Interestingly enough, the company behind this mess decided to sign it:
bjorn@canardo:~$ dig dhhs.gov @158.74.30.99 +nsid|grep NSID
; NSID: 4c 65 69 64 6f 73 20 62 75 69 6c 64 20 57 2e 56 45 52 4e 41 20 32 30 32 33 ("Leidos build W.VERNA 2023")
Guessing this was done by "security professionals" from
https://www.leidos.com/
Bjørn
Mark Andrews <[email protected]> writes:
> The nameservers are not answering all in scope questions being sent to the
> servers. Something is blocking or not generating NXDOMAIN responses. This
> impacts on QNAME minimisation queries that usually elicit a NXDOMAIN
> response. This happens irrespective of DNSSEC records being requested so I
> doubt that it is a fragmentation issue.
>
> Both _.dhhs.gov and foobar.dhhs.gov time out but dhhs.gov itself
> doesn't.
>
> % dig _.dhhs.gov @158.74.30.103 +dnssec
> ;; communications error to 158.74.30.103#53: timed out
> ;; communications error to 158.74.30.103#53: timed out
> ;; communications error to 158.74.30.103#53: timed out
>
> ; <<>> DiG 9.19.11-dev <<>> _.dhhs.gov @158.74.30.103 +dnssec
> ;; global options: +cmd
> ;; no servers could be reached
>
> % dig dhhs.gov @158.74.30.103 +dnssec
>
> ; <<>> DiG 9.19.11-dev <<>> dhhs.gov @158.74.30.103 +dnssec
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18125
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ; COOKIE: d939ecfdb6cd2d902678cca26435eb2dd6fcebd65fe5c58f (good)
> ;; QUESTION SECTION:
> ;dhhs.gov. IN A
>
> ;; ANSWER SECTION:
> dhhs.gov. 9000 IN A 52.7.111.176
> dhhs.gov. 9000 IN RRSIG A 8 2 9000 20230416000149 20230410230149 11710
> dhhs.gov. YCEsecATdJEHs3OtxQs/kE2A/37/mzgUpGLzQwrPP9xqaGmBq2mDteKx
> QyUnh0JuURBq0Qy1htxsOD9kX4dxSxUNCEO7/KHw0AOoIbnh2+GL8kc3
> jKB2jkcN+whA9+CqThto020nLSCXcgdm7qOfyNBUFICoYNtVrd7/lLCJ kho=
> dhhs.gov. 9000 IN RRSIG A 8 2 9000 20230416000149 20230410230149 21469
> dhhs.gov. OkEdR/ofhV+JogwAkZtLmHyxn3pK2E4zaGUV786kKbtQrI6SzetCk+sC
> Db3W0LrYRZy1BEqqxZeRnLXVEjyyyKfnYMRPtoP3sCTLPuuDeu8oDmhw
> eniXLbJ10od6YWywgQDl2bYrTLEt6R8+TGG7up446TGgRk9wOV/uU2Jb d+U=
>
> ;; Query time: 308 msec
> ;; SERVER: 158.74.30.103#53(158.74.30.103) (UDP)
> ;; WHEN: Wed Apr 12 09:20:13 AEST 2023
> ;; MSG SIZE rcvd: 417
>
> % dig foobar.dhhs.gov @158.74.30.103 +dnssec
> ;; communications error to 158.74.30.103#53: timed out
> ;; communications error to 158.74.30.103#53: timed out
> ;; communications error to 158.74.30.103#53: timed out
>
> ; <<>> DiG 9.19.11-dev <<>> foobar.dhhs.gov @158.74.30.103 +dnssec
> ;; global options: +cmd
> ;; no servers could be reached
>
> % dig foobar.dhhs.gov @158.74.30.103
> ;; communications error to 158.74.30.103#53: timed out
> ;; communications error to 158.74.30.103#53: timed out
> ;; communications error to 158.74.30.103#53: timed out
>
> ; <<>> DiG 9.19.11-dev <<>> foobar.dhhs.gov @158.74.30.103
> ;; global options: +cmd
> ;; no servers could be reached
>
> %
>
>> On 12 Apr 2023, at 01:12, Samuel Jackson <[email protected]> wrote:
>>
>> I wanted to run this by everyone to make sure I am not the one losing my
>> mind over this.
>>
>> A dig +trace cob.cms.hhs.gov fails for me as it looks like the NS for
>> hhs.gov does not seem to resolve the hostname.
>>
>> However dig +trace cms.hhs.gov resolves and so does dig +trace
>> eclkc.ohs.acf.hhs.gov
>>
>> However if I simply ask my local resolver to resolve cob.cms.hhs.gov, it
>> works. Any thoughts on why this is the case?
>>
>> Thanks,
>>
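The probe Mark ran by hand (apex answers, `_.zone` and a random child time out) is easy to script so it can be repeated against every listed nameserver. Below is an added example, not code from the thread or from any of the operators mentioned: a standard-library-only Python probe that builds the queries on the wire (RD clear, EDNS0 with DO, as an iterative resolver would send them), parses the reply header, and reports the verdict a QNAME-minimising resolver would effectively reach. The server argument is assumed to be an IPv4 literal, the 3-second timeout and the `"_"`/random-label question set are my choices, and the sample `results` dictionaries in the usage note are constructed to mirror the thread's output, not captured from 158.74.30.103.

```python
"""Probe an authoritative server the way a QNAME-minimising resolver would.

Added example for the thread above; not part of the original post.
Sends three A queries (zone apex, "_.<zone>", "<random>.<zone>") and classifies
the outcome: an apex that answers while the child names time out means the
server is dropping in-scope NXDOMAIN/NODATA responses, which stalls resolvers
that ask the shortened names first.
"""
import os
import random
import socket
import struct
import sys

QTYPE_A = 1
QCLASS_IN = 1
OPT_TYPE = 41
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name):
    """Wire-encode an owner name as length-prefixed labels ending in the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=QTYPE_A, txid=None, dnssec_ok=True):
    """Build a non-recursive query carrying an OPT RR (4096-byte UDP size, DO bit).

    RD is deliberately clear: we are talking to an authority, so dig's
    'recursion requested but not available' warning does not arise here.
    """
    if txid is None:
        txid = random.randrange(0x10000)
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 1)  # QDCOUNT=1, ARCOUNT=1 (the OPT RR)
    question = encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)
    # OPT RR: root owner, TYPE 41, CLASS = UDP payload size, TTL = ext-rcode/version/flags, RDLEN 0.
    ttl_field = 0x8000 if dnssec_ok else 0  # DO is the top bit of the 16-bit flags half
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, ttl_field, 0)
    return header + question + opt


def parse_response(data, expected_id):
    """Return the header facts that matter for this probe; raise on a bogus packet."""
    if len(data) < 12:
        raise ValueError("truncated header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_id:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    rcode = flags & 0x000F
    return {
        "rcode": RCODE_NAMES.get(rcode, str(rcode)),
        "aa": bool(flags & 0x0400),
        "tc": bool(flags & 0x0200),  # if set, a real resolver would retry over TCP
        "answers": an,
        "authority": ns,
    }


def probe(server, name, timeout=3.0):
    """Send one query over UDP to server:53; None means no reply within the timeout."""
    txid = random.randrange(0x10000)
    query = build_query(name, txid=txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_response(data, txid)


def probe_names(zone):
    """The three questions from the thread: apex, the '_' child, and a random child."""
    zone = zone.rstrip(".")
    return [zone, "_." + zone, os.urandom(6).hex() + "." + zone]


def classify(results, zone):
    """Map {name: parsed-or-None} to a verdict string.

    'drops-nxdomain' is the pattern in the thread: the apex replies but names
    that should yield NXDOMAIN (or an empty NOERROR) get no reply at all.
    """
    zone = zone.rstrip(".")
    apex = results.get(zone)
    children = [v for k, v in results.items() if k != zone]
    if apex is None:
        return "unreachable"
    if any(v is None for v in children):
        return "drops-nxdomain"
    return "ok"


if __name__ == "__main__":
    # usage: python probe.py <nameserver-ipv4> <zone>
    srv, zone = sys.argv[1], sys.argv[2]
    res = {n: probe(srv, n) for n in probe_names(zone)}
    for n, r in res.items():
        state = "TIMEOUT" if r is None else "%s aa=%s an=%d" % (r["rcode"], r["aa"], r["answers"])
        print("%-40s %s" % (n, state))
    print("verdict:", classify(res, zone))
```

Run it once per address in the zone's NS set; a healthy authority returns `ok`, with the two child names answered NXDOMAIN and `aa` set. A `drops-nxdomain` verdict does not by itself say whether the nameserver software or a firewall in front of it is eating the replies, and a reply with `tc` set should be re-asked over TCP before drawing conclusions about sizes.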