Interestingly enough, the company behind this mess decided to sign it:

bjorn@canardo:~$ dig dhhs.gov @158.74.30.99 +nsid|grep NSID
; NSID: 4c 65 69 64 6f 73 20 62 75 69 6c 64 20 57 2e 56 45 52 4e 41 20 32 30 32 33 ("Leidos build W.VERNA 2023")

Guessing this was done by "security professionals" from https://www.leidos.com/

Bjørn

Mark Andrews <marka@isc.org> writes:
The nameservers are not answering all in scope questions being sent to the servers. Something is blocking or not generating NXDOMAIN responses. This impacts on QNAME minimisation queries that usually elicit a NXDOMAIN response. This happens irrespective of DNSSEC records being requested so I doubt that it is a fragmentation issue.
Both _.dhhs.gov and foobar.dhhs.gov time out but dhhs.gov itself doesn’t.
% dig _.dhhs.gov @158.74.30.103 +dnssec
;; communications error to 158.74.30.103#53: timed out
;; communications error to 158.74.30.103#53: timed out
;; communications error to 158.74.30.103#53: timed out

; <<>> DiG 9.19.11-dev <<>> _.dhhs.gov @158.74.30.103 +dnssec
;; global options: +cmd
;; no servers could be reached

% dig dhhs.gov @158.74.30.103 +dnssec

; <<>> DiG 9.19.11-dev <<>> dhhs.gov @158.74.30.103 +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18125
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; COOKIE: d939ecfdb6cd2d902678cca26435eb2dd6fcebd65fe5c58f (good)
;; QUESTION SECTION:
;dhhs.gov.                     IN      A

;; ANSWER SECTION:
dhhs.gov.               9000    IN      A       52.7.111.176
dhhs.gov.               9000    IN      RRSIG   A 8 2 9000 20230416000149 20230410230149 11710 dhhs.gov. YCEsecATdJEHs3OtxQs/kE2A/37/mzgUpGLzQwrPP9xqaGmBq2mDteKx QyUnh0JuURBq0Qy1htxsOD9kX4dxSxUNCEO7/KHw0AOoIbnh2+GL8kc3 jKB2jkcN+whA9+CqThto020nLSCXcgdm7qOfyNBUFICoYNtVrd7/lLCJ kho=
dhhs.gov.               9000    IN      RRSIG   A 8 2 9000 20230416000149 20230410230149 21469 dhhs.gov. OkEdR/ofhV+JogwAkZtLmHyxn3pK2E4zaGUV786kKbtQrI6SzetCk+sC Db3W0LrYRZy1BEqqxZeRnLXVEjyyyKfnYMRPtoP3sCTLPuuDeu8oDmhw eniXLbJ10od6YWywgQDl2bYrTLEt6R8+TGG7up446TGgRk9wOV/uU2Jb d+U=

;; Query time: 308 msec
;; SERVER: 158.74.30.103#53(158.74.30.103) (UDP)
;; WHEN: Wed Apr 12 09:20:13 AEST 2023
;; MSG SIZE  rcvd: 417

% dig foobar.dhhs.gov @158.74.30.103 +dnssec
;; communications error to 158.74.30.103#53: timed out
;; communications error to 158.74.30.103#53: timed out
;; communications error to 158.74.30.103#53: timed out

; <<>> DiG 9.19.11-dev <<>> foobar.dhhs.gov @158.74.30.103 +dnssec
;; global options: +cmd
;; no servers could be reached

% dig foobar.dhhs.gov @158.74.30.103
;; communications error to 158.74.30.103#53: timed out
;; communications error to 158.74.30.103#53: timed out
;; communications error to 158.74.30.103#53: timed out

; <<>> DiG 9.19.11-dev <<>> foobar.dhhs.gov @158.74.30.103
;; global options: +cmd
;; no servers could be reached

%
On 12 Apr 2023, at 01:12, Samuel Jackson <bobin.public@gmail.com> wrote:
I wanted to run this by everyone to make sure I am not the one losing my mind over this.
A dig +trace cob.cms.hhs.gov fails for me as it looks like the NS for hhs.gov does not seem to resolve the hostname.
However, dig +trace cms.hhs.gov resolves, and so does dig +trace eclkc.ohs.acf.hhs.gov.
However, if I simply ask my local resolver to resolve cob.cms.hhs.gov, it works. Any thoughts on why this is the case?
Thanks,