what is wrong with DNS name 'covid19booster.healthservice.ie' ? : Google : what is Google's secret DNS service ?

Borja Marcos borjam at sarenet.es
Mon Jan 10 12:07:13 UTC 2022



> On 9 Jan 2022, at 13:11, Jason Vas Dias <jason.vas.dias at gmail.com> wrote:
> 
> Thanks to all who responded !
> Yes, removing my Forwarders list did the trick .
> Never trust an ISP's DNS servers!

I’m late to the party, but anyway several issues are worth pointing out.

- First, there is no Hidden Google Internet, but Google is lousier than others when resolving DNS names. 
Their public DNS service does tolerate some misconfigurations. So you can find that they resolve names
that fail on other servers. And it’s not necessarily that your ISP servers are broken. Maybe they are more strict.

Microsoft has played this game for years with disastrous security consequences, like ignoring MIME types and guessing
file types.

In my opinion Google is misbehaving. They are playing the “I am better than others” card in the same way as Microsoft did.



- Second: BIND is getting stricter, tolerating fewer DNS configuration flaws than before.

That can result in failed queries. An example: 

	$ dig aes.orange.es TYPE65 @your.bind.ip.address

	$ dig aes.orange.es TYPE65 @8.8.8.8

It is a good idea to check your domains using the DNS Flag Day checkers. 

And a good reference to test for DNS misconfiguration is DNSViz, which is not only useful to check DNSSEC records. It
is extremely picky about DNS record consistency.

For example, if you check healthservice.ie on DNSVIZ you will see this result:

https://dnsviz.net/d/healthservice.ie/dnssec/

With two warnings:

	• ie to healthservice.ie: The following NS name(s) were found in the authoritative NS RRset, but not in the delegation NS RRset (i.e., in the ie zone): ns1.ie.topsec.com, ns2.ie.topsec.com, ns4.eu.topsec.com, ns3.ca.topsec.com
	• ie to healthservice.ie: The following NS name(s) were found in the delegation NS RRset (i.e., in the ie zone), but not in the authoritative NS RRset: ns3.ca.topsectechnology.net, ns4.eu.topsectechnology.net, ns1.ie.topsectechnology.net, ns2.ie.topsectechnology.net


I would say it is a lousy configuration.

Cheers,





Borja.
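
The delegation versus authoritative NS comparison behind the two DNSViz warnings quoted in the message above, as an added example that is not part of the original post. The dig-style records are constructed from the NS names in those warnings (TTLs, letter case and the comment line are made up), and the function names are hypothetical.

```python
"""Compare a zone's delegation NS RRset (parent) with its authoritative one (child)."""

# Constructed sample data in dig answer-line style. The NS names come from the
# DNSViz warnings quoted above; TTLs, letter case and the comment line are made up.
PARENT_SIDE = """\
; referral from the ie zone (constructed)
healthservice.ie. 172800 IN NS ns1.ie.topsectechnology.net.
healthservice.ie. 172800 IN NS ns2.ie.topsectechnology.net.
healthservice.ie. 172800 IN NS NS3.ca.topsectechnology.net.
healthservice.ie. 172800 IN NS ns4.eu.topsectechnology.net.
"""
CHILD_SIDE = """\
healthservice.ie. 3600 IN NS ns1.ie.topsec.com.
healthservice.ie. 3600 IN NS ns2.ie.topsec.com.
healthservice.ie. 3600 IN NS ns3.ca.topsec.com.
HealthService.ie. 3600 IN NS ns4.eu.topsec.com
"""


def _norm(name):
    """DNS names compare case-insensitively; ignore the trailing root dot."""
    return name.rstrip(".").lower()


def ns_targets(dig_text, zone):
    """Return the set of NS targets owned by `zone` in dig-style output."""
    targets = set()
    for line in dig_text.splitlines():
        fields = line.split(";", 1)[0].split()  # strip dig comments
        # Expect: owner [ttl] [class] NS target; skips RRSIG, A/AAAA glue, etc.
        if len(fields) >= 3 and fields[-2].upper() == "NS" and _norm(fields[0]) == _norm(zone):
            targets.add(_norm(fields[-1]))
    return targets


def compare_delegation(parent_text, child_text, zone):
    """Report NS names present on only one side of the zone cut."""
    parent, child = ns_targets(parent_text, zone), ns_targets(child_text, zone)
    return {
        "consistent": parent == child,
        "only_in_delegation": sorted(parent - child),
        "only_in_authoritative": sorted(child - parent),
    }


if __name__ == "__main__":
    for key, value in compare_delegation(PARENT_SIDE, CHILD_SIDE, "healthservice.ie").items():
        print(f"{key}: {value}")
```
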




