Bug 213098

Comment 1 Peter Wemm 2016-09-30 19:51:16 UTC

Unfortunately ftp.freebsd.org isn't really meant to be a mirror selector.  It was only really meant to solve the problem where the two project-operated "ftp.freebsd.org" servers were selected at random.

We have had a huge problem with shared 3rd party mirrors over the last few years.  What would often happen is that ftpN.cc.freebsd.org was a cname to a jumbo mirror server at a university and it also carried things like the sourceforge binary uploads directory.  This would cause people like google to blacklist "freebsd.org" for hosting malware - even though it was a 3rd party mirror - eg: "http://ftp4.ie.freebsd.org/pub/SourceForge/m/ma/malware.exe" etc.  You'd get malware warnings for trying to download via chrome / firefox / etc for *all* of freebsd.org until somebody intervened.  There were many secondary effects negative that were tied to the google safebrowsing list - eg: email blacklists, services refused, etc.

As a result, at this time we are unwilling to point "ftp.freebdsd.org" (ftp/http) or "https://download.freebsd.org" to mirrors that are not under project control and we have had to de-list some 3rd party mirrors that cause malware flagging on freebsd.org.

While we probably should use an actual closest-mirror selection system, I don't expect it to be tied to ftp.freebsd.org/download.freebsd.org.  If we did such a thing I would be strongly in favor of having people see the proper names for the servers rather than ftp*.cc.freebsd.org.

pkg.freebsd.org and svn.freebsd.org runs on the same infrastructure as ftp/download.freebsd.org.

Comment 2 Peter Wemm 2016-09-30 19:53:44 UTC

I didn't give an example.  This works: http://ftp.br.freebsd.org/ubuntu-releases/ - I don't mean to pick on ubuntu, but imagine if it's the sourceforge malware site.

Comment 3 Vinícius Zavam 2016-10-04 14:37:08 UTC

(In reply to Peter Wemm from comment #1)

That is really a good point (not to be reported as malware/virus source), but... how odd can it be to use a FreeBSD machine in the U.S. and resolve 'ftp.geo.freebsd.org' to an IP address of a server hosted in Taiwan? We can check it on my first message.

Comment 4 Vinícius Zavam 2016-10-04 15:01:23 UTC

(In reply to Peter Wemm from comment #2)

I did read https://www.freebsd.org/doc/en/articles/hubs/index.html to get more information about how to contribute (again) with FreeBSD on mirroring its FTP server, but it says that "We are not accepting new mirrors at this time". 

Let's say that I can try to 'donate' you a machine in Brazil to host FreeBSD's releases+snapshots, and maybe share the hosting service with only a partial OpenBSD mirror. Would it be helpful, or is it out of question/discussion?

What about mirroring 'pkg.freebsd.org'? Follows the same policy?

Thank you for taking your time to write considerations and give us clear feedback about FreeBSD's geodns solution.

Comment 5 Peter Wemm 2016-10-05 07:21:34 UTC

I was wondering if the source data was erroneous so I did some quick check on one of the machines in question (gns0):  Here's what I see, based on the addresses you provided:

First sample, Brazil:
$ geoiplookup 200.17.32.0
BR, 06, Ceara, Aracoiaba, 62750, -4.490500, -38.677601, 0, 0
$ geoiplookup 201.48.192.0
BR, 27, Sao Paulo, São Paulo, N/A, -23.473301, -46.665798, 0, 0
$ geoiplookup 152.240.0.0
BR, 28, Sergipe, Aracaju, N/A, -10.916700, 0, 0
$ geoiplookup 181.222.128.0
BR, 06, Ceara, Fortaleza, N/A, -3.316700, -41.416698, 0, 0
$ geoiplookup 177.84.60.0
BR, 26, Santa Catarina, Pouso Redondo, 89172, -27.303900, -49.984699, 0, 0

Second, France:
$ geoiplookup 46.105.0.0
FR, N/A, N/A, N/A, N/A, 48.858200, 2.338700, 0, 0

Third, US:
$ geoiplookup 192.241.128.0
US, NY, New York, New York, 10011, 40.742100, -74.001801, 501, 212

I was concerned that the source data might be incorrect but it seems plausible.

However, now that I look at the timing, I am wondering if you encountered a failover scenario.  We were doing openssl patching and taking machines out of the pool.  The lack of connectivity would have caused an alternate to be selected.  I am wondering if both the UK and NY mirrors were offline while you did the test.  Under normal circumstances I would expect the geo-rules to direct Brazil to the NY site, and France to the UK site.

Do you still see queries from that US site resolving to Taiwan?  What do you get when you query the gns*.freebsd.org servers directly?  eg:

$ host ftp.geo.freebsd.org gns0.freebsd.org
ftp.geo.freebsd.org has address 96.47.72.72
ftp.geo.freebsd.org has IPv6 address 2610:1c1:1:606c::15:0

We only give out a 300 second TTL on those records so caching effects should be fairly minimal.

