Issue with dns resolution for www.ssa.gov

Bhangui, Sandeep - BLS CTR Bhangui.Sandeep at bls.gov
Thu Sep 1 22:16:03 UTC 2022


If I go to my personal computer or my personal phone (not on VPN connected to BLS network or using BLS resources), I can get to the site www.ssa.gov, which I would take to mean that it is able to resolve www.ssa.gov.

Does that mean the DNS resolution for www.ssa.gov is not broken globally as explained below?

Or maybe my personal computer & my personal phone are querying different DNS servers over the internet which are able to resolve www.ssa.gov correctly and get to the website?

Thanks
Sandeep



-----Original Message-----
From: bind-users <bind-users-bounces at lists.isc.org> On Behalf Of Bjørn Mork
Sent: Thursday, September 1, 2022 5:26 PM
To: BIND users <bind-users at lists.isc.org>
Subject: Re: Issue with dns resolution for www.ssa.gov

www.ssa.gov is a separate zone according to the ssa.gov NS:

bjorn at idefix:~$ dig ns www.ssa.gov @dns1.ssa.gov

; <<>> DiG 9.16.27-Debian <<>> ns www.ssa.gov @dns1.ssa.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56002
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 9
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 3419fe2b41b19e86fd0d2330631122fd3a26a591e846d4b1 (good)
;; QUESTION SECTION:
;www.ssa.gov.                   IN      NS

;; AUTHORITY SECTION:
www.ssa.gov.            60      IN      NS      gtms2.ssa.gov.
www.ssa.gov.            60      IN      NS      gtms1.ssa.gov.
www.ssa.gov.            60      IN      NS      gtmu1.ssa.gov.
www.ssa.gov.            60      IN      NS      gtmu2.ssa.gov.

;; ADDITIONAL SECTION:
GTMS1.ssa.gov.          36000   IN      AAAA    2001:1930:e03::13
GTMS2.ssa.gov.          36000   IN      AAAA    2001:1930:e03::14
GTMU1.ssa.gov.          36000   IN      AAAA    2001:1930:d07:1::10
GTMU2.ssa.gov.          36000   IN      AAAA    2001:1930:d07:1::11
GTMS1.ssa.gov.          36000   IN      A       137.200.4.203
GTMS2.ssa.gov.          36000   IN      A       137.200.4.204
GTMU1.ssa.gov.          36000   IN      A       137.200.43.16
GTMU2.ssa.gov.          36000   IN      A       137.200.43.17

;; Query time: 107 msec
;; SERVER: 2001:1930:d07:1::8#53(2001:1930:d07:1::8)
;; WHEN: Thu Sep 01 23:24:13 CEST 2022
;; MSG SIZE  rcvd: 348



But it's a CNAME according to the www.ssa.gov NS:


bjorn at idefix:~$ dig a www.ssa.gov @gtms1.ssa.gov

; <<>> DiG 9.16.27-Debian <<>> a www.ssa.gov @gtms1.ssa.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43620
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.ssa.gov.                   IN      A

;; ANSWER SECTION:
www.ssa.gov.            300     IN      CNAME   www.ssa.gov.edgekey.net.

;; Query time: 127 msec
;; SERVER: 2001:1930:e03::13#53(2001:1930:e03::13)
;; WHEN: Thu Sep 01 23:25:01 CEST 2022
;; MSG SIZE  rcvd: 77



CDNs playing tricks. This won't fly.



Bjørn
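
The mismatch shown in the two dig responses above can be checked mechanically. The following is an added example, not part of the original thread or of BIND: it parses trimmed copies of the two responses and reports any name that the parent delegates with NS records while the child answers authoritatively with a CNAME at that same name (a zone apex has to carry SOA and NS records, and a CNAME cannot share its owner name with other data). The function names are hypothetical.

```python
import re

# Trimmed from the two dig responses quoted in the thread above.
PARENT = """\
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 9
;; QUESTION SECTION:
;www.ssa.gov.                   IN      NS

;; AUTHORITY SECTION:
www.ssa.gov.            60      IN      NS      gtms2.ssa.gov.
www.ssa.gov.            60      IN      NS      gtms1.ssa.gov.
"""
CHILD = """\
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;www.ssa.gov.                   IN      A

;; ANSWER SECTION:
www.ssa.gov.            300     IN      CNAME   www.ssa.gov.edgekey.net.
"""

def parse_dig(text):
    """Return (flags, {section: [(owner, type, rdata), ...]}) from dig text."""
    flags, sections, current = set(), {}, None
    for line in text.splitlines():
        m = re.match(r";; flags: ([a-z ]+);", line)
        if m:
            flags = set(m.group(1).split())
        elif (m := re.match(r";; (\w+) SECTION:", line)):
            current = m.group(1)
        elif current and line and not line.startswith(";"):
            owner, _ttl, _cls, rtype, rdata = line.split(None, 4)
            sections.setdefault(current, []).append((owner.lower(), rtype, rdata))
    return flags, sections

def apex_cname_conflict(parent_text, child_text):
    """Names delegated by the parent that the child answers with an authoritative CNAME."""
    pflags, psec = parse_dig(parent_text)
    cflags, csec = parse_dig(child_text)
    delegated = set()
    if "aa" not in pflags:  # non-authoritative NS in AUTHORITY = referral (zone cut)
        delegated = {o for o, t, _ in psec.get("AUTHORITY", []) if t == "NS"}
    if "aa" not in cflags:  # only trust the child's view if it claims authority
        return []
    return sorted(o for o, t, _ in csec.get("ANSWER", [])
                  if t == "CNAME" and o in delegated)

if __name__ == "__main__":
    print(apex_cname_conflict(PARENT, CHILD))
```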