I hacked nsa.gov website? Bind question

I ran BIND on my FreeBSD installation. Resolving websites seemed OK until I tried to open 'nsa.gov' in my browser. BIND does not resolve that domain name for some reason. Is there something wrong with my BIND settings? (nsa.gov resolves fine through the 1.1.1.1 public DNS server)
Code:
# dig whitehouse.gov 

; <<>> DiG 9.18.24 <<>> whitehouse.gov 
;; global options: +cmd 
;; Got answer: 
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42815 
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 

;; OPT PSEUDOSECTION: 
; EDNS: version: 0, flags:; udp: 1232 
; COOKIE: 0d04ee740aa333be010000006624c6e7998274208052ad85 (good) 
;; QUESTION SECTION: 
;whitehouse.gov.            IN    A 

;; ANSWER SECTION: 
whitehouse.gov.        300    IN    A    192.0.66.168 

;; Query time: 1332 msec 
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP) 
;; WHEN: Sun Apr 21 12:57:27 +05 2024 
;; MSG SIZE  rcvd: 87 

# dig nsa.gov 

; <<>> DiG 9.18.24 <<>> nsa.gov 
;; global options: +cmd 
;; Got answer: 
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 957 
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 

;; OPT PSEUDOSECTION: 
; EDNS: version: 0, flags:; udp: 1232 
; COOKIE: d5a54bd701ce4b0d010000006624c6f07806081cf0ad5684 (good) 
;; QUESTION SECTION: 
;nsa.gov.            IN    A 

;; Query time: 1370 msec 
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP) 
;; WHEN: Sun Apr 21 12:57:36 +05 2024 
;; MSG SIZE  rcvd: 64
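The two dig runs above differ in more than the status code: the whitehouse.gov answer carries the `ad` (Authenticated Data) flag, which only a DNSSEC-validating resolver sets, while the nsa.gov query comes back SERVFAIL with no answer. The first thing a practitioner does with a SERVFAIL from a validating resolver is repeat the query with `+cd` (checking disabled) to tell a validation failure apart from a plain lookup failure. The script below is an added example, not code from this thread or from BIND: it parses the header and flags lines dig prints, applies that triage rule, and lists the follow-up commands. The first two sample headers are copied from the post above; the third (`NSA_CD`) is constructed to show the shape of a validation failure and is not a measured result.

```python
"""Read dig's header lines and decide what to check next on SERVFAIL.

Added example, not code from the thread or from BIND.  WHITEHOUSE and NSA
are the headers from the two dig runs in the post; NSA_CD is a constructed,
hypothetical '+cd' response used only to exercise the triage logic.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

_HEADER = re.compile(r";; ->>HEADER<<- opcode: (\w+), status: (\w+), id: (\d+)")
_FLAGS = re.compile(
    r";; flags:([a-z ]*); QUERY: (\d+), ANSWER: (\d+), AUTHORITY: (\d+), ADDITIONAL: (\d+)"
)


@dataclass
class DigHeader:
    status: str
    qid: int
    flags: Set[str] = field(default_factory=set)
    answers: int = 0

    @property
    def validated(self) -> bool:
        # 'ad' is set only when the resolver DNSSEC-validated the answer
        return "ad" in self.flags


def parse_dig(output: str) -> DigHeader:
    """Extract rcode, query id, flags and answer count from dig's output."""
    h = _HEADER.search(output)
    f = _FLAGS.search(output)
    if h is None or f is None:
        raise ValueError("dig header or flags line not found")
    return DigHeader(status=h.group(2), qid=int(h.group(3)),
                     flags=set(f.group(1).split()), answers=int(f.group(3)))


def triage(plain: DigHeader, with_cd: Optional[DigHeader] = None) -> str:
    """plain: the normal query; with_cd: the same query run with +cd."""
    if plain.status == "NOERROR":
        return "resolves" + (", DNSSEC-validated" if plain.validated else "")
    if plain.status != "SERVFAIL":
        return f"rcode {plain.status}: not a resolver failure"
    if with_cd is None:
        return "SERVFAIL: rerun with +cd to separate validation from lookup failure"
    if with_cd.status == "NOERROR":
        return "SERVFAIL only when validating: DNSSEC validation failure"
    return "SERVFAIL even with +cd: lookup failure (timeouts, unreachable name servers, config)"


def next_commands(name: str, server: str = "127.0.0.1") -> List[str]:
    """The dig/delv invocations to run next; all are standard BIND tools."""
    return [
        f"dig @{server} {name} +cd",       # skip validation, keep recursion
        f"dig @{server} {name} +dnssec",   # show RRSIGs and the ad flag
        f"delv @{server} {name}",          # validate locally and print the chain
        f"dig +trace +dnssec {name}",      # root-down walk with DS/RRSIG records
    ]


# Headers copied from the two dig runs in the post above.
WHITEHOUSE = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42815
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1"""
NSA = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 957
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1"""
# Constructed, hypothetical +cd response: what a validation failure looks like.
NSA_CD = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1"""

if __name__ == "__main__":
    print(triage(parse_dig(WHITEHOUSE)))
    print(triage(parse_dig(NSA)))
    print(triage(parse_dig(NSA), parse_dig(NSA_CD)))
    print("\n".join(next_commands("nsa.gov")))
```

If the `+cd` query succeeds where the plain one fails, the resolver is rejecting the answer rather than failing to fetch it, and `delv` plus named's log will say which record or key it could not validate. If both fail, the problem is on the lookup side (reachability of the authoritative servers, firewall, forwarder configuration).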
 
I use local_unbound for DNS. I have forwarder 8.8.8.8.
The following site is visible:
Code:
dig @8.8.8.8 www.nsa.gov
dig @127.0.0.1 www.nsa.gov
I mean I also get this nsa.gov site resolved if I use a fallback second public dns nameserver in /etc/resolv.conf. Which is the same functionality as setting a forwarder in named.conf, I think. The question remains. Why is nsa.gov not DNS resolved by a recursive bind from my location? Is the US government down?? *panicky face*
 
Attention whore.
 
My /etc/resolv.conf :
nameserver 127.0.0.1

I think you are doing something wrong in your bind configuration. Not the U.S. government...
 
You mean uncommenting and changing forwarders { 127.0.0.1; }; to { 8.8.8.8; }; in named.conf? That still doesn't resolve nsa.gov.
In either case this shouldn't change anything since this part of your config is inside a multiline comment. I don't think it's a good idea to set localhost as forwarder because a forwarder is a server your server will send its queries to so it shouldn't "forward" queries to itself.

I suggest you start fresh with a copy of the default config and note down the lines you changed.

If your server doesn't have a name in its cache it will need to look it up, which it can do recursively (start at the root servers and work its way down the DNS hierarchy) or it can do by forwarding the query to a public DNS server (these are usually resolvers). So in this way, setting a server in your client's resolv.conf is similar to setting a forwarder in your server's config. You could also do a "DNS trace" using the dig query option "+trace"; maybe this will give you more info. Here I am using drill since I don't have dig installed.

Code:
➜  ~ drill -T nsa.gov
.    518400    IN    NS    h.root-servers.net.
.    518400    IN    NS    c.root-servers.net.
.    518400    IN    NS    g.root-servers.net.
.    518400    IN    NS    k.root-servers.net.
.    518400    IN    NS    i.root-servers.net.
.    518400    IN    NS    d.root-servers.net.
.    518400    IN    NS    m.root-servers.net.
.    518400    IN    NS    e.root-servers.net.
.    518400    IN    NS    f.root