Comment 6 Vinícius Zavam 2016-10-05 15:06:44 UTC

(In reply to Peter Wemm from comment #5)

Date: Wednesday, 5 October 2016 ~ 14:57:29 UTC (GMT)

I did ran the tests on the very same machines, and using the same CIDR mentioned before. It really looks good as you said, and the U.S. hosted machine got 'ftp.geo.freebsd.org' pointing to a NYI's (AS11403) mirror.

* 8.8.178.30 == Yahoo!, AS10310

-- Brazil:
% host ftp.geo.freebsd.org gns0.freebsd.org
Using domain server:
Name: gns0.freebsd.org
Address: 8.8.178.30#53
Aliases: 

ftp.geo.freebsd.org has address 96.47.72.72
ftp.geo.freebsd.org has IPv6 address 2610:1c1:1:606c::15:0
ftp.geo.freebsd.org mail is handled by 0 .

-- France:
$ host ftp.geo.freebsd.org gns0.freebsd.org
Using domain server:
Name: gns0.freebsd.org
Address: 8.8.178.30#53
Aliases:

ftp.geo.freebsd.org has address 213.138.116.78
ftp.geo.freebsd.org has IPv6 address 2001:41c8:112:8300::15:0
ftp.geo.freebsd.org mail is handled by 0 .

-- U.S.:
% host ftp.geo.freebsd.org gns0.freebsd.org
Using domain server:
Name: gns0.freebsd.org
Address: 8.8.178.30#53
Aliases: 

ftp.geo.freebsd.org has address 96.47.72.72
ftp.geo.freebsd.org has IPv6 address 2610:1c1:1:606c::15:0
ftp.geo.freebsd.org mail is handled by 0 .

I was a bit curious, so I also ran the tests over v6 (same CIDR mentioned before).

* 2001:4860:4860::8844 == Google, AS15169
* 2620:0:ccc::2 == OpenDNS, AS36692
* 2804:10:10::20 == IPv6 Internet, AS28299

-- Brazil:
% host ftp.geo.freebsd.org 2620:0:ccc::2
Using domain server:
Name: 2620:0:ccc::2
Address: 2620:0:ccc::2#53
Aliases: 

ftp.geo.freebsd.org has address 96.47.72.72
ftp.geo.freebsd.org has IPv6 address 2610:1c1:1:606c::15:0
ftp.geo.freebsd.org mail is handled by 0 .

% host ftp.geo.freebsd.org 2001:4860:4860::8844
Using domain server:
Name: 2001:4860:4860::8844
Address: 2001:4860:4860::8844#53
Aliases: 

ftp.geo.freebsd.org has address 140.113.168.172
ftp.geo.freebsd.org has IPv6 address 2001:f18:113:fb5d::15:0
ftp.geo.freebsd.org mail is handled by 0 .

% host ftp.geo.freebsd.org 2804:10:10::20
Using domain server:
Name: 2804:10:10::20
Address: 2804:10:10::20#53
Aliases: 

ftp.geo.freebsd.org has address 96.47.72.72
ftp.geo.freebsd.org has IPv6 address 2610:1c1:1:606c::15:0
ftp.geo.freebsd.org mail is handled by 0 .

-- France:
$ host ftp.geo.freebsd.org 2620:0:ccc::2
Using domain server:
Name: 2620:0:ccc::2
Address: 2620:0:ccc::2#53
Aliases:

ftp.geo.freebsd.org has address 96.47.72.72
ftp.geo.freebsd.org has IPv6 address 2001:41c8:112:8300::15:0
ftp.geo.freebsd.org mail is handled by 0 .

$ host ftp.geo.freebsd.org 2001:4860:4860::8844
Using domain server:
Name: 2001:4860:4860::8844
Address: 2001:4860:4860::8844#53
Aliases:

ftp.geo.freebsd.org has address 140.113.168.172
ftp.geo.freebsd.org has IPv6 address 2001:f18:113:fb5d::15:0
ftp.geo.freebsd.org mail is handled by 0 .

-- U.S.:
% host ftp.geo.freebsd.org 2620:0:ccc::2
Using domain server:
Name: 2620:0:ccc::2
Address: 2620:0:ccc::2#53
Aliases:

ftp.geo.freebsd.org has address 96.47.72.72
ftp.geo.freebsd.org has IPv6 address 2610:1c1:1:606c::15:0
ftp.geo.freebsd.org mail is handled by 0 .

% host ftp.geo.freebsd.org 2001:4860:4860::8844
Using domain server:
Name: 2001:4860:4860::8844
Address: 2001:4860:4860::8844#53
Aliases:

ftp.geo.freebsd.org has address 140.113.168.172
ftp.geo.freebsd.org has IPv6 address 2001:f18:113:fb5d::15:0
ftp.geo.freebsd.org mail is handled by 0 .