Google Public DNS Not Resolving WWW.FBO.GOV


timoth...@gmail.com

Jan 3, 2019, 9:05:06 AM
to public-dns-discuss
The date and time you encountered the problem: 2 Jan 2019 (all day)

Your location: Reston VA

The platform on which you are noticing the problem (e.g. Mac, Windows, router, etc.): Multiple (Windows 10, MAC, Android, iOS)

The hostname(s) for which you are having a problem: www.fbo.gov

Whether the problem is continuous or intermittent: Continuous

The links to the tools' name server diagnosis report page: https://intodns.com/fbo.gov

The output of the commands you ran in the diagnostic tests:


Alex Dupuy

Jan 3, 2019, 10:25:13 AM
to public-dns-discuss
The FBO's (Federal Business Opportunities aka FedBizOpps) fbo.gov domain has a stale DS record that is breaking their DNSSEC validation: http://dnsviz.net/d/www.fbo.gov/XC4oBA/dnssec/

With the government shutdown, it's unlikely to be fixed soon.

We'll see about putting in a negative trust anchor to temporarily allow this domain to be resolved.

Tim Berry

Jan 3, 2019, 11:33:07 AM
to Alex Dupuy, public-dns-discuss
I wasn't sure if that was it or not, so thanks! OpenDNS seems to resolve it just fine; is that because they're less restrictive?


Alex Dupuy

Jan 3, 2019, 11:37:52 AM
to public-dns-discuss
OpenDNS does not validate DNSSEC. Of the other public DNS resolvers that do, Cloudflare and Verisign are returning SERVFAIL, while Quad9 seems to have a negative trust anchor in place. If you're a Comcast customer, you can see what they have done (I suspect they might have an NTA in place too).

; <<>> DiG 9.11.2-P1-1-Debian <<>> +noedns +nostats www.fbo.gov @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 25373
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:


; <<>> DiG 9.11.2-P1-1-Debian <<>> +noedns +nostats www.fbo.gov @9.9.9.9
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59081
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:

;; ANSWER SECTION:


; <<>> DiG 9.11.2-P1-1-Debian <<>> +noedns +nostats www.fbo.gov @64.6.64.6
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4800
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
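
A common way to tell a DNSSEC validation failure apart from an ordinary outage is to repeat the query with the checking-disabled bit set (`dig +cd`) and compare the two headers. The Python below is an added example, not part of the original thread; the sample headers are constructed in the format shown above, and the function names and verdict labels are hypothetical.

```python
import re

# Constructed dig headers in the format quoted in the thread. The "cd"
# (checking disabled) runs are assumed; the thread did not include them.
PLAIN_SERVFAIL = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1001
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0"""
CD_NOERROR = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1002
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0"""
CD_SERVFAIL = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1003
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0"""
PLAIN_NOERROR_AD = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1004
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0"""
PLAIN_NOERROR = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1005
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0"""


def parse_header(dig_output):
    """Return (status, set of flags) from the header lines of dig output."""
    status = re.search(r"status:\s*(\w+)", dig_output)
    flags = re.search(r"flags:([^;]*);", dig_output)
    if not (status and flags):
        raise ValueError("no dig header found")
    return status.group(1), set(flags.group(1).split())


def classify(plain, checking_disabled):
    """Compare a normal query with the same query sent with +cd."""
    status, flags = parse_header(plain)
    cd_status, _ = parse_header(checking_disabled)
    if status == "SERVFAIL":
        # Data is reachable once validation is skipped: the resolver is
        # rejecting it on DNSSEC grounds (e.g. a stale DS record).
        if cd_status == "NOERROR":
            return "dnssec-validation-failure"
        # Still failing with validation off: authoritative servers or
        # network are the problem, not DNSSEC.
        return "resolution-failure"
    if status == "NOERROR":
        # "ad" means the resolver validated the answer. Without it the
        # resolver may not validate, may have a negative trust anchor,
        # or the zone may be unsigned; the header alone cannot say which.
        return "validated" if "ad" in flags else "answered-unvalidated"
    return "other:" + status


if __name__ == "__main__":
    print(classify(PLAIN_SERVFAIL, CD_NOERROR))
```
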

Andrzej Swietek

Jan 3, 2019, 2:03:34 PM
to timoth...@gmail.com, public-dns-discuss
Windows ifconfig or nslookup does not specify the time stamp of the DNS query; use the BIND DNS dig tool instead!

timoth...@gmail.com

Jan 3, 2019, 2:03:39 PM
to public-dns-discuss
Got it.  Learning more about DNSSEC through the process.  Validated same with some other public DNS services that do check DNSSEC.  I suspect a lot of them probably have an NTA in place for a LOT of .gov websites!  ;)

I have an open ticket with GSA's Federal Service Desk (fsd.gov) regarding the issue.  I've passed along the screenshots/logs to help them sort it out.  Appreciate the assist and quick response!

Tim Berry

Jan 3, 2019, 3:10:04 PM
to public-dns-discuss
Looks like they've resolved the problem: http://dnsviz.net/d/fbo.gov/dnssec/
