Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: What's up with fbi.gov DNS? SANS ISC InfoSec Forums

Special Webcast: What you need to know about the crypt32.dll vulnerability. Register Now

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
What's up with fbi.gov DNS?

We received a report from a reader that fbi.gov, is not resolving. Sure enough, when I do a nslookup or dig, I do not receive an answer from the authoritative server.

$ nslookup fbi.gov

Non-authoritative answer:
Name:    fbi.gov
Address: 209.251.178.99

Digging a little deeper it appears it may be a problem with a DNSSEC key. If you follow the DNS server chain, it appears to be ok.

 

-- Rick Wanner - rwanner at isc dot sans dot org - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)

 Rick

294 Posts
ISC Handler
Subscribe Nov 11th 2011
8 years ago
LOL, who said those guys were smart enough to operate computer systems anyway :D
 ©TriMoon™

6 Posts
Quote Nov 11th 2011
8 years ago
I don't see any problem:

$ dig fbi.gov ns

; <<>> DiG 9.7.3 <<>> fbi.gov ns
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53091
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;fbi.gov. IN NS

;; ANSWER SECTION:
fbi.gov. 300 IN NS ns1.fbi.gov.
fbi.gov. 300 IN NS ns5.fbi.gov.
fbi.gov. 300 IN NS ns3.fbi.gov.
fbi.gov. 300 IN NS ns2.fbi.gov.
fbi.gov. 300 IN NS ns6.fbi.gov.
fbi.gov. 300 IN NS ns4.fbi.gov.

;; Query time: 55 msec
;; SERVER: 10.2.5.1#53(10.2.5.1)
;; WHEN: Fri Nov 11 09:41:32 2011
;; MSG SIZE rcvd: 133

$ dig @ns1.fbi.gov fbi.gov

; <<>> DiG 9.7.3 <<>> @ns1.fbi.gov fbi.gov
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57359
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 6, ADDITIONAL: 6
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;fbi.gov. IN A

;; ANSWER SECTION:
fbi.gov. 300 IN A 209.251.178.99

;; AUTHORITY SECTION:
fbi.gov. 300 IN NS ns1.fbi.gov.
fbi.gov. 300 IN NS ns3.fbi.gov.
fbi.gov. 300 IN NS ns6.fbi.gov.
fbi.gov. 300 IN NS ns4.fbi.gov.
fbi.gov. 300 IN NS ns2.fbi.gov.
fbi.gov. 300 IN NS ns5.fbi.gov.

;; ADDITIONAL SECTION:
ns1.fbi.gov. 300 IN A 156.154.100.27
ns2.fbi.gov. 300 IN A 156.154.101.27
ns3.fbi.gov. 300 IN A 156.154.102.27
ns4.fbi.gov. 300 IN A 156.154.103.27
ns5.fbi.gov. 300 IN A 156.154.104.27
ns6.fbi.gov. 300 IN A 156.154.105.27

;; Query time: 78 msec
;; SERVER: 156.154.100.27#53(156.154.100.27)
;; WHEN: Fri Nov 11 09:41:47 2011
;; MSG SIZE rcvd: 245

$ dig @ns2.fbi.gov fbi.gov

; <<>> DiG 9.7.3 <<>> @ns2.fbi.gov fbi.gov
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60768
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 6, ADDITIONAL: 6
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;fbi.gov. IN A

;; ANSWER SECTION:
fbi.gov. 300 IN A 209.251.178.99

;; AUTHORITY SECTION:
fbi.gov. 300 IN NS ns3.fbi.gov.
fbi.gov. 300 IN NS ns1.fbi.gov.
fbi.gov. 300 IN NS ns5.fbi.gov.
fbi.gov. 300 IN NS ns2.fbi.gov.
fbi.gov. 300 IN NS ns4.fbi.gov.
fbi.gov. 300 IN NS ns6.fbi.gov.

