sales.hpcl.co.in not resolving via 8.8.8.8


souvikg...@gmail.com

Apr 19, 2019, 9:24:59 AM
to public-dns-discuss
We have been facing the problem since 18/04/2019 22:00 hrs (GMT +5:30) in Kolkata, India.
The problem is observed on the Windows platform.
Website: "sales.hpcl.co.in"
We are facing the problem continuously.

The output of the command-line tests we ran is given below:

C:\>nslookup sales.hpcl.co.in  8.8.8.8
Address:  8.8.8.8

*** google-public-dns-a.google.com can't find sales.hpcl.co.in: Server failed



C:\>nslookup -debug sales.hpcl.co.in 8.8.8.8
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 1, rcode = NOERROR
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 1,  authority records = 0,  additional = 0

    QUESTIONS:
        8.8.8.8.in-addr.arpa, type = PTR, class = IN
    ANSWERS:
    ->  8.8.8.8.in-addr.arpa
        ttl = 15393 (4 hours 16 mins 33 secs)

------------
Address:  8.8.8.8

------------
Got answer:
    HEADER:
        opcode = QUERY, id = 2, rcode = SERVFAIL
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 0,  additional = 0

    QUESTIONS:
        sales.hpcl.co.in, type = A, class = IN

------------
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 3, rcode = SERVFAIL
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 0,  additional = 0

    QUESTIONS:
        sales.hpcl.co.in, type = AAAA, class = IN

------------
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 4, rcode = SERVFAIL
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 0,  additional = 0

    QUESTIONS:
        sales.hpcl.co.in, type = A, class = IN

------------
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 5, rcode = SERVFAIL
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 0,  additional = 0

    QUESTIONS:
        sales.hpcl.co.in, type = AAAA, class = IN

------------
*** google-public-dns-a.google.com can't find sales.hpcl.co.in: Server failed


C:\>nslookup sales.hpcl.co.in  4.2.2.1
Address:  4.2.2.1

Non-authoritative answer:
Name:    sales.hpcl.co.in
Addresses:  203.175.185.76
          203.175.185.77


C:\>nslookup sales.hpcl.co.in  4.2.2.2
Address:  4.2.2.2

Non-authoritative answer:
Name:    sales.hpcl.co.in
Addresses:  203.175.185.76
          203.175.185.77


C:\>nslookup sales.hpcl.co.in  208.67.222.222
Address:  208.67.222.222

Non-authoritative answer:
Name:    sales.hpcl.co.in
Addresses:  203.175.185.77
          203.175.185.76

Alex Dupuy

May 3, 2019, 9:56:04 AM
to public-dns-discuss
On Friday, April 19, 2019 at 9:24:59 AM UTC-4, Souvikguha wrote:
We have been facing the problem since 18/04/2019 22:00 hrs (GMT +5:30) in Kolkata, India.
The problem is observed on the Windows platform.
Website: "sales.hpcl.co.in"
We are facing the problem continuously.


The problem is that the DNSSEC configuration of the hpcl.co.in zone, with a 4096-bit RSA-SHA-1 KSK DNSKEY, exceeds the common 1450-1500 byte packet length and is being fragmented, and those fragments are being blocked.

If the domain owners want to increase the security of their DNS zone, they should switch to SHA-256 (DNSKEY algorithm 8) with 2048- or 3072-bit KSKs, which are smaller but more resistant to hash collision attacks.

As a workaround, we will switch all DNS lookups to the name servers for hpcl.co.in to TCP, which will allow us to successfully retrieve the DNSKEYs.

$ dig +nocmd +dnssec DNSKEY hpcl.co.in. @ns1.hpcl.co.in.
;; connection timed out; no servers could be reached

$ dig +tcp +nocmd +dnssec DNSKEY hpcl.co.in. @ns1.hpcl.co.in.
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18856
;; flags: qr aa rd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;hpcl.co.in. IN DNSKEY

;; ANSWER SECTION:
hpcl.co.in. 600 IN DNSKEY 257 3 7 AwEAAaE0KiQFWKnOFoApAyBz0AT/OLtzmR0vfo36ATH3JhSU6kdKURBG v9o4otVCE2jfjQbOlYhr6Rpdc4fk8WyWtjFmwW8Fr6CbEer7pj+sOJKs dq5HD3XeW8TG5GGEmqgdkxuqfyK0PuuyGTuPAVtdFlyvOFhUZWjjUgZF vb2c6keoaP81GFhFs4cWXqMc0mU18CAU8Dp9I8TXw6U1Kfr1huA/awqI 1KZKEWwCLVqeap/fR2jQAAnic8DECJ6OY1ORFtjhpMdCIxEfkqG8E8aj 6SWeoZ4zkscAla2xlLv0hZcMI6AXUI3oNWudiLbDLg5biBF7/skk1SBP H/iLGEgV7E/M275JwSaVkPbrU2Kyt9+MCRo1V/gabiMykUHsZQqwX6ck eEwaOKAiiJVhQ4tDvio0MN7Mk88Q/rBxdTwpFEoFVBYYMdhY3xIpx2eL j5yHS+JLyKaSX6DapMP/1QgtQ7ahFzZ/TvSHBzjUV3Jt+lv9i+h/RrTd e4h8uPdEdJXeKoVti5h9eskUAixYO7P0M38bHTblK/AXFyewY+MLzHEJ 3SdLxX5VOogxys7bJ34jh5AJM0KjWRfZwoD50n1bEJCD1PKOP/R9cf9o JpQrztlnbE0XQI8GyVQLR+NqwmriFACluDL7tevPCWV0IYAEQtGqvgHg drWqEbFjQfON/CJz
hpcl.co.in. 600 IN DNSKEY 256 3 7 AwEAAdMVcJsfsjk8FIT692qxGbBYIOlvSxrI+XkfCetsGaMi49JrBiCv Ie+xEmvNuN20+s4TJfLeHY/FgAaSUAKLEDiUPmS2b00zw5DZRnJZGP80 9zaEYizhvjIcqybb0YMQ9jW/YXCzlZdypRtkkFrZcykz+pAfyVAvPFM1 b+kjKpZhfVFBW4wp3QUDwAXEQ8OA3K2+b/paRmK0OzOaiU/3GJVPdPsS 8cbeLPvoUH7bJFnDLdl16o4tcrqN7M+k40B5SmsLULTSYLd599Gey8r6 CQCwPq3uZjIhrsRBlxDZtkN0wn9+Zc101zDU4A3njF4jpjLs5V8KPryz mhF90fvK+tU=
hpcl.co.in. 600 IN RRSIG DNSKEY 7 3 600 20190524090021 20190424090021 16764 hpcl.co.in. fxJ89srygt/CMFQKgCDgcm4i3guqp9bgEUtRrL+kItvUQXIdD/cdan+/ cbZGNozYc6AGoMlCoU9aqh22ODZmAyCzoJrs9W1U2FpmZYgjGIrTQfp6 6VdmWB5oiqWZC/KtbYLyEfmIeKFtylvySxkcDWyslpuEOIcQQlKMtY/q wr83K9G5v0Zpg2zQUU9DTO043f3h2WeWXkSsCrBFKwmW0sUk3BCifk2r MQABoerQy2RYvx/oI1W/Y/W8GGWD28T5kBJEg2o6tRNUpvqO8L/jRdTa ZJLkx1YJ8T7Kar2nytJMRFnduksr/dlvmN+E/2tArO6mzgffxh2BBDLc wFlayume+vqCLwWmZ34kZXbFbzZ9WdcFHD4bjuVLnlU1IWtsoAGuKfQS RwN4QtHrk8I+U2TLhqBpWBv8MAH4IQZicaNWi0yt7JMZu+1GcJ4LI08s 8dhGyITGQQ6rvzMzp5xqAOohHjohOi2b+c7LyHNoaazMCrfAq6NjKd26 dayMgV216qJmfZ6kYcw+ek5wfhnIWZ60o5HXtdoPapqEBIUeof+iKbfE /hwXM/KAvIrOtt85lT4B+Bnlmk6PTBwW1Zvvxux9TtXI3jENzGbpQqFM pQ2Ih7XE+VadNTnkea5MpPCA31d3rq7LmJhQz4EOYqiPPJ5xQzfAfics V7pydXQu5/A=
hpcl.co.in. 600 IN RRSIG DNSKEY 7 3 600 20190524090021 20190424090021 35984 hpcl.co.in. vqI1qtRqo8F47bq3z8Gs/nQFlSI25Lq7MV9SxK+/KDFWKOGVW6SbZeo7 1T0brBzaNAwfVvLziw/e/dYNFLwgzLg9Fxa1SUXasEUu16vLj/w070Iw tyH5FOMron/1mO67WUlpnOVICoQaPaYGdmjNsoQ4jUIHMqjwYPNQOq/M TXSWIzRjnu5rdCPkzZqguAE/dMkGKhxd7barN5RV3LsYDDyF6TdoWeiW BoQf0YkgsbWxZs7txFrUYDl8mwNb30IQNd5k12uEMZA1C6t/xIWYMsVg R1+KlXsxYqh2m4JNzAN9GgONiCb0bG7iqAJo92/7TKCz94lFRAuR6Kxv +T6rfw==

;; Query time: 290 msec
;; SERVER: 203.175.185.210#53(203.175.185.210)
;; WHEN: Fri May 03 09:48:35 EDT 2019
;; MSG SIZE  rcvd: 1699

Alex Dupuy

May 3, 2019, 10:01:07 AM
to public-dns-discuss
I wrote:
If the domain owners want to increase the security of their DNS zone, they should switch to SHA-256 (DNSKEY algorithm 8) with 2048- or 3072-bit KSKs, which are smaller but more resistant to hash collision attacks.

An alternate solution for the domain owners might be to sign the DNSKEY RRSet only with the ZSK, rather than with the ZSK and KSK. That could possibly bring the response size below 1500 bytes and avoid fragmentation.
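
The following is an added example, not code from the thread or from HPCL, that turns the two replies above into numbers: it models the wire size of a signed DNSKEY response from the record formats in RFC 1035, RFC 4034, RFC 6891 and RFC 6605, and applies the model to the keys in the dig output. The key sizes are what that base64 decodes to (the KSK RDATA is 516 bytes, a 4096-bit RSA modulus plus a 3-byte exponent; the ZSK RDATA is 260 bytes, so 2048-bit RSA; the two signatures are 512 and 256 bytes). With those inputs the model reproduces the 1699-byte "MSG SIZE rcvd" exactly, and it then shows what the ZSK-only signing suggested above, a 2048- or 3072-bit algorithm-8 KSK, and (beyond what the thread discusses) ECDSA P-256 would do to the size. The 1232-byte limit is the default EDNS buffer size recommended since DNS Flag Day 2020; 1500 is the Ethernet MTU the thread refers to. Scenario labels and the `report()` helper are this example's own.

```python
"""Estimate the wire size of a DNSKEY response and compare key configurations.

Added example: record sizes follow RFC 1035 (header, names, RRs), RFC 4034
(DNSKEY, RRSIG), RFC 6891 (OPT) and RFC 6605 (ECDSA).  Not part of the thread.
"""

HEADER_LEN = 12                   # RFC 1035 s4.1.1 message header
OPT_RR_LEN = 11                   # EDNS0 OPT RR with no options: root name + type + class + ttl + rdlength
RR_FIXED_LEN = 2 + 2 + 2 + 4 + 2  # compressed owner-name pointer, TYPE, CLASS, TTL, RDLENGTH
DNSKEY_FIXED_LEN = 4              # flags(2) + protocol(1) + algorithm(1)
RRSIG_FIXED_LEN = 18              # type covered .. key tag; signer name and signature follow

# DNSKEY algorithm numbers (IANA registry)
RSASHA1_NSEC3_SHA1 = 7            # what hpcl.co.in uses in the dig output above
RSASHA256 = 8
ECDSAP256SHA256 = 13

# Assumed limits: the DNS Flag Day 2020 default EDNS buffer size and the Ethernet MTU
UDP_SAFE_LEN = 1232
ETHERNET_MTU = 1500


def name_wire_len(name: str) -> int:
    """Uncompressed wire length of a domain name: length-prefixed labels plus the root byte."""
    labels = [label for label in name.rstrip(".").split(".") if label]
    return sum(1 + len(label) for label in labels) + 1


def public_key_len(alg: int, bits: int) -> int:
    """Length of the DNSKEY public key field for the given algorithm and key size."""
    if alg in (RSASHA1_NSEC3_SHA1, RSASHA256):
        # RFC 3110: exponent-length byte + exponent + modulus.  The keys on this page
        # start with base64 "AwEAAa" = 03 01 00 01, i.e. a 3-byte exponent of 65537.
        return 1 + 3 + bits // 8
    if alg == ECDSAP256SHA256:
        return 64                 # RFC 6605: X || Y, no curve identifier
    raise ValueError(f"algorithm {alg} is not modelled here")


def signature_len(alg: int, bits: int) -> int:
    """Length of the RRSIG signature field."""
    if alg in (RSASHA1_NSEC3_SHA1, RSASHA256):
        return bits // 8          # RSASSA-PKCS1-v1_5 signatures are modulus-sized
    if alg == ECDSAP256SHA256:
        return 64                 # r || s
    raise ValueError(f"algorithm {alg} is not modelled here")


def dnskey_response_len(zone: str, keys, signers) -> int:
    """Size of a DNSKEY response: header, question, one DNSKEY RR per key,
    one RRSIG per signing key, and the EDNS OPT RR.  keys/signers are
    (algorithm, bits) pairs."""
    size = HEADER_LEN + name_wire_len(zone) + 4 + OPT_RR_LEN   # question = QNAME + QTYPE + QCLASS
    for alg, bits in keys:
        size += RR_FIXED_LEN + DNSKEY_FIXED_LEN + public_key_len(alg, bits)
    for alg, bits in signers:
        # RFC 4034 s3.1.7: the signer's name MUST NOT be compressed
        size += RR_FIXED_LEN + RRSIG_FIXED_LEN + name_wire_len(zone) + signature_len(alg, bits)
    return size


ZONE = "hpcl.co.in."
KSK_4096 = (RSASHA1_NSEC3_SHA1, 4096)   # 516-byte RDATA in the dig output
ZSK_2048 = (RSASHA1_NSEC3_SHA1, 2048)   # 260-byte RDATA in the dig output

# (keys in the RRset, keys that sign the RRset); labels are this example's own
SCENARIOS = {
    "as published: 4096-bit KSK, KSK and ZSK both sign": ([KSK_4096, ZSK_2048], [KSK_4096, ZSK_2048]),
    "as published, DNSKEY set signed by ZSK only":       ([KSK_4096, ZSK_2048], [ZSK_2048]),
    "alg 8, 2048-bit KSK and ZSK, both sign":            ([(RSASHA256, 2048), (RSASHA256, 2048)],
                                                          [(RSASHA256, 2048), (RSASHA256, 2048)]),
    "alg 8, 3072-bit KSK + 2048-bit ZSK, both sign":     ([(RSASHA256, 3072), (RSASHA256, 2048)],
                                                          [(RSASHA256, 3072), (RSASHA256, 2048)]),
    "alg 13 (ECDSA P-256) KSK and ZSK, both sign":       ([(ECDSAP256SHA256, 256)] * 2,
                                                          [(ECDSAP256SHA256, 256)] * 2),
}


def report(zone: str = ZONE, scenarios=SCENARIOS) -> dict:
    """Map each scenario label to (size, fits in 1232, fits in 1500)."""
    out = {}
    for label, (keys, signers) in scenarios.items():
        size = dnskey_response_len(zone, keys, signers)
        out[label] = (size, size <= UDP_SAFE_LEN, size <= ETHERNET_MTU)
    return out


if __name__ == "__main__":
    for label, (size, ok1232, ok1500) in report().items():
        print(f"{size:5d} bytes  <=1232:{ok1232!s:5}  <=1500:{ok1500!s:5}  {label}")
```

The first scenario comes out at 1699 bytes, the figure dig reports above, so the model is accounting for every byte BIND put on the wire. Dropping the KSK's RRSIG over the DNSKEY set cuts it to 1145, which is why the second reply's alternative works; a 2048-bit algorithm-8 pair lands at 1187, comfortably under both limits, while a 3072-bit KSK (1443) fits in an Ethernet frame but not in a 1232-byte EDNS buffer, which is the caveat a practitioner should check before picking the larger key.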
