Re: DNS resolution for hhs.gov

[Bjørn Mork <bjorn () mork no>]

Interestingly enough, the company behind this mess decided to sign it:

 bjorn@canardo:~$ dig dhhs.gov @158.74.30.99 +nsid|grep NSID
 ; NSID: 4c 65 69 64 6f 73 20 62 75 69 6c 64 20 57 2e 56 45 52 4e 41 20 32 30 32 33 ("Leidos build W.VERNA 2023")


Guessing this was done by "security professionals" from
https://www.leidos.com/




Bjørn

Mark Andrews <marka () isc org> writes:

> The nameservers are not answering all in scope questions being sent to the servers.  Something is blocking or not 
> generating NXDOMAIN responses.  This impacts on QNAME minimisation queries that usually elicit a NXDOMAIN response.  
> This happens irrespective of DNSSEC records being requested so I doubt that it is a fragmentation issue.
>
> Both _.dhhs.gov <http://dhhs.gov/> and foobar.dhhs.gov <http://foobar.dhhs.gov/> time out but dhhs.gov 
> <http://dhhs.gov/> itself doesn’t.
>
> % dig _.dhhs.gov @158.74.30.103 +dnssec
> ;; communications error to 158.74.30.103#53: timed out
> ;; communications error to 158.74.30.103#53: timed out
> ;; communications error to 158.74.30.103#53: timed out
>
> ; <<>> DiG 9.19.11-dev <<>> _.dhhs.gov @158.74.30.103 +dnssec
> ;; global options: +cmd
> ;; no servers could be reached
>
> % dig dhhs.gov @158.74.30.103 +dnssec
>
> ; <<>> DiG 9.19.11-dev <<>> dhhs.gov @158.74.30.103 +dnssec
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18125
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ; COOKIE: d939ecfdb6cd2d902678cca26435eb2dd6fcebd65fe5c58f (good)
> ;; QUESTION SECTION:
> ;dhhs.gov. IN A
>
> ;; ANSWER SECTION:
> dhhs.gov. 9000 IN A 52.7.111.176
> dhhs.gov. 9000 IN RRSIG A 8 2 9000 20230416000149 20230410230149 11710 dhhs.gov. 
> YCEsecATdJEHs3OtxQs/kE2A/37/mzgUpGLzQwrPP9xqaGmBq2mDteKx QyUnh0JuURBq0Qy1htxsOD9kX4dxSxUNCEO7/KHw0AOoIbnh2+GL8kc3 
> jKB2jkcN+whA9+CqThto020nLSCXcgdm7qOfyNBUFICoYNtVrd7/lLCJ kho=
> dhhs.gov. 9000 IN RRSIG A 8 2 9000 20230416000149 20230410230149 21469 dhhs.gov. 
> OkEdR/ofhV+JogwAkZtLmHyxn3pK2E4zaGUV786kKbtQrI6SzetCk+sC Db3W0LrYRZy1BEqqxZeRnLXVEjyyyKfnYMRPtoP3sCTLPuuDeu8oDmhw 
> eniXLbJ10od6YWywgQDl2bYrTLEt6R8+TGG7up446TGgRk9wOV/uU2Jb d+U=
>
> ;; Query time: 308 msec
> ;; SERVER: 158.74.30.103#53(158.74.30.103) (UDP)
> ;; WHEN: Wed Apr 12 09:20:13 AEST 2023
> ;; MSG SIZE  rcvd: 417
>
> % dig foobar.dhhs.gov @158.74.30.103 +dnssec
> ;; communications error to 158.74.30.103#53: timed out
> ;; communications error to 158.74.30.103#53: timed out
> ;; communications error to 158.74.30.103#53: timed out
>
> ; <<>> DiG 9.19.11-dev <<>> foobar.dhhs.gov @158.74.30.103 +dnssec
> ;; global options: +cmd
> ;; no servers could be reached
>
> % dig foobar.dhhs.gov @158.74.30.103 
> ;; communications error to 158.74.30.103#53: timed out
> ;; communications error to 158.74.30.103#53: timed out
> ;; communications error to 158.74.30.103#53: timed out
>
> ; <<>> DiG 9.19.11-dev <<>> foobar.dhhs.gov @158.74.30.103
> ;; global options: +cmd
> ;; no servers could be reached
>
> % 
>
> > On 12 Apr 2023, at 01:12, Samuel Jackson <bobin.public () gmail com> wrote:
> >
> > I wanted to run this by everyone to make sure I am not the one losing my mind over this.
> >
> > A dig +trace cob.cms.hhs.gov fails for me as it looks like the NS for hhs.gov does not seem to resolve the hostname.
> >
> > However dig +trace cms.hhs.gov resolves and so does dig +trace eclkc.ohs.acf.hhs.gov
> >
> > However if I simply ask my local resolver to resolve cob.cms.hhs.gov, it works. Any thoughts on why this is the case?
> >
> > Thanks,