Netgate Discussion Forum
    Insanely weird issue with DNS resolution to www.cdc.gov

DHCP and DNS
    52 Posts 15 Posters 9.0k Views
johnpoz LAYER 8 Global Moderator @Gertjan

      @gertjan Not sure about all that.. I just looked and I am seeing warnings with www.irs.gov, but not with just irs.gov

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

stompro

        Hello, we just ran into this today.

        Unbound as a forwarder using OpenDNS (Cisco Umbrella DNS Essentials subscription).

        I don't see any red errors on the https://dnsviz.net/d/www.cdc.gov/dnssec/ site.

        Thanks for all the resources here for figuring out how to bypass the errors. The 'domain-insecure: "cdc.gov"' bypass seems to work for us also.

        I'll send a note to the CDC IT contact that popped up in this thread.

        Josh

        Hardware used: Alix 2D13 X 10, APU2D4 X 10, SG-2200 X 10, SG-2440 X 4

johnpoz LAYER 8 Global Moderator @stompro

          @stompro said in Insanely weird issue with DNS resolution to www.cdc.gov:

          www.cdc.gov

I still see that domain as a mess from a DNSSEC point of view.

[screenshot attached: cdc.jpg]

          Unbound as a forwarder using OpenDNS

If you're forwarding with Unbound, you should not have DNSSEC checked. Where you forward to does DNSSEC or it doesn't. That checkbox telling Unbound to do DNSSEC isn't going to do anything other than cause problems.

stompro @johnpoz

I wasn't sure if warnings were a problem or not. Some of the other screenshots were filled with red errors... which is what I thought the real problem was.

            @johnpoz said in Insanely weird issue with DNS resolution to www.cdc.gov:

            If your forwarding with unbound, you should not have dnssec checked. Where you forward to does dnssec or it doesn't.. That checkmark telling unbound to do dnssec isn't going to do anything other than problems...

            Thank you for saying this again so it would get through to me.

            So if the servers that I'm using to forward my request to do not support dnssec... then unbound doesn't do any extra checks on the returned information if dnssec is checked? There is no possible benefit there?

            And if the upstream dns server does do dnssec, then it has already performed the extra checks, so the unbound setting is redundant?

            Am I understanding that correctly?
            Josh

johnpoz LAYER 8 Global Moderator @stompro

@stompro asking whoever you're forwarding to for DNSSEC info gets you nothing. They could send you whatever they have cached, etc.

For DNSSEC to be valid you need to directly talk to the authoritative name servers and validate the info, etc.

It's just going to be extra queries and bandwidth for no actual real benefit, and could cause problems.

There is zero reason to have your DNS software ask for DNSSEC info if it's not actually resolving.

stompro @johnpoz

                @johnpoz said in Insanely weird issue with DNS resolution to www.cdc.gov:

                For dnssec to be valid you need to directly talk to the authoritative name servers and validate the info, etc.
                Its just going to be extra queries and bandwidth for no actual real benefit.. And could cause problems..
                There is zero reason to have your dns software ask for dnssec info if its not actually resolving..

                Thank you for the extra explanation. I'll fix all my installs to uncheck the "DNSSEC" unbound config option.

Gertjan @stompro

                  @stompro

Keep in mind that you are forwarding to ... a resolver.
That resolver probably does DNSSEC checks, and the CDC announced it supports DNSSEC.
If there was more than a warning, that is, an error, and the error concerns a DNS record you were asking for, protection kicks in: no answer or NXDOMAIN.
You think: my DNS is bad.
The reality is: the zone cdc is bad.
You have just one choice: use a resolver without DNSSEC. So now cdc records, like any other DNS records, can be spoofed etc. I hope this "cdc" site isn't important for you.

Can you imagine what happens when Facebook starts to implement DNSSEC, and they f*ck up on their side?

                  No "help me" PM's please. Use the forum, the community will thank you.
Edit: and where are the logs??

johnpoz LAYER 8 Global Moderator @Gertjan

                    @gertjan said in Insanely weird issue with DNS resolution to www.cdc.gov:

                    Keep in mind that you are forwarding to ... a resolver.

Might not actually be true, could be another forwarder ;) But yeah, at some point in the chain there has to be a resolver... So your point is valid.

You know for sure it's not actually, say, 8.8.8.8 doing the actual resolving. This is why, for example, when you set up 8.8.8.8 as your DNS and you do one of those DNS leak tests, it shows other IPs as your DNS that are not 8.8.8.8; same when you point to 1.1.1.1.

I would be pretty sure in saying that the IP you point to when using any of these services isn't actually doing the "resolving" itself, but just forwarding to some other box in their network. DNS wouldn't work at all if at some point a resolver didn't get asked.

stompro @Gertjan

                      @gertjan Thank you for the extra info.

I don't quite understand how the Unbound DNSSEC option and the workaround of setting 'server:domain-insecure: "cdc.gov"' relate to each other, if at all. But I haven't looked up the domain-insecure option yet to see what it actually does. You don't need to Google it for me. :-)

                      I'll try and do more testing when I have a chance.

                      • Cisco Umbrella DNS Servers
                        • With DNSSEC Enabled - cdc.gov doesn't work for clients.
                        • With DNSSEC enabled in unbound and 'server:domain-insecure: "cdc.gov"' set, cdc.gov resolves fine for clients.

                      I can test with cloudflare and google dns, with dnssec on and off.

The pfSense DNS Lookup GUI seems to always work... but I don't know if that is DNSSEC aware.

                      Maybe the end clients are doing some sort of dnssec validation... but I think @johnpoz explained that that isn't how it works. The resolvers do the validation.

I kind of hate not knowing why something isn't working... but who knows if this whole DNSSEC thing is really going to stick around... seems like a fad, like fidget spinners. :-)

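A small script for running the tests listed above in a repeatable way, added here as an example; it is not something posted in the thread and not pfSense or Netgate code. It assumes dig is installed and takes a resolver address and a name as arguments (both placeholders; the server address and name in the usage line are the ones from the thread). It asks the resolver with +dnssec and looks for the AD flag in the reply header, then repeats the query with +cd (checking disabled) so that a SERVFAIL caused by validation can be told apart from a server that simply has no answer.

```shell
#!/bin/sh
# dnssec_probe.sh: classify how a resolver or forwarder answers for one name.
# Assumed, not from the thread: dig is installed; server and name are arguments.
#
# Usage: sh dnssec_probe.sh 192.168.9.253 www.cdc.gov

# classify STATUS FLAGS [STATUS_CD]
#   STATUS and FLAGS come from a normal "+dnssec" query;
#   STATUS_CD from the same query with "+cd" (checking disabled).
classify() {
  status=$1; flags=$2; status_cd=${3:-}
  case "$status" in
    NOERROR|NXDOMAIN)
      case " $flags " in
        *" ad "*) echo validated ;;   # the server we asked asserts it validated the chain
        *)        echo unvalidated ;; # answered, but without an AD assertion
      esac ;;
    SERVFAIL)
      if [ "$status_cd" = NOERROR ] || [ "$status_cd" = NXDOMAIN ]; then
        echo bogus        # data exists, but fails validation: a DNSSEC problem in the zone
      else
        echo unreachable  # no answer even with checking disabled: not a DNSSEC problem
      fi ;;
    *) echo "unknown(${status:-no-response})" ;;
  esac
}

# Pull status and flags out of dig's header lines read from stdin.
parse_status() { sed -n 's/^;; ->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p'; }
parse_flags()  { sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p'; }

# probe SERVER NAME: run both queries against SERVER and print the verdict.
probe() {
  server=$1; name=$2
  out=$(dig @"$server" "$name" A +dnssec +time=3 +tries=1 || true)
  st=$(printf '%s\n' "$out" | parse_status)
  fl=$(printf '%s\n' "$out" | parse_flags)
  st_cd=$(dig @"$server" "$name" A +dnssec +cd +time=3 +tries=1 2>/dev/null | parse_status)
  printf '%s @%s: %s\n' "$name" "$server" "$(classify "$st" "$fl" "$st_cd")"
}

# Only probe when run directly with two arguments, so the functions can also be sourced.
if [ $# -eq 2 ]; then probe "$1" "$2"; fi
```

Run it against each forwarder you want to compare (Umbrella, Cloudflare, Google) and against the pfSense box itself, once with Unbound's DNSSEC box checked and once unchecked. "validated" only means the server you asked set AD, i.e. it asserts that it did the validation; "unvalidated" means it answered without that assertion, which says nothing about what any upstream resolver did. "bogus" is the case where the same query answers as soon as checking is disabled, which is the signature of a DNSSEC failure in the zone rather than in your setup, and it is the only case that the 'server:domain-insecure: "cdc.gov"' option changes: that option tells Unbound to ignore the chain of trust for that zone and treat it as unsigned, so the answer comes back unvalidated instead of SERVFAIL.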
johnpoz LAYER 8 Global Moderator @stompro

                        @stompro said in Insanely weird issue with DNS resolution to www.cdc.gov:

                        seems like a fad, like fidget spinners

                        Not sure if I would say that - but the overall adoption is disappointing to be sure..

Here is the thing: that site is all kinds of messed up when it comes to DNSSEC. I don't have any problem resolving it using DNSSEC, but with some of the errors I see, it could for sure be hit or miss.

If you're forwarding and also have DNSSEC enabled, that can cause issues. So are you saying that when you uncheck DNSSEC in Unbound and forward to Cisco, it fails? Is that something you have to enable or disable in your subscription? Cisco Umbrella is a subscription service, is it not?

                         $ dig @192.168.9.253 www.cdc.gov
                        
                        ; <<>> DiG 9.16.27 <<>> @192.168.9.253 www.cdc.gov
                        ; (1 server found)
                        ;; global options: +cmd
                        ;; Got answer:
                        ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15485
                        ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
                        
                        ;; OPT PSEUDOSECTION:
                        ; EDNS: version: 0, flags:; udp: 4096
                        ;; QUESTION SECTION:
                        ;www.cdc.gov.                   IN      A
                        
                        ;; ANSWER SECTION:
                        www.cdc.gov.            3600    IN      CNAME   www.akam.cdc.gov.
                        www.akam.cdc.gov.       3600    IN      A       104.98.82.250
                        
                        ;; Query time: 185 msec
                        ;; SERVER: 192.168.9.253#53(192.168.9.253)
                        ;; WHEN: Fri Apr 22 09:45:15 Central Daylight Time 2022
                        ;; MSG SIZE  rcvd: 79
                        

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.