;; ADDITIONAL SECTION:
ns1.fbi.gov. 300 IN A 156.154.100.27
ns2.fbi.gov. 300 IN A 156.154.101.27
ns3.fbi.gov. 300 IN A 156.154.102.27
ns4.fbi.gov. 300 IN A 156.154.103.27
ns5.fbi.gov. 300 IN A 156.154.104.27
ns6.fbi.gov. 300 IN A 156.154.105.27

;; Query time: 259 msec
;; SERVER: 156.154.101.27#53(156.154.101.27)
;; WHEN: Fri Nov 11 09:42:02 2011
;; MSG SIZE rcvd: 245

$ dig @ns3.fbi.gov fbi.gov

; <<>> DiG 9.7.3 <<>> @ns3.fbi.gov fbi.gov
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12085
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 6, ADDITIONAL: 6
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;fbi.gov. IN A

;; ANSWER SECTION:
fbi.gov. 300 IN A 209.251.178.99

;; AUTHORITY SECTION:
fbi.gov. 300 IN NS ns5.fbi.gov.
fbi.gov. 300 IN NS ns6.fbi.gov.
fbi.gov. 300 IN NS ns4.fbi.gov.
fbi.gov. 300 IN NS ns2.fbi.gov.
fbi.gov. 300 IN NS ns1.fbi.gov.
fbi.gov. 300 IN NS ns3.fbi.gov.

;; ADDITIONAL SECTION:
ns1.fbi.gov. 300 IN A 156.154.100.27
ns2.fbi.gov. 300 IN A 156.154.101.27
ns3.fbi.gov. 300 IN A 156.154.102.27
ns4.fbi.gov. 300 IN A 156.154.103.27
ns5.fbi.gov. 300 IN A 156.154.104.27
ns6.fbi.gov. 300 IN A 156.154.105.27

;; Query time: 83 msec
;; SERVER: 156.154.102.27#53(156.154.102.27)
;; WHEN: Fri Nov 11 09:42:05 2011
;; MSG SIZE rcvd: 245

$ dig @ns4.fbi.gov fbi.gov

; <<>> DiG 9.7.3 <<>> @ns4.fbi.gov fbi.gov
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60738
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 6, ADDITIONAL: 6
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;fbi.gov. IN A

;; ANSWER SECTION:
fbi.gov. 300 IN A 209.251.178.99

;; AUTHORITY SECTION:
fbi.gov. 300 IN NS ns6.fbi.gov.
fbi.gov. 300 IN NS ns4.fbi.gov.
fbi.gov. 300 IN NS ns2.fbi.gov.
fbi.gov. 300 IN NS ns3.fbi.gov.
fbi.gov. 300 IN NS ns1.fbi.gov.
fbi.gov. 300 IN NS ns5.fbi.gov.

;; ADDITIONAL SECTION:
ns1.fbi.gov. 300 IN A 156.154.100.27
ns2.fbi.gov. 300 IN A 156.154.101.27
ns3.fbi.gov. 300 IN A 156.154.102.27
ns4.fbi.gov. 300 IN A 156.154.103.27
ns5.fbi.gov. 300 IN A 156.154.104.27
ns6.fbi.gov. 300 IN A 156.154.105.27

;; Query time: 356 msec
;; SERVER: 156.154.103.27#53(156.154.103.27)
;; WHEN: Fri Nov 11 09:42:09 2011
;; MSG SIZE rcvd: 245

$ dig @ns5.fbi.gov fbi.gov

; <<>> DiG 9.7.3 <<>> @ns5.fbi.gov fbi.gov
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11557
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 6, ADDITIONAL: 6
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;fbi.gov. IN A

;; ANSWER SECTION:
fbi.gov. 300 IN A 209.251.178.99

;; AUTHORITY SECTION:
fbi.gov. 300 IN NS ns5.fbi.gov.
fbi.gov. 300 IN NS ns4.fbi.gov.
fbi.gov. 300 IN NS ns6.fbi.gov.
fbi.gov. 300 IN NS ns1.fbi.gov.
fbi.gov. 300 IN NS ns3.fbi.gov.
fbi.gov. 300 IN NS ns2.fbi.gov.

