What's up with fbi.gov DNS?

Published: 2011-11-11. Last Updated: 2011-11-11 16:49:30 UTC
by Rick Wanner (Version: 2)
7 comment(s)

We received a report from a reader that fbi.gov, is not resolving. Sure enough, when I do a nslookup or dig, I do not receive an answer from the authoritative server.

$ nslookup fbi.gov

Non-authoritative answer:
Name:    fbi.gov
Address: 209.251.178.99

Digging a little deeper it appears it may be a problem with a DNSSEC key. If you follow the DNS server chain, it appears to be ok.

 Update: We have some indication this is wider than fbi.gov.  It appears there was a  major Internet outage in the New York area.  Most likely fbi.gov switched over to an alternate DNS that didn't have its DNSSec configured correctly.  There is no indication that this is due to any kind of attack.

-- Rick Wanner - rwanner at isc dot sans dot org - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)

Keywords: dns fbigov
7 comment(s)

Comments

LOL, who said those guys were smart enough to operate computer systems anyway :D
I don't see any problem:

$ dig fbi.gov ns

; <<>> DiG 9.7.3 <<>> fbi.gov ns
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53091
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;fbi.gov. IN NS

;; ANSWER SECTION:
fbi.gov. 300 IN NS ns1.fbi.gov.
fbi.gov. 300 IN NS ns5.fbi.gov.
fbi.gov. 300 IN NS ns3.fbi.gov.
fbi.gov. 300 IN NS ns2.fbi.gov.
fbi.gov. 300 IN NS ns6.fbi.gov.
fbi.gov. 300 IN NS ns4.fbi.gov.

;; Query time: 55 msec
;; SERVER: 10.2.5.1#53(10.2.5.1)
;; WHEN: Fri Nov 11 09:41:32 2011
;; MSG SIZE rcvd: 133

$ dig @ns1.fbi.gov fbi.gov

; <<>> DiG 9.7.3 <<>> @ns1.fbi.gov fbi.gov
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57359
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 6, ADDITIONAL: 6
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;fbi.gov. IN A

;; ANSWER SECTION:
fbi.gov. 300 IN A 209.251.178.99

;; AUTHORITY SECTION:
fbi.gov. 300 IN NS ns1.fbi.gov.
fbi.gov. 300 IN NS ns3.fbi.gov.
fbi.gov. 300 IN NS ns6.fbi.gov.
fbi.gov. 300 IN NS ns4.fbi.gov.
fbi.gov. 300 IN NS ns2.fbi.gov.
fbi.gov. 300 IN NS ns5.fbi.gov.

;; ADDITIONAL SECTION:
ns1.fbi.gov. 300 IN A 156.154.100.27
ns2.fbi.gov. 300 IN A 156.154.101.27
ns3.fbi.gov. 300 IN A 156.154.102.27
ns4.fbi.gov. 300 IN A 156.154.103.27
ns5.fbi.gov. 300 IN A 156.154.104.27
ns6.fbi.gov. 300 IN A 156.154.105.27

;; Query time: 78 msec
;; SERVER: 156.154.100.27#53(156.154.100.27)
;; WHEN: Fri Nov 11 09:41:47 2011
;; MSG SIZE rcvd: 245

$ dig @ns2.fbi.gov fbi.gov

; <<>> DiG 9.7.3 <<>> @ns2.fbi.gov fbi.gov
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60768
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 6, ADDITIONAL: 6
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;fbi.gov. IN A

;; ANSWER SECTION:
fbi.gov. 300 IN A 209.251.178.99

;; AUTHORITY SECTION:
fbi.gov. 300 IN NS ns3.fbi.gov.
fbi.gov. 300 IN NS ns1.fbi.gov.
fbi.gov. 300 IN NS ns5.fbi.gov.
fbi.gov. 300 IN NS ns2.fbi.gov.
fbi.gov. 300 IN NS ns4.fbi.gov.
fbi.gov. 300 IN NS ns6.fbi.gov.

