What's up with fbi.gov DNS?
We received a report from a reader that fbi.gov is not resolving. Sure enough, when I do an nslookup or dig, I do not receive an answer from the authoritative server.
$ nslookup fbi.gov
Non-authoritative answer:
Name: fbi.gov
Address: 209.251.178.99
Digging a little deeper, it appears it may be a problem with a DNSSEC key. If you follow the DNS server chain, it appears to be OK.
Update: We have some indication this is wider than fbi.gov. It appears there was a major Internet outage in the New York area. Most likely fbi.gov switched over to an alternate DNS that didn't have its DNSSEC configured correctly. There is no indication that this is due to any kind of attack.
-- Rick Wanner - rwanner at isc dot sans dot org - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)
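Added example, not part of the original diary: one way to tell a DNSSEC validation failure apart from a real outage is to ask the same validating resolver twice, once normally and once with checking disabled (dig's +cd), and compare the header status. The function names, result labels and sample headers below are constructed for illustration, and RESOLVER is a placeholder.

```shell
#!/bin/sh
# Added example: tell a DNSSEC validation failure apart from a real outage by
# comparing a validating resolver's answer with and without the CD bit.

# Print the RCODE ("status:") from dig output on stdin.
dig_status() {
    sed -n 's/.*->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Print the header flags (e.g. "qr rd ra ad") from dig output on stdin.
dig_flags() {
    sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1
}

# classify <dig output, normal query> <dig output, same query with +cd>
classify() {
    normal=$(printf '%s\n' "$1" | dig_status)
    unchecked=$(printf '%s\n' "$2" | dig_status)
    flags=$(printf '%s\n' "$1" | dig_flags)
    case "$normal/$unchecked" in
        NOERROR/*)
            # "ad" means the resolver validated the answer; without it the
            # answer was returned but not authenticated.
            case " $flags " in
                *" ad "*) echo "resolves-validated" ;;
                *)        echo "resolves-unvalidated" ;;
            esac ;;
        SERVFAIL/NOERROR)  echo "dnssec-validation-failure" ;;
        SERVFAIL/SERVFAIL) echo "failure-independent-of-validation" ;;
        *)                 echo "inconclusive" ;;
    esac
}

# Constructed sample headers (not captured output) for a validating resolver.
SAMPLE_FAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1111
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0'
SAMPLE_CD_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2222
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0'
SAMPLE_AD_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3333
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0'

classify "$SAMPLE_FAIL" "$SAMPLE_CD_OK"

# Live use (RESOLVER is a placeholder for a validating resolver you operate):
#   classify "$(dig @"$RESOLVER" fbi.gov A)" "$(dig @"$RESOLVER" fbi.gov A +cd)"
```

A SERVFAIL that turns into NOERROR with +cd matches the pattern in this incident: the authoritative servers hand out the record, but a validating resolver rejects it.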
Comments
©TriMoon™
Nov 11th 2011
1 decade ago
$ dig fbi.gov ns
; <<>> DiG 9.7.3 <<>> fbi.gov ns
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53091
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;fbi.gov. IN NS
;; ANSWER SECTION:
fbi.gov. 300 IN NS ns1.fbi.gov.
fbi.gov. 300 IN NS ns5.fbi.gov.
fbi.gov. 300 IN NS ns3.fbi.gov.
fbi.gov. 300 IN NS ns2.fbi.gov.
fbi.gov. 300 IN NS ns6.fbi.gov.
fbi.gov. 300 IN NS ns4.fbi.gov.
;; Query time: 55 msec
;; SERVER: 10.2.5.1#53(10.2.5.1)
;; WHEN: Fri Nov 11 09:41:32 2011
;; MSG SIZE rcvd: 133
$ dig @ns1.fbi.gov fbi.gov
; <<>> DiG 9.7.3 <<>> @ns1.fbi.gov fbi.gov
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57359
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 6, ADDITIONAL: 6
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;fbi.gov. IN A
;; ANSWER SECTION:
fbi.gov. 300 IN A 209.251.178.99
;; AUTHORITY SECTION:
fbi.gov. 300 IN NS ns1.fbi.gov.
fbi.gov. 300 IN NS ns3.fbi.gov.
fbi.gov. 300 IN NS ns6.fbi.gov.
fbi.gov. 300 IN NS ns4.fbi.gov.
fbi.gov. 300 IN NS ns2.fbi.gov.
fbi.gov. 300 IN NS ns5.fbi.gov.
;; ADDITIONAL SECTION:
ns1.fbi.gov. 300 IN A 156.154.100.27
ns2.fbi.gov. 300 IN A 156.154.101.27
ns3.fbi.gov. 300 IN A 156.154.102.27
ns4.fbi.gov. 300 IN A 156.154.103.27
ns5.fbi.gov. 300 IN A 156.154.104.27
ns6.fbi.gov. 300 IN A 156.154.105.27
;; Query time: 78 msec
;; SERVER: 156.154.100.27#53(156.154.100.27)
;; WHEN: Fri Nov 11 09:41:47 2011
;; MSG SIZE rcvd: 245
$ dig @ns2.fbi.gov fbi.gov
; <<>> DiG 9.7.3 <<>> @ns2.fbi.gov fbi.gov
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60768
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 6, ADDITIONAL: 6
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;fbi.gov. IN A
;; ANSWER SECTION:
fbi.gov. 300 IN A 209.251.178.99
;; AUTHORITY SECTION:
fbi.gov. 300 IN NS ns3.fbi.gov.
fbi.gov. 300 IN NS ns1.fbi.gov.
fbi.gov. 300 IN NS ns5.fbi.gov.
fbi.gov. 300 IN NS ns2.fbi.gov.
fbi.gov. 300 IN NS ns4.fbi.gov.
fbi.gov. 300 IN NS ns6.fbi.gov.
;; ADDITIONAL SECTION:
ns1.fbi.gov. 300 IN A 156.154.100.27
ns2.fbi.gov. 300 IN A 156.154.101.27
ns3.fbi.gov. 300 IN A 156.154.102.27
ns4.fbi.gov. 300 IN A 156.154.103.27
ns5.fbi.gov. 300 IN A 156.154.104.27
ns6.fbi.gov. 300 IN A 156.154.105.27
;; Query time: 259 msec
;; SERVER: 156.154.101.27#53(156.154.101.27)
;; WHEN: Fri Nov 11 09:42:02 2011
;; MSG SIZE rcvd: 245
$ dig @ns3.fbi.gov fbi.gov
; <<>> DiG 9.7.3 <<>> @ns3.fbi.gov fbi.gov
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12085
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 6, ADDITIONAL: 6
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;fbi.gov. IN A
;; ANSWER SECTION:
fbi.gov. 300 IN A 209.251.178.99
;; AUTHORITY SECTION:
fbi.gov. 300 IN NS ns5.fbi.gov.
fbi.gov. 300 IN NS ns6.fbi.gov.
fbi.gov. 300 IN NS ns4.fbi.gov.
fbi.gov. 300 IN NS ns2.fbi.gov.
fbi.gov. 300 IN NS ns1.fbi.gov.
fbi.gov. 300 IN NS ns3.fbi.gov.
;; ADDITIONAL SECTION:
ns1.fbi.gov. 300 IN A 156.154.100.27
ns2.fbi.gov. 300 IN A 156.154.101.27
ns3.fbi.gov. 300 IN A 156.154.102.27
ns4.fbi.gov. 300 IN A 156.154.103.27
ns5.fbi.gov. 300 IN A 156.154.104.27
ns6.fbi.gov. 300 IN A 156.154.105.27
;; Query time: 83 msec
;; SERVER: 156.154.102.27#53(156.154.102.27)
;; WHEN: Fri Nov 11 09:42:05 2011
;; MSG SIZE rcvd: 245
$ dig @ns4.fbi.gov fbi.gov
; <<>> DiG 9.7.3 <<>> @ns4.fbi.gov fbi.gov
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60738
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 6, ADDITIONAL: 6
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;fbi.gov. IN A
;; ANSWER SECTION:
fbi.gov. 300 IN A 209.251.178.99
;; AUTHORITY SECTION:
fbi.gov. 300 IN NS ns6.fbi.gov.
fbi.gov. 300 IN NS ns4.fbi.gov.
fbi.gov. 300 IN NS ns2.fbi.gov.
fbi.gov. 300 IN NS ns3.fbi.gov.
fbi.gov. 300 IN NS ns1.fbi.gov.
fbi.gov. 300 IN NS ns5.fbi.gov.
;; ADDITIONAL SECTION:
ns1.fbi.gov. 300 IN A 156.154.100.27
ns2.fbi.gov. 300 IN A 156.154.101.27
ns3.fbi.gov. 300 IN A 156.154.102.27
ns4.fbi.gov. 300 IN A 156.154.103.27
ns5.fbi.gov. 300 IN A 156.154.104.27
ns6.fbi.gov. 300 IN A 156.154.105.27
;; Query time: 356 msec
;; SERVER: 156.154.103.27#53(156.154.103.27)
;; WHEN: Fri Nov 11 09:42:09 2011
;; MSG SIZE rcvd: 245
$ dig @ns5.fbi.gov fbi.gov
; <<>> DiG 9.7.3 <<>> @ns5.fbi.gov fbi.gov
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11557
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 6, ADDITIONAL: 6
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;fbi.gov. IN A
;; ANSWER SECTION:
fbi.gov. 300 IN A 209.251.178.99
;; AUTHORITY SECTION:
fbi.gov. 300 IN NS ns5.fbi.gov.
fbi.gov. 300 IN NS ns4.fbi.gov.
fbi.gov. 300 IN NS ns6.fbi.gov.
fbi.gov. 300 IN NS ns1.fbi.gov.
fbi.gov. 300 IN NS ns3.fbi.gov.
fbi.gov. 300 IN NS ns2.fbi.gov.
;; ADDITIONAL SECTION:
ns1.fbi.gov. 300 IN A 156.154.100.27
ns2.fbi.gov. 300 IN A 156.154.101.27
ns3.fbi.gov. 300 IN A 156.154.102.27
ns4.fbi.gov. 300 IN A 156.154.103.27
ns5.fbi.gov. 300 IN A 156.154.104.27
ns6.fbi.gov. 300 IN A 156.154.105.27
;; Query time: 812 msec
;; SERVER: 156.154.104.27#53(156.154.104.27)
;; WHEN: Fri Nov 11 09:42:15 2011
;; MSG SIZE rcvd: 245
$ dig @ns6.fbi.gov fbi.gov
; <<>> DiG 9.7.3 <<>> @ns6.fbi.gov fbi.gov
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41407
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 6, ADDITIONAL: 6
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;fbi.gov. IN A
;; ANSWER SECTION:
fbi.gov. 300 IN A 209.251.178.99
;; AUTHORITY SECTION:
fbi.gov. 300 IN NS ns1.fbi.gov.
fbi.gov. 300 IN NS ns3.fbi.gov.
fbi.gov. 300 IN NS ns4.fbi.gov.
fbi.gov. 300 IN NS ns6.fbi.gov.
fbi.gov. 300 IN NS ns5.fbi.gov.
fbi.gov. 300 IN NS ns2.fbi.gov.
;; ADDITIONAL SECTION:
ns1.fbi.gov. 300 IN A 156.154.100.27
ns2.fbi.gov. 300 IN A 156.154.101.27
ns3.fbi.gov. 300 IN A 156.154.102.27
ns4.fbi.gov. 300 IN A 156.154.103.27
ns5.fbi.gov. 300 IN A 156.154.104.27
ns6.fbi.gov. 300 IN A 156.154.105.27
;; Query time: 164 msec
;; SERVER: 156.154.105.27#53(156.154.105.27)
;; WHEN: Fri Nov 11 09:42:22 2011
;; MSG SIZE rcvd: 245
hserna
Nov 11th 2011
1 decade ago
Al of Your Data Center
Nov 11th 2011
1 decade ago
$ nslookup google.com
Non-authoritative answer:
Name: google.com
Addresses: 173.194.64.147
173.194.64.99
173.194.64.103
173.194.64.104
173.194.64.105
173.194.64.106
nslookup sans.edu
Non-authoritative answer:
Name: sans.edu
Address: 204.51.94.213
Gregg
Nov 11th 2011
1 decade ago
- http://schmeeve.com/2011/11/10/why-is-comcast-blocking-access-to-the-fbi/
Nov 10, 2011
"... 4 known Comcast DNS servers. Three fail...
nslookup fbi.gov 75.75.75.75
Server: 75.75.75.75
Address: 75.75.75.75#53
** server can't find fbi.gov: SERVFAIL ..."
PC.Tech
Nov 12th 2011
1 decade ago
TTL: 230 (3 minutes)
RR type: A
Data: 206.33.61.87
209.84.4.105
Returned by: 192.221.106.49, 192.221.69.51, 192.221.76.51, 199.93.44.47, 205.128.69.51, 209.84.2.47, 8.12.213.51
Status: insecure
I suspect it has something to do with the fact that they have their CDN with Level3, and thus a CNAME for www.
FBI nameservers that are signed under dot Gov, can't logically sign for a dot Net TLD. Since they are now running nameservers for that Estonian botnet, according to the website, I expect they are on a learning curve.
dinig_phil
Nov 12th 2011
1 decade ago
http://dnsviz.net/d/fbi.gov/1320991200000000/dnssec/
casey
Nov 14th 2011
1 decade ago