41:52 2014 daemon.info dnsmasq[14581]: reply www.cloudflare.com is <CNAME>
Sat Apr 12 11:41:52 2014 daemon.info dnsmasq[14581]: reply www.cloudflare.com.cdn.cloudflare.net is <CNAME>
Sat Apr 12 11:41:52 2014 daemon.info dnsmasq[14581]: reply cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net is 198.41.213.157
Sat Apr 12 11:41:52 2014 daemon.info dnsmasq[14581]: reply cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net is 198.41.212.157
Running tcpdump -i ge00 port 53 -v -v -n during a query from Windows 7
nslookup, I see:
11:44:44.884477 IP (tos 0x90, ttl 64, id 16465, offset 0, flags [DF], proto UDP (17), length 75)
    86.1.32.208.44272 > 8.8.8.8.53: [udp sum ok] 20890+ [1au] A? www.cloudflare.com. ar: . OPT UDPsize=4096 OK (47)
11:44:44.884652 IP (tos 0x90, ttl 64, id 26115, offset 0, flags [DF], proto UDP (17), length 75)
    86.1.32.208.44272 > 8.8.4.4.53: [udp sum ok] 20890+ [1au] A? www.cloudflare.com. ar: . OPT UDPsize=4096 OK (47)
11:44:44.904068 IP (tos 0x0, ttl 47, id 47459, offset 0, flags [none], proto UDP (17), length 197)
    8.8.8.8.53 > 86.1.32.208.44272: [udp sum ok] 20890 q: A? www.cloudflare.com. 4/0/1 www.cloudflare.com. CNAME www.cloudflare.com.cdn.cloudflare.net., www.cloudflare.com.cdn.cloudflare.net. CNAME cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net., cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net. A 198.41.212.157, cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net. A 198.41.213.157 ar: . OPT UDPsize=512 OK (169)
11:44:44.904120 IP (tos 0x0, ttl 45, id 57740, offset 0, flags [none], proto UDP (17), length 197)
    8.8.4.4.53 > 86.1.32.208.44272: [udp sum ok] 20890 q: A? www.cloudflare.com. 4/0/1 www.cloudflare.com. CNAME www.cloudflare.com.cdn.cloudflare.net., www.cloudflare.com.cdn.cloudflare.net. CNAME cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net., cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net. A 198.41.212.157, cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net. A 198.41.213.157 ar: . OPT UDPsize=512 OK (169)
11:44:44.904720 IP (tos 0x90, ttl 64, id 16466, offset 0, flags [DF], proto UDP (17), length 75)
    86.1.32.208.60232 > 8.8.8.8.53: [udp sum ok] 43145+ [1au] DS? www.cloudflare.com. ar: . OPT UDPsize=4096 OK (47)
11:44:45.430963 IP (tos 0x0, ttl 49, id 13829, offset 0, flags [none], proto UDP (17), length 75)
    8.8.8.8.53 > 86.1.32.208.60232: [udp sum ok] 43145 ServFail q: DS? www.cloudflare.com. 0/0/1 ar: . OPT UDPsize=512 OK (47)
11:44:45.434094 IP (tos 0x90, ttl 64, id 16467, offset 0, flags [DF], proto UDP (17), length 75)
    86.1.32.208.27765 > 8.8.8.8.53: [udp sum ok] 6810+ [1au] AAAA? www.cloudflare.com. ar: . OPT UDPsize=4096 OK (47)
11:44:45.455145 IP (tos 0x0, ttl 47, id 13830, offset 0, flags [none], proto UDP (17), length 221)
    8.8.8.8.53 > 86.1.32.208.27765: [udp sum ok] 6810 q: AAAA? www.cloudflare.com. 4/0/1 www.cloudflare.com. CNAME www.cloudflare.com.cdn.cloudflare.net., www.cloudflare.com.cdn.cloudflare.net. CNAME cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net., cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net. AAAA 2400:cb00:2048:1::c629:d59d, cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net. AAAA 2400:cb00:2048:1::c629:d49d ar: . OPT UDPsize=512 OK (193)
11:44:45.455845 IP (tos 0x90, ttl 64, id 16468, offset 0, flags [DF], proto UDP (17), length 75)
    86.1.32.208.63524 > 8.8.8.8.53: [udp sum ok] 37758+ [1au] DS? www.cloudflare.com. ar: . OPT UDPsize=4096 OK (47)
11:44:45.895583 IP (tos 0x0, ttl 47, id 16395, offset 0, flags [none], proto UDP (17), length 75)
    8.8.8.8.53 > 86.1.32.208.63524: [udp sum ok] 37758 ServFail q: DS? www.cloudflare.com. 0/0/1 ar: . OPT UDPsize=512 OK (47)
11:44:45.896049 IP (tos 0x90, ttl 64, id 26116, offset 0, flags [DF], proto UDP (17), length 75)
    86.1.32.208.63524 > 8.8.4.4.53: [udp sum ok] 37758+ [b2&3=0x182] [1au] DS? www.cloudflare.com. ar: . OPT UDPsize=512 OK (47)
11:44:45.896242 IP (tos 0x90, ttl 64, id 16469, offset 0, flags [DF], proto UDP (17), length 75)
    86.1.32.208.63524 > 8.8.8.8.53: [udp sum ok] 37758+ [b2&3=0x182] [1au] DS? www.cloudflare.com. ar: . OPT UDPsize=512 OK (47)
11:44:46.335616 IP (tos 0x0, ttl 46, id 44525, offset 0, flags [none], proto UDP (17), length 75)
    8.8.4.4.53 > 86.1.32.208.63524: [udp sum ok] 37758 ServFail q: DS? www.cloudflare.com. 0/0/1 ar: . OPT UDPsize=512 OK (47)
11:44:46.341564 IP (tos 0x0, ttl 47, id 47460, offset 0, flags [none], proto UDP (17), length 75)
    8.8.8.8.53 > 86.1.32.208.63524: [udp sum ok] 37758 ServFail q: DS? www.cloudflare.com. 0/0/1 ar: . OPT UDPsize=512 OK (47)
That seems to suggest that it's the DS queries that are failing and that
this is probably not a dnsmasq bug. Trying Verisign's DNSSEC debugger
(http://dnssec-debugger.verisignlabs.com/blog.cloudflare.com) seems to
suggest that their nameservers refuse requests for DNSKEY records.
--
Robert Bradley
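An added example, not code from the thread: a small Python parser for dnsmasq log-queries output of the kind Robert pasted above. It groups the lines by client query, records which upstreams were asked, which dnssec-query sub-lookups were issued, which record came back BOGUS, and what the client-visible effect is (SERVFAIL unless CD is set, as the dig runs in the first message show). The sample input is the thread's own log, re-joined where the mail wrapped it; the function and field names are my own.

```python
import re

# Only the text after "dnsmasq[<pid>]: " matters; the syslog prefix varies by system.
LINE_RE = re.compile(r"dnsmasq\[\d+\]: (?P<msg>.*)$")
QUERY_RE = re.compile(r"^query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<client>\S+)$")
FORWARD_RE = re.compile(r"^forwarded (?P<name>\S+) to (?P<server>\S+)$")
DNSSEC_Q_RE = re.compile(r"^dnssec-query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) to (?P<server>\S+)$")
RESULT_RE = re.compile(r"^validation result is (?P<result>\S+)$")
REPLY_RE = re.compile(r"^reply (?P<name>\S+) is (?P<value>.+)$")

# Sample input: the thread's own dnsmasq output, re-joined where the mail wrapped it.
SAMPLE_LOG = """\
Sat Apr 12 11:41:50 2014 daemon.info dnsmasq[14581]: query[A] www.cloudflare.com from 127.0.0.1
Sat Apr 12 11:41:50 2014 daemon.info dnsmasq[14581]: forwarded www.cloudflare.com to 8.8.4.4
Sat Apr 12 11:41:50 2014 daemon.info dnsmasq[14581]: dnssec-query[DS] www.cloudflare.com to 8.8.4.4
Sat Apr 12 11:41:51 2014 daemon.info dnsmasq[14581]: forwarded www.cloudflare.com to 8.8.8.8
Sat Apr 12 11:41:51 2014 daemon.info dnsmasq[14581]: forwarded www.cloudflare.com to 8.8.4.4
Sat Apr 12 11:41:52 2014 daemon.info dnsmasq[14581]: reply www.cloudflare.com is BOGUS DS
Sat Apr 12 11:41:52 2014 daemon.info dnsmasq[14581]: validation result is BOGUS
Sat Apr 12 11:41:52 2014 daemon.info dnsmasq[14581]: reply www.cloudflare.com is <CNAME>
Sat Apr 12 11:41:52 2014 daemon.info dnsmasq[14581]: reply www.cloudflare.com.cdn.cloudflare.net is <CNAME>
Sat Apr 12 11:41:52 2014 daemon.info dnsmasq[14581]: reply cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net is 198.41.213.157
Sat Apr 12 11:41:52 2014 daemon.info dnsmasq[14581]: reply cf-ssl2463-protected-www.cloudflare.com.cdn.cloudflare.net is 198.41.212.157
"""

def parse_dnsmasq_log(lines):
    """Group log-queries lines by client query; returns one summary dict per query."""
    queries, current = [], None
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        msg = m.group("msg").strip()
        q = QUERY_RE.match(msg)
        if q:
            current = {"name": q["name"], "qtype": q["qtype"], "client": q["client"],
                       "upstreams": set(), "dnssec_queries": [], "bogus": [],
                       "validation": None, "answers": []}
            queries.append(current)
            continue
        if current is None:  # log began mid-query; nothing to attach this line to
            continue
        f, d, r, p = (FORWARD_RE.match(msg), DNSSEC_Q_RE.match(msg),
                      RESULT_RE.match(msg), REPLY_RE.match(msg))
        if f:
            current["upstreams"].add(f["server"])
        elif d:
            current["dnssec_queries"].append((d["qtype"], d["name"], d["server"]))
        elif r:
            current["validation"] = r["result"]
        elif p and p["value"].startswith("BOGUS"):  # "reply X is BOGUS DS": failed rrtype
            current["bogus"].append((p["name"], p["value"].split()[-1]))
        elif p and not p["value"].startswith("<"):  # "<CNAME>" placeholders carry no address
            current["answers"].append(p["value"])
    return queries

def diagnose(summary):
    """One-line reading of a summary: what failed, where it was asked, client-visible effect."""
    qname = f"{summary['qtype']} {summary['name']}"
    if summary["validation"] != "BOGUS":
        return f"{qname}: validation {summary['validation'] or 'not logged'}"
    failed = ", ".join(f"{rtype} for {name}" for name, rtype in summary["bogus"])
    via = ", ".join(sorted(summary["upstreams"]))
    return (f"{qname}: BOGUS ({failed}) via {via}; {len(summary['answers'])} address(es) "
            f"were returned upstream but dnsmasq answers SERVFAIL unless the client sets CD")
```

Run over the sample, diagnose() reports the DS lookup for www.cloudflare.com as the record that went BOGUS while the A answers themselves arrived, which is the same picture the tcpdump capture gives.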
* Re: [Cerowrt-devel] DNSSEC failure for *.cloudflare.com via dnsmasq?
From: Toke Høiland-Jørgensen @ 2014-04-12 12:02 UTC (permalink / raw)
To: Robert Bradley; +Cc: cerowrt-devel
Robert Bradley <robert.bradley1@gmail.com> writes:
> That seems to suggest that it's the DS queries that are failing and
> that this is probably not a dnsmasq bug. Trying Verisign's DNSSEC
> debugger (http://dnssec-debugger.verisignlabs.com/blog.cloudflare.com)
> seems to suggest that their nameservers refuse requests for DNSKEY
> records.
I seem to have no problems resolving either cloudflare.com or
cloudflare.net with dnssec validation enabled. But then I might have a
different view of their DNS infrastructure; I'm in Sweden...
You can try running dig with +dnssec +trace to see where in the chain
things go wrong...
-Toke
* Re: [Cerowrt-devel] DNSSEC failure for *.cloudflare.com via dnsmasq?
From: Robert Bradley @ 2014-04-12 12:24 UTC (permalink / raw)
To: Toke Høiland-Jørgensen; +Cc: cerowrt-devel
On 12/04/2014 13:02, Toke Høiland-Jørgensen wrote:
> Robert Bradley <robert.bradley1@gmail.com> writes:
>
>> That seems to suggest that it's the DS queries that are failing and
>> that this is probably not a dnsmasq bug. Trying Verisign's DNSSEC
>> debugger (http://dnssec-debugger.verisignlabs.com/blog.cloudflare.com)
>> seems to suggest that their nameservers refuse requests for DNSKEY
>> records.
> I seem to have no problems resolving either cloudflare.com or
> cloudflare.net with dnssec validation enabled. But then I might have a
> different view of their DNS infrastructure; I'm in Sweden...
>
> You can try running dig with +dnssec +trace to see where in the chain
> things go wrong...
>
> -Toke
Using +dnssec +trace returns no errors, but that ends up bypassing both
Google's DNS servers and dnsmasq in favour of going directly to the DNS
root. It looks like there is some issue with 8.8.8.8 and 8.8.4.4
disliking that particular domain (at least from a UK point of view), but
I am unable to see what it is.
--
Robert Bradley
* Re: [Cerowrt-devel] DNSSEC failure for *.cloudflare.com via dnsmasq?
From: Dave Taht @ 2014-04-12 19:06 UTC (permalink / raw)
To: Robert Bradley; +Cc: cerowrt-devel
I tweeted this thread to cloudflare.
On Sat, Apr 12, 2014 at 5:24 AM, Robert Bradley
<robert.bradley1@gmail.com> wrote:
> On 12/04/2014 13:02, Toke Høiland-Jørgensen wrote:
>> Robert Bradley <robert.bradley1@gmail.com> writes:
>>
>>> That seems to suggest that it's the DS queries that are failing and
>>> that this is probably not a dnsmasq bug. Trying Verisign's DNSSEC
>>> debugger (http://dnssec-debugger.verisignlabs.com/blog.cloudflare.com)
>>> seems to suggest that their nameservers refuse requests for DNSKEY
>>> records.
>> I seem to have no problems resolving either cloudflare.com or
>> cloudflare.net with dnssec validation enabled. But then I might have a
>> different view of their DNS infrastructure; I'm in Sweden...
>>
>> You can try running dig with +dnssec +trace to see where in the chain
>> things go wrong...
>>
>> -Toke
>
> Using +dnssec +trace returns no errors, but that ends up bypassing both
> Google's DNS servers and dnsmasq in favour of going directly to the DNS
> root. It looks like there is some issue with 8.8.8.8 and 8.8.4.4
> disliking that particular domain (at least from a UK point of view), but
> I am unable to see what it is.
>
> --
> Robert Bradley
--
Dave Täht
NSFW: https://w2.eff.org/Censorship/Internet_censorship_bills/russell_0296_indecent.article
* Re: [Cerowrt-devel] DNSSEC failure for *.cloudflare.com via dnsmasq?
From: Michael Richardson @ 2014-04-12 19:07 UTC (permalink / raw)
To: Robert Bradley; +Cc: cerowrt-devel
Did I understand that your dnsmasq is using 8.8.8.8 as its upstream
forwarder, so your results are filtered through google?
--
] Never tell me the odds! | ipv6 mesh networks [
] Michael Richardson, Sandelman Software Works | network architect [
] mcr@sandelman.ca http://www.sandelman.ca/ | ruby on rails [
* Re: [Cerowrt-devel] DNSSEC failure for *.cloudflare.com via dnsmasq?
From: Robert Bradley @ 2014-04-12 20:30 UTC (permalink / raw)
To: Michael Richardson; +Cc: cerowrt-devel
On 12/04/2014 20:07, Michael Richardson wrote:
> Did I understand that your dnsmasq is using 8.8.8.8 as its upstream
> forwarder, so your results are filtered through google?
Yes, that's right.
--
Robert Bradley
* Re: [Cerowrt-devel] DNSSEC failure for *.cloudflare.com via dnsmasq?
From: Michael Richardson @ 2014-04-12 20:54 UTC (permalink / raw)
To: Robert Bradley; +Cc: cerowrt-devel
Robert Bradley <robert.bradley1@gmail.com> wrote:
>> Did I understand that your dnsmasq is using 8.8.8.8 as its upstream
>> forwarder, so your results are filtered through google?
> Yes, that's right.
I think that there is some interaction between dnsmasq doing DNSSEC, and
Google DNS doing it as well. Can you try with some other open resolver that
does not do DNSSEC resolution?
--
] Never tell me the odds! | ipv6 mesh networks [
] Michael Richardson, Sandelman Software Works | network architect [
] mcr@sandelman.ca http://www.sandelman.ca/ | ruby on rails [
* Re: [Cerowrt-devel] DNSSEC failure for *.cloudflare.com via dnsmasq?
From: Robert Bradley @ 2014-04-12 21:27 UTC (permalink / raw)
To: Michael Richardson; +Cc: cerowrt-devel
On 12/04/2014 21:54, Michael Richardson wrote:
> Robert Bradley <robert.bradley1@gmail.com> wrote:
> >> Did I understand that your dnsmasq is using 8.8.8.8 as its upstream
> >> forwarder, so your results are filtered through google?
>
> > Yes, that's right.
>
> I think that there is some interaction between dnsmasq doing DNSSEC, and
> Google DNS doing it as well. Can you try with some other open resolver that
> does not do DNSSEC resolution?
Switching to using 4.2.2.2 seems to work fine. This may well be limited
to particular networks and servers though given that these are anycast
servers and Cloudflare is a CDN:
root@cerowrt:~# traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 38 byte packets
 1 * * *
 2 leed-core-2a-xe-1121-0.network.virginmedia.net (82.15.94.65) 9.146 ms 6.761 ms 7.251 ms
 3 manc-bb-1d-ae8-0.network.virginmedia.net (213.105.159.249) 7.819 ms 11.558 ms 7.666 ms
 4 manc-bb-2a-ae3-0.network.virginmedia.net (62.254.42.117) 13.453 ms 49.300 ms 12.830 ms
 5 manc-bb-1c-ae2-0.network.virginmedia.net (62.254.42.114) 7.613 ms 7.063 ms 7.924 ms
 6 tele-ic-3-ae0-0.network.virginmedia.net (212.43.163.70) 13.606 ms 13.478 ms 14.151 ms
 7 tele-ic-2-ge-301-0.inet.ntl.com (212.250.14.105) 46.178 ms 51.208 ms 50.896 ms
 8 209.85.244.182 (209.85.244.182) 22.786 ms 209.85.244.184 (209.85.244.184) 14.510 ms 209.85.244.182 (209.85.244.182) 39.937 ms
 9 209.85.253.94 (209.85.253.94) 14.654 ms 209.85.245.2 (209.85.245.2) 19.117 ms 14.333 ms
10 66.249.95.173 (66.249.95.173) 29.301 ms 72.14.242.166 (72.14.242.166) 19.458 ms 20.342 ms
11 72.14.238.217 (72.14.238.217) 53.472 ms 72.14.238.41 (72.14.238.41) 20.340 ms 20.248 ms
12 * * *
13 google-public-dns-a.google.com (8.8.8.8) 18.814 ms 19.262 ms 20.023 ms
root@cerowrt:~# traceroute 4.2.2.2
traceroute to 4.2.2.2 (4.2.2.2), 30 hops max, 38 byte packets
 1 * * *
 2 leed-core-2a-xe-1121-0.network.virginmedia.net (82.15.94.65) 6.979 ms 6.162 ms 5.474 ms
 3 manc-bb-1d-ae8-0.network.virginmedia.net (213.105.159.249) 6.553 ms 32.480 ms 7.849 ms
 4 manc-bb-2a-ae3-0.network.virginmedia.net (62.254.42.117) 13.485 ms 13.117 ms 13.461 ms
 5 brhm-bb-2a-ae1-0.network.virginmedia.net (62.254.42.49) 9.660 ms 9.528 ms 14.095 ms
 6 * brhm-bb-1c-ae0-0.network.virginmedia.net (62.254.42.110) 9.213 ms *
 7 213.161.65.149 (213.161.65.149) 14.674 ms 15.765 ms 15.385 ms
 8 4.68.70.77 (4.68.70.77) 15.200 ms 15.055 ms 15.223 ms
 9 vl-3603-ve-227.csw2.London1.Level3.net (4.69.166.153) 13.883 ms vl-3504-ve-118.csw1.London1.Level3.net (4.69.166.141) 18.986 ms vl-3502-ve-116.csw1.London1.Level3.net (4.69.166.133) 20.304 ms
10 ae-234-3610.edge5.london1.Level3.net (4.69.166.53) 13.229 ms ae-124-3510.edge5.london1.Level3.net (4.69.166.37) 18.553 ms ae-123-3509.edge5.London1.Level3.net (4.69.166.33) 20.394 ms
11 b.resolvers.Level3.net (4.2.2.2) 14.764 ms 14.026 ms 15.251 ms
--
Robert Bradley