;; ADDITIONAL SECTION:
ns1.fbi.gov. 300 IN A 156.154.100.27
ns2.fbi.gov. 300 IN A 156.154.101.27
ns3.fbi.gov. 300 IN A 156.154.102.27
ns4.fbi.gov. 300 IN A 156.154.103.27
ns5.fbi.gov. 300 IN A 156.154.104.27
ns6.fbi.gov. 300 IN A 156.154.105.27

;; Query time: 259 msec
;; SERVER: 156.154.101.27#53(156.154.101.27)
;; WHEN: Fri Nov 11 09:42:02 2011
;; MSG SIZE rcvd: 245

$ dig @ns3.fbi.gov fbi.gov

; <<>> DiG 9.7.3 <<>> @ns3.fbi.gov fbi.gov
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12085
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 6, ADDITIONAL: 6
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;fbi.gov. IN A

;; ANSWER SECTION:
fbi.gov. 300 IN A 209.251.178.99

;; AUTHORITY SECTION:
fbi.gov. 300 IN NS ns5.fbi.gov.
fbi.gov. 300 IN NS ns6.fbi.gov.
fbi.gov. 300 IN NS ns4.fbi.gov.
fbi.gov. 300 IN NS ns2.fbi.gov.
fbi.gov. 300 IN NS ns1.fbi.gov.
fbi.gov. 300 IN NS ns3.fbi.gov.

;; ADDITIONAL SECTION:
ns1.fbi.gov. 300 IN A 156.154.100.27
ns2.fbi.gov. 300 IN A 156.154.101.27
ns3.fbi.gov. 300 IN A 156.154.102.27
ns4.fbi.gov. 300 IN A 156.154.103.27
ns5.fbi.gov. 300 IN A 156.154.104.27
ns6.fbi.gov. 300 IN A 156.154.105.27

;; Query time: 83 msec
;; SERVER: 156.154.102.27#53(156.154.102.27)
;; WHEN: Fri Nov 11 09:42:05 2011
;; MSG SIZE rcvd: 245

$ dig @ns4.fbi.gov fbi.gov

; <<>> DiG 9.7.3 <<>> @ns4.fbi.gov fbi.gov
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60738
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 6, ADDITIONAL: 6
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;fbi.gov. IN A

;; ANSWER SECTION:
fbi.gov. 300 IN A 209.251.178.99

;; AUTHORITY SECTION:
fbi.gov. 300 IN NS ns6.fbi.gov.
fbi.gov. 300 IN NS ns4.fbi.gov.
fbi.gov. 300 IN NS ns2.fbi.gov.
fbi.gov. 300 IN NS ns3.fbi.gov.
fbi.gov. 300 IN NS ns1.fbi.gov.
fbi.gov. 300 IN NS ns5.fbi.gov.

;; ADDITIONAL SECTION:
ns1.fbi.gov. 300 IN A 156.154.100.27
ns2.fbi.gov. 300 IN A 156.154.101.27
ns3.fbi.gov. 300 IN A 156.154.102.27
ns4.fbi.gov. 300 IN A 156.154.103.27
ns5.fbi.gov. 300 IN A 156.154.104.27
ns6.fbi.gov. 300 IN A 156.154.105.27

;; Query time: 356 msec
;; SERVER: 156.154.103.27#53(156.154.103.27)
;; WHEN: Fri Nov 11 09:42:09 2011
;; MSG SIZE rcvd: 245

$ dig @ns5.fbi.gov fbi.gov

; <<>> DiG 9.7.3 <<>> @ns5.fbi.gov fbi.gov
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11557
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 6, ADDITIONAL: 6
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;fbi.gov. IN A

;; ANSWER SECTION:
fbi.gov. 300 IN A 209.251.178.99

;; AUTHORITY SECTION:
fbi.gov. 300 IN NS ns5.fbi.gov.
fbi.gov. 300 IN NS ns4.fbi.gov.
fbi.gov. 300 IN NS ns6.fbi.gov.
fbi.gov. 300 IN NS ns1.fbi.gov.
fbi.gov. 300 IN NS ns3.fbi.gov.
fbi.gov. 300 IN NS ns2.fbi.gov.

