Issue with dns resolution for www.ssa.gov

Bhangui, Sandeep - BLS CTR Bhangui.Sandeep at bls.gov
Thu Sep 1 21:56:54 UTC 2022


John,

We have not moved to PDNS as yet.

I am not sure about DNSSEC for SSA; will check on that.

Thanks
Sandeep

From: bind-users <bind-users-bounces at lists.isc.org> On Behalf Of John W. Blue via bind-users
Sent: Thursday, September 1, 2022 5:03 PM
To: bind-users at lists.isc.org
Subject: Re: Issue with dns resolution for www.ssa.gov

Sandeep,

Are you all using CISA's Protective DNS?  If so, there might be a ruleset that is causing problems.

If not, and I have not checked, but is DNSSEC for SSA working correctly?

John

________________________________
From: "Bhangui, Sandeep - BLS CTR via bind-users" <bind-users at lists.isc.org>
Sent: Thursday, September 1, 2022 3:11 PM
To: bind-users at lists.isc.org
Subject: Issue with dns resolution for www.ssa.gov

Hi

We are running BIND version 9.16.31 on a RHEL 7.X server and things are working fine in general.

Having an issue with DNS resolution for www.ssa.gov; no other DNS issues reported at this time.

Our DNS server cannot seem to resolve www.ssa.gov using nslookup (I know this is an old utility and cannot be used much for troubleshooting); dig seems to respond properly.

Just curious what the issue could be. Is this on our DNS server, as nslookup seems to work fine for a lot of other sites that I used just to check if it responds correctly?

The VZ public NS which is listed as one of the NS under /etc/resolv.conf seems to respond to nslookup just fine.

I am not sure what more information I could include that could be helpful; if anything else is needed, please let me know and I will post it.

Thanks in advance.

Sandeep


# nslookup www.ssa.gov

;; Got SERVFAIL reply from 127.0.0.1, trying next server

Server:         198.6.1.1
Address:        198.6.1.1#53

Non-authoritative answer:
www.ssa.gov     canonical name = www.ssa.gov.edgekey.net.
www.ssa.gov.edgekey.net canonical name = e82396.dsca.akamaiedge.net.
Name:   e82396.dsca.akamaiedge.net
Address: 23.222.241.54
Name:   e82396.dsca.akamaiedge.net
Address: 23.222.241.58
Name:   e82396.dsca.akamaiedge.net
Address: 2600:1404:d400::687d:293
Name:   e82396.dsca.akamaiedge.net
Address: 2600:1404:d400::687d:289


Dig output from the same DNS server seems to give a response.

# dig www.ssa.gov

; <<>> DiG 9.16.31 <<>> www.ssa.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24578
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.ssa.gov.                   IN      A

;; ANSWER SECTION:
www.ssa.gov.            300     IN      CNAME   www.ssa.gov.edgekey.net.
www.ssa.gov.edgekey.net. 9625   IN      CNAME   e82396.dsca.akamaiedge.net.
e82396.dsca.akamaiedge.net. 20  IN      A       23.222.241.58
e82396.dsca.akamaiedge.net. 20  IN      A       23.222.241.51

;; Query time: 171 msec
;; SERVER: 198.6.1.1#53(198.6.1.1)
;; WHEN: Thu Sep 01 16:03:21 EDT 2022
;; MSG SIZE  rcvd: 146
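
Added example, not part of the original thread or of BIND: an sh helper for the DNSSEC question raised above. It queries one resolver explicitly, with and without checking disabled, and reports which server answered; the dig run above shows `SERVER: 198.6.1.1`, the same upstream that nslookup fell back to after the SERVFAIL from 127.0.0.1. The function names, result labels and the constructed sample output are assumptions of this example.

```shell
#!/bin/sh
# Added example: classify a SERVFAIL from a validating resolver by comparing
# a normal query with one sent with the CD (checking disabled) bit set.

# Print the rcode (NOERROR, SERVFAIL, ...) found in dig output on stdin.
dig_status() {
    sed -n 's/.*->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Print the address of the server that actually answered (the ";; SERVER:" line).
dig_server() {
    sed -n 's/^;; SERVER: \([^#]*\)#.*/\1/p' | head -n 1
}

# classify NORMAL_STATUS CD_STATUS -> one label on stdout
classify() {
    case "$1/$2" in
        /*|*/)              echo "no-response" ;;               # a query got no reply at all
        SERVFAIL/NOERROR|SERVFAIL/NXDOMAIN)
                            echo "dnssec-validation-failure" ;; # data exists, validation rejects it
        SERVFAIL/SERVFAIL)  echo "not-validation-related" ;;    # fails even with checking disabled
        SERVFAIL/*)         echo "inconclusive" ;;
        *)                  echo "resolver-answers" ;;
    esac
}

# Live check. Naming the server with @ stops dig from reading /etc/resolv.conf,
# so the answer cannot come from another listed server.
# usage: check_resolver 127.0.0.1 www.ssa.gov
check_resolver() {
    normal=$(dig "@$1" "$2" A +tries=1 +time=5 | dig_status)
    with_cd=$(dig "@$1" "$2" A +cdflag +tries=1 +time=5 | dig_status)
    classify "$normal" "$with_cd"
}

# Constructed sample dig output (not captured from any real server), for offline use.
SAMPLE_FAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1111
;; SERVER: 127.0.0.1#53(127.0.0.1)'
SAMPLE_CD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2222
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; SERVER: 127.0.0.1#53(127.0.0.1)'
```

A `dnssec-validation-failure` result points at the signed zone or the resolver's trust anchors and clock rather than at reachability.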

