Support Hosed?

Someone nudged me a little while ago and asked if I was aware of any issues with I plugged into my browser to no avail. I then tried to resolve’s DNS name to an IP address, to no avail. So, I had a bit of a deeper look.

danny@pork% host <- seeing if name will resolve
;; connection timed out; no servers could be reached
danny@pork% host -Cv <- checking for SOAs on authoritative servers
Trying “”
;; connection timed out; no servers could be reached

Hrmm… So, what are those authoritative servers? I ask and get pointed to [a-m], which makes sense because they serve the .gov domain. I ask, and get pointed to [a-g].GOV.ZONEEDIT.COM, which makes sense. So, I ask, and it returns:

danny@pork% dig ns

; <<>> DiG 9.4.1-P1 <<>> ns
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30111
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1
;; WARNING: recursion requested but not available




;; Query time: 161 msec
;; WHEN: Thu May 15 09:54:25 2008
;; MSG SIZE rcvd: 9

So, I get two name servers as authoritative for,, and an A record ( was included for in the NS query response, so I query for the A record of

danny@pork% host has address

And now I know that the two authoritative servers and their corresponding IP addresses for are: ( (

You might notice something peculiar with the above two IP addresses. They both reside within the same /16 prefix (, registered to the National Computer Security Center (NCSC):

danny@pork% whois -h

OrgName: National Computer Security Center
Address: 9800 Savage Road
City: Fort George G. Meade
StateProv: MD
Country: US

NetRange: –
NetName: NCSC
NetHandle: NET-144-51-0-0-1
Parent: NET-144-0-0-0-0
NetType: Direct Assignment
Updated: 1997-11-17

RTechHandle: AMM32-ARIN
RTechName: McCool, Anna M.
RTechPhone: +1-301-688-5267

# ARIN WHOIS database, last updated 2008-05-14 19:10
# Enter ? for additional hints on searching ARIN’s WHOIS database.

Internet routing reachability for that /16 is announced by Qwest (AS 209):

>sh ip bgp
BGP routing table entry for, version 109664
Paths: (37 available, best #30, table Default-IP-Routing-Table)
3356 209 from (
Origin IGP, metric 0, localpref 100, valid, external, best
Community: 3356:3 3356:22 3356:86 3356:575 3356:666 3356:2008

And both these IPs (intuitively) are downstream from the same Qwest edge access router in DC. When trying to query these servers directly, as with the host -C (-C == compare SOAs) method used above, both timed out. Just to be sure, let’s try dig and see if there are still problems:

danny@pork% dig @ ns

; <<>> DiG 9.4.1-P1 <<>> @ ns
; (1 server found)
;; global options: printcmd
;; connection timed out; no servers could be reached

danny@pork% dig @ ns

; <<>> DiG 9.4.1-P1 <<>> @ ns
; (1 server found)
;; global options: printcmd
;; connection timed out; no servers could be reached

And this means mail servers that don’t have a locally cached copy of the record (that’s working towards expiry) won’t be able to resolve the IP address or identify the MX record for the domain, so no email either, even if the mail server is reachable and hosted elsewhere.

danny@pork% dig mx

; <<>> DiG 9.4.1-P1 <<>> mx
;; global options: printcmd
;; connection timed out; no servers could be reached

Also interesting is that is actually an alias for, so they’re presumably the same machine. This would mean that, an authoritative name server for, is also running a web server process, one that’s also not reachable at the moment:

danny@pork% host is an alias for has address

danny@pork% telnet !$ 80
telnet 80
telnet: connect to address Operation timed out
telnet: Unable to connect to remote host

Ahh, but alas, if you really need to reach you could try to google for the A record associated with (AND cross your fingers you get a legit one), see if an IP (e.g., is in the same address block as the servers above, which it’s not, and try to connect, which indeed you can, and it appears to be serving an page (though I’m not sure it’s a current or legit one):

danny@pork% telnet 80
Connected to
Escape character is ‘^]’.
telnet> q
Connection closed.

It’s interesting that both the authoritative servers are off a Qwest DC router, yet the web server itself is connected to AT&T and addressed out of space. With this, one of a few things has occurred:

  • NCSC has a security policy or router/network misconfiguration or network outage that’s causing this problem
  • They’ve got problems on the servers that result in neither authoritative server responding to DNS queries
  • They’ve got much bigger problems and raised the drawbridge (we’ve seen nothing in our attack databases targeting NSA or NCSC names or IP addresses)

So, what are the takeaways from this?

  • Running a web server on the same machine (or at least the same IP address) as an authoritative name server for isn’t necessarily an ideal separation of tasks. If one is owned or broken, the other is.
  • Just as with YouTube a week or so ago, no apparent separation of primary and secondary authoritative name servers for a DNS zone is a BAD thing (note: one might argue it’s set up this way for centralized control; duly noted, but I’m not buying it).
  • A DNS outage has the same effect as a completely effective DoS attack – from an end-user experience perspective. This just further highlights how fragile the Internet’s control plane (e.g., DNS & routing infrastructure) is.
  • READ RFC 2182
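The walk above (NS lookup, A lookup, per-server SOA query, whois on the /16) can be replayed as a small check that flags exactly the two failure modes in this post: no authoritative server answering, and every server sitting in one address block. This is an added example, not the author's own script; the zone names and addresses are constructed (documentation ranges), and the SOA serials stand in for what dig @server soa would have returned.

```python
import ipaddress
from collections import defaultdict

def prefix_of(ip, prefixlen=16):
    """Address block an IP falls in (a /16, matching the whois lookup above)."""
    return str(ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False))

def assess_zone(zone, servers, prefixlen=16):
    """Replay the post's checks on one zone.

    servers: list of (ns_name, ip, soa_serial); soa_serial is None when the
    direct SOA query to that server timed out, as both did above.
    Returns the reachable/unreachable split, the servers grouped by address
    block, and a list of findings (empty means nothing to report)."""
    findings = []
    serials = {name: serial for name, _, serial in servers if serial is not None}
    unreachable = [name for name, _, serial in servers if serial is None]
    groups = defaultdict(list)
    for name, ip, _ in servers:
        groups[prefix_of(ip, prefixlen)].append(name)

    if not serials:
        findings.append(f"{zone}: no authoritative server answered; "
                        "resolution fails once cached records expire")
    elif unreachable:
        findings.append(f"{zone}: unreachable servers: {', '.join(unreachable)}")
    if len(set(serials.values())) > 1:          # the comparison host -C does
        findings.append(f"{zone}: SOA serials disagree across servers: {serials}")
    if len(servers) < 2:
        findings.append(f"{zone}: only one authoritative server (RFC 2182 wants at least two)")
    elif len(groups) == 1:
        (block,) = groups
        findings.append(f"{zone}: all servers sit in {block}; one network "
                        "fault takes the whole zone down (RFC 2182)")
    return {"reachable": sorted(serials), "unreachable": unreachable,
            "blocks": dict(groups), "findings": findings}

# Constructed samples (hypothetical names, documentation-range addresses):
# the outage pattern from the post, and a zone laid out per RFC 2182.
OUTAGE = [("ns1.example.test", "198.51.100.5", None),
          ("ns2.example.test", "198.51.100.6", None)]
HEALTHY = [("ns1.example.test", "192.0.2.10", 2008051501),
           ("ns2.example.test", "198.51.100.10", 2008051501),
           ("ns3.example.test", "203.0.113.10", 2008051501)]

if __name__ == "__main__":
    for zone, servers in (("outage.test", OUTAGE), ("healthy.test", HEALTHY)):
        report = assess_zone(zone, servers)
        print(zone, "->", report["findings"] or ["OK"])
```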

I am told that NSA is aware of and working to resolve the problem; let’s hope it’s simply a misconfiguration of some sort.