;; ADDITIONAL SECTION:
ns1.fbi.gov. 300 IN A 156.154.100.27
ns2.fbi.gov. 300 IN A 156.154.101.27
ns3.fbi.gov. 300 IN A 156.154.102.27
ns4.fbi.gov. 300 IN A 156.154.103.27
ns5.fbi.gov. 300 IN A 156.154.104.27
ns6.fbi.gov. 300 IN A 156.154.105.27

;; Query time: 812 msec
;; SERVER: 156.154.104.27#53(156.154.104.27)
;; WHEN: Fri Nov 11 09:42:15 2011
;; MSG SIZE rcvd: 245

$ dig @ns6.fbi.gov fbi.gov

; <<>> DiG 9.7.3 <<>> @ns6.fbi.gov fbi.gov
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41407
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 6, ADDITIONAL: 6
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;fbi.gov. IN A

;; ANSWER SECTION:
fbi.gov. 300 IN A 209.251.178.99

;; AUTHORITY SECTION:
fbi.gov. 300 IN NS ns1.fbi.gov.
fbi.gov. 300 IN NS ns3.fbi.gov.
fbi.gov. 300 IN NS ns4.fbi.gov.
fbi.gov. 300 IN NS ns6.fbi.gov.
fbi.gov. 300 IN NS ns5.fbi.gov.
fbi.gov. 300 IN NS ns2.fbi.gov.

;; ADDITIONAL SECTION:
ns1.fbi.gov. 300 IN A 156.154.100.27
ns2.fbi.gov. 300 IN A 156.154.101.27
ns3.fbi.gov. 300 IN A 156.154.102.27
ns4.fbi.gov. 300 IN A 156.154.103.27
ns5.fbi.gov. 300 IN A 156.154.104.27
ns6.fbi.gov. 300 IN A 156.154.105.27

;; Query time: 164 msec
;; SERVER: 156.154.105.27#53(156.154.105.27)
;; WHEN: Fri Nov 11 09:42:22 2011
;; MSG SIZE rcvd: 245

In New York at about 9:20 am the Optimum Online cable network took a major hit. Many segments and main routers still appear to be down. At the same time there were massive delays near the Dallas Fort Worth alterNet backbone region and Sprint to Level III appeared to be severed for a short period as well. These all are no doubt related. Something went snap in BGPville it seems. Perhaps an alternate DNS server for FBI.gov which does not have the correct DNSSEC key was reached during this hiccup. Pure speculation, but possible.
I think you're assuming. If nslookup is getting the answer from your local DNS server, then it seems that is non-autoritive.

$nslookup google.com
Non-authoritative answer:
Name: google.com
Addresses: 173.194.64.147
173.194.64.99
173.194.64.103
173.194.64.104
173.194.64.105
173.194.64.106

nslookup sans.edu
Non-authoritative answer:
Name: sans.edu
Address: 204.51.94.213
Comcast blocking access to the FBI?
- http://schmeeve.com/2011/11/10/why-is-comcast-blocking-access-to-the-fbi/
Nov 10, 2011
"... 4 known Comcast DNS servers. Three fail...
nslookup fbi.gov 75.75.75.75
Server: 75.75.75.75
Address: 75.75.75.75#53
** server can't find fbi.gov: SERVFAIL ..."
.
Name: www.fbi.gov.c.footprint.net
TTL: 230 (3 minutes)
RR type: A
Data: 206.33.61.87
209.84.4.105
Returned by: 192.221.106.49, 192.221.69.51, 192.221.76.51, 199.93.44.47, 205.128.69.51, 209.84.2.47, 8.12.213.51
Status: insecure

I suspect it has something to do with the fact that they have their CDN with Level3, and thus a CNAME for www

FBI nameservers that are signed under dot Gov, can't logically sign for a dot Net TLD. Since they are now running nameservers for that estonian botnet, according to the website, I expect they are on a learning curve.
The failure was definitely DNSSEC related. The RRSIGs expired, causing validating resolvers (including Comcast's) to fail validation:

http://dnsviz.net/d/fbi.gov/1320991200000000/dnssec/

Diary Archives