|
We received a report from a reader that fbi.gov, is not resolving. Sure enough, when I do a nslookup or dig, I do not receive an answer from the authoritative server. $ nslookup fbi.gov Digging a little deeper it appears it may be a problem with a DNSSEC key. If you follow the DNS server chain, it appears to be ok.
-- Rick Wanner - rwanner at isc dot sans dot org - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected) |
Rick 290 Posts ISC Handler |
| Reply Subscribe |
Nov 11th 2011 7 years ago |
|
LOL, who said those guys were smart enough to operate computer systems anyway :D
|
©TriMoon™ 6 Posts |
| Reply Quote |
Nov 11th 2011 7 years ago |
|
I don't see any problem:
$ dig fbi.gov ns ; <<>> DiG 9.7.3 <<>> fbi.gov ns ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53091 ;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;fbi.gov. IN NS ;; ANSWER SECTION: fbi.gov. 300 IN NS ns1.fbi.gov. fbi.gov. 300 IN NS ns5.fbi.gov. fbi.gov. 300 IN NS ns3.fbi.gov. fbi.gov. 300 IN NS ns2.fbi.gov. fbi.gov. 300 IN NS ns6.fbi.gov. fbi.gov. 300 IN NS ns4.fbi.gov. ;; Query time: 55 msec ;; SERVER: 10.2.5.1#53(10.2.5.1) ;; WHEN: Fri Nov 11 09:41:32 2011 ;; MSG SIZE rcvd: 133 $ dig @ns1.fbi.gov fbi.gov ; <<>> DiG 9.7.3 <<>> @ns1.fbi.gov fbi.gov ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57359 ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 6, ADDITIONAL: 6 ;; WARNING: recursion requested but not available ;; QUESTION SECTION: ;fbi.gov. IN A ;; ANSWER SECTION: fbi.gov. 300 IN A 209.251.178.99 ;; AUTHORITY SECTION: fbi.gov. 300 IN NS ns1.fbi.gov. fbi.gov. 300 IN NS ns3.fbi.gov. fbi.gov. 300 IN NS ns6.fbi.gov. fbi.gov. 300 IN NS ns4.fbi.gov. fbi.gov. 300 IN NS ns2.fbi.gov. fbi.gov. 300 IN NS ns5.fbi.gov. ;; ADDITIONAL SECTION: ns1.fbi.gov. 300 IN A 156.154.100.27 ns2.fbi.gov. 300 IN A 156.154.101.27 ns3.fbi.gov. 300 IN A 156.154.102.27 ns4.fbi.gov. 300 IN A 156.154.103.27 ns5.fbi.gov. 300 IN A 156.154.104.27 ns6.fbi.gov. 300 IN A 156.154.105.27 ;; Query time: 78 msec ;; SERVER: 156.154.100.27#53(156.154.100.27) ;; WHEN: Fri Nov 11 09:41:47 2011 ;; MSG SIZE rcvd: 245 $ dig @ns2.fbi.gov fbi.gov ; <<>> DiG 9.7.3 <<>> @ns2.fbi.gov fbi.gov ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60768 ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 6, ADDITIONAL: 6 ;; WARNING: recursion requested but not available ;; QUESTION SECTION: ;fbi.gov. IN A ;; ANSWER SECTION: fbi.gov. 300 IN A 209.251.178.99 ;; AUTHORITY SECTION: fbi.gov. 300 IN NS ns3.fbi.gov. fbi.gov. 300 IN NS ns1.fbi.gov. fbi.gov. 300 IN NS ns5.fbi.gov. fbi.gov. 300 IN NS ns2.fbi.gov. fbi.gov. 300 IN NS ns4.fbi.gov. fbi.gov. 300 IN NS ns6.fbi.gov. ;; ADDITIONAL SECTION: ns1.fbi.gov. 300 IN A 156.154.100.27 ns2.fbi.gov. 300 IN A 156.154.101.27 ns3.fbi.gov. 300 IN A 156.154.102.27 ns4.fbi.gov. 300 IN A 156.154.103.27 ns5.fbi.gov. 300 IN A 156.154.104.27 ns6.fbi.gov. 300 IN A 156.154.105.27 ;; Query time: 259 msec ;; SERVER: 156.154.101.27#53(156.154.101.27) ;; WHEN: Fri Nov 11 09:42:02 2011 ;; MSG SIZE rcvd: 245 $ dig @ns3.fbi.gov