;; ADDITIONAL SECTION:
ns1.fbi.gov. 300 IN A 156.154.100.27
ns2.fbi.gov. 300 IN A 156.154.101.27
ns3.fbi.gov. 300 IN A 156.154.102.27
ns4.fbi.gov. 300 IN A 156.154.103.27
ns5.fbi.gov. 300 IN A 156.154.104.27
ns6.fbi.gov. 300 IN A 156.154.105.27

;; Query time: 812 msec
;; SERVER: 156.154.104.27#53(156.154.104.27)
;; WHEN: Fri Nov 11 09:42:15 2011
;; MSG SIZE rcvd: 245

$ dig @ns6.fbi.gov fbi.gov

; <<>> DiG 9.7.3 <<>> @ns6.fbi.gov fbi.gov
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41407
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 6, ADDITIONAL: 6
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;fbi.gov. IN A

;; ANSWER SECTION:
fbi.gov. 300 IN A 209.251.178.99

;; AUTHORITY SECTION:
fbi.gov. 300 IN NS ns1.fbi.gov.
fbi.gov. 300 IN NS ns3.fbi.gov.
fbi.gov. 300 IN NS ns4.fbi.gov.
fbi.gov. 300 IN NS ns6.fbi.gov.
fbi.gov. 300 IN NS ns5.fbi.gov.
fbi.gov. 300 IN NS ns2.fbi.gov.

;; ADDITIONAL SECTION:
ns1.fbi.gov. 300 IN A 156.154.100.27
ns2.fbi.gov. 300 IN A 156.154.101.27
ns3.fbi.gov. 300 IN A 156.154.102.27
ns4.fbi.gov. 300 IN A 156.154.103.27
ns5.fbi.gov. 300 IN A 156.154.104.27
ns6.fbi.gov. 300 IN A 156.154.105.27

;; Query time: 164 msec
;; SERVER: 156.154.105.27#53(156.154.105.27)
;; WHEN: Fri Nov 11 09:42:22 2011
;; MSG SIZE rcvd: 245

 &copy;TriMoon™
1 Posts
Quote Nov 11th 2011
8 years ago
In New York at about 9:20 am the Optimum Online cable network took a major hit. Many segments and main routers still appear to be down. At the same time there were massive delays near the Dallas Fort Worth alterNet backbone region and Sprint to Level III appeared to be severed for a short period as well. These all are no doubt related. Something went snap in BGPville it seems. Perhaps an alternate DNS server for FBI.gov which does not have the correct DNSSEC key was reached during this hiccup. Pure speculation, but possible.
 Al of Your Data Center

80 Posts
Quote Nov 11th 2011
8 years ago
I think you're assuming. If nslookup is getting the answer from your local DNS server, then it seems that is non-autoritive.

$nslookup google.com
Non-authoritative answer:
Name: google.com
Addresses: 173.194.64.147
173.194.64.99
173.194.64.103
173.194.64.104
173.194.64.105
173.194.64.106

nslookup sans.edu
Non-authoritative answer:
Name: sans.edu
Address: 204.51.94.213
 Greg

25 Posts
Quote Nov 11th 2011
8 years ago
Comcast blocking access to the FBI?
- http://schmeeve.com/2011/11/10/why-is-comcast-blocking-access-to-the-fbi/
Nov 10, 2011
"... 4 known Comcast DNS servers. Three fail...
nslookup fbi.gov 75.75.75.75
Server: 75.75.75.75
Address: 75.75.75.75#53
** server can't find fbi.gov: SERVFAIL ..."
.
 Jack

160 Posts
Quote Nov 12th 2011
8 years ago
Name: www.fbi.gov.c.footprint.net
TTL: 230 (3 minutes)
RR type: A
Data: 206.33.61.87
209.84.4.105
Returned by: 192.221.106.49, 192.221.69.51, 192.221.76.51, 199.93.44.47, 205.128.69.51, 209.84.2.47, 8.12.213.51
Status: insecure

I suspect it has something to do with the fact that they have their CDN with Level3, and thus a CNAME for www

FBI nameservers that are signed under dot Gov, can't logically sign for a dot Net TLD. Since they are now running nameservers for that estonian botnet, according to the website, I expect they are on a learning curve.
 Jack
1 Posts
Quote Nov 12th 2011
8 years ago
The failure was definitely DNSSEC related. The RRSIGs expired, causing validating resolvers (including Comcast's) to fail validation:

http://dnsviz.net/d/fbi.gov/1320991200000000/dnssec/
 Jack
1 Posts
Quote Nov 14th 2011
8 years ago

Sign Up for Free or Log In to start participating in the conversation!