fbi.gov ; <<>> DiG 9.7.3 <<>> @ns3.fbi.gov fbi.gov ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12085 ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 6, ADDITIONAL: 6 ;; WARNING: recursion requested but not available ;; QUESTION SECTION: ;fbi.gov. IN A ;; ANSWER SECTION: fbi.gov. 300 IN A 209.251.178.99 ;; AUTHORITY SECTION: fbi.gov. 300 IN NS ns5.fbi.gov. fbi.gov. 300 IN NS ns6.fbi.gov. fbi.gov. 300 IN NS ns4.fbi.gov. fbi.gov. 300 IN NS ns2.fbi.gov. fbi.gov. 300 IN NS ns1.fbi.gov. fbi.gov. 300 IN NS ns3.fbi.gov. ;; ADDITIONAL SECTION: ns1.fbi.gov. 300 IN A 156.154.100.27 ns2.fbi.gov. 300 IN A 156.154.101.27 ns3.fbi.gov. 300 IN A 156.154.102.27 ns4.fbi.gov. 300 IN A 156.154.103.27 ns5.fbi.gov. 300 IN A 156.154.104.27 ns6.fbi.gov. 300 IN A 156.154.105.27 ;; Query time: 83 msec ;; SERVER: 156.154.102.27#53(156.154.102.27) ;; WHEN: Fri Nov 11 09:42:05 2011 ;; MSG SIZE rcvd: 245 $ dig @ns4.fbi.gov fbi.gov ; <<>> DiG 9.7.3 <<>> @ns4.fbi.gov fbi.gov ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60738 ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 6, ADDITIONAL: 6 ;; WARNING: recursion requested but not available ;; QUESTION SECTION: ;fbi.gov. IN A ;; ANSWER SECTION: fbi.gov. 300 IN A 209.251.178.99 ;; AUTHORITY SECTION: fbi.gov. 300 IN NS ns6.fbi.gov. fbi.gov. 300 IN NS ns4.fbi.gov. fbi.gov. 300 IN NS ns2.fbi.gov. fbi.gov. 300 IN NS ns3.fbi.gov. fbi.gov. 300 IN NS ns1.fbi.gov. fbi.gov. 300 IN NS ns5.fbi.gov. ;; ADDITIONAL SECTION: ns1.fbi.gov. 300 IN A 156.154.100.27 ns2.fbi.gov. 300 IN A 156.154.101.27 ns3.fbi.gov. 300 IN A 156.154.102.27 ns4.fbi.gov. 300 IN A 156.154.103.27 ns5.fbi.gov. 300 IN A 156.154.104.27 ns6.fbi.gov. 300 IN A 156.154.105.27 ;; Query time: 356 msec ;; SERVER: 156.154.103.27#53(156.154.103.27) ;; WHEN: Fri Nov 11 09:42:09 2011 ;; MSG SIZE rcvd: 245 $ dig @ns5.fbi.gov fbi.gov ; <<>> DiG 9.7.3 <<>> @ns5.fbi.gov fbi.gov ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11557 ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 6, ADDITIONAL: 6 ;; WARNING: recursion requested but not available ;; QUESTION SECTION: ;fbi.gov. IN A ;; ANSWER SECTION: fbi.gov. 300 IN A 209.251.178.99 ;; AUTHORITY SECTION: fbi.gov. 300 IN NS ns5.fbi.gov. fbi.gov. 300 IN NS ns4.fbi.gov. fbi.gov. 300 IN NS ns6.fbi.gov. fbi.gov. 300 IN NS ns1.fbi.gov. fbi.gov. 300 IN NS ns3.fbi.gov. fbi.gov. 300 IN NS ns2.fbi.gov. ;; ADDITIONAL SECTION: ns1.fbi.gov. 300 IN A 156.154.100.27 ns2.fbi.gov. 300 IN A 156.154.101.27 ns3.fbi.gov. 300 IN A 156.154.102.27 ns4.fbi.gov. 300 IN A 156.154.103.27 ns5.fbi.gov. 300 IN A 156.154.104.27 ns6.fbi.gov. 300 IN A 156.154.105.27 ;; Query time: 812 msec ;; SERVER: 156.154.104.27#53(156.154.104.27) ;; WHEN: Fri Nov 11 09:42:15 2011 ;; MSG SIZE rcvd: 245 $ dig @ns6.fbi.gov fbi.gov ; <<>> DiG 9.7.3 <<>> @ns6.fbi.gov fbi.gov ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41407 ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 6, ADDITIONAL: 6 ;; WARNING: recursion requested but not available ;; QUESTION SECTION: ;fbi.gov. IN A ;; ANSWER SECTION: fbi.gov. 300 IN A 209.251.178.99 ;; AUTHORITY SECTION: fbi.gov. 300 IN NS ns1.fbi.gov. fbi.gov. 300 IN NS ns3.fbi.gov. fbi.gov. 300 IN NS ns4.fbi.gov. fbi.gov. 300 IN NS ns6.fbi.gov. fbi.gov. 300 IN NS ns5.fbi.gov. fbi.gov. 300 IN NS ns2.fbi.gov. ;; ADDITIONAL SECTION: ns1.fbi.gov. 300 IN A 156.154.100.27 ns2.fbi.gov. 300 IN A 156.154.101.27 ns3.fbi.gov. 300 IN A 156.154.102.27 ns4.fbi.gov. 300 IN A 156.154.103.27 ns5.fbi.gov. 300 IN A 156.154.104.27 ns6.fbi.gov. 300 IN A 156.154.105.27 ;; Query time: 164 msec ;; SERVER: 156.154.105.27#53(156.154.105.27) ;; WHEN: Fri Nov 11 09:42:22 2011 ;; MSG SIZE rcvd: 245 |
©TriMoon™ 1 Posts |
| Reply Quote |
Nov 11th 2011 7 years ago |
|
In New York at about 9:20 am the Optimum Online cable network took a major hit. Many segments and main routers still appear to be down. At the same time there were massive delays near the Dallas Fort Worth alterNet backbone region and Sprint to Level III appeared to be severed for a short period as well. These all are no doubt related. Something went snap in BGPville it seems. Perhaps an alternate DNS server for FBI.gov which does not have the correct DNSSEC key was reached during this hiccup. Pure speculation, but possible.
|
Al of Your Data Center 80 Posts |
| Reply Quote |
Nov 11th 2011 7 years ago |
|
I think you're assuming. If nslookup is getting the answer from your local DNS server, then it seems that is non-autoritive.
$nslookup google.com Non-authoritative answer: Name: google.com Addresses: 173.194.64.147 173.194.64.99 173.194.64.103 173.194.64.104 173.194.64.105 173.194.64.106 nslookup sans.edu Non-authoritative answer: Name: sans.edu Address: 204.51.94.213 |
Greg 25 Posts |
| Reply Quote |
Nov 11th 2011 7 years ago |
|
Comcast blocking access to the FBI?
- http://schmeeve.com/2011/11/10/why-is-comcast-blocking-access-to-the-fbi/ Nov 10, 2011 "... 4 known Comcast DNS servers. Three fail... nslookup fbi.gov 75.75.75.75 Server: 75.75.75.75 Address: 75.75.75.75#53 ** server can't find fbi.gov: SERVFAIL ..." . |
Jack 160 Posts |
| Reply Quote |
Nov 12th 2011 7 years ago |
|
Name: www.fbi.gov.c.footprint.net
TTL: 230 (3 minutes) RR type: A Data: 206.33.61.87 209.84.4.105 Returned by: 192.221.106.49, 192.221.69.51, 192.221.76.51, 199.93.44.47, 205.128.69.51, 209.84.2.47, 8.12.213.51 Status: insecure I suspect it has something to do with the fact that they have their CDN with Level3, and thus a CNAME for www FBI nameservers that are signed under dot Gov, can't logically sign for a dot Net TLD. Since they are now running nameservers for that estonian botnet, according to the website, I expect they are on a learning curve. |
Jack 1 Posts |
| Reply Quote |
Nov 12th 2011 7 years ago |
|
The failure was definitely DNSSEC related. The RRSIGs expired, causing validating resolvers (including Comcast's) to fail validation:
http://dnsviz.net/d/fbi.gov/1320991200000000/dnssec/ |
Jack 1 Posts |
| Reply Quote |
Nov 14th 2011 7 years ago |
Sign Up for Free or Log In to start participating in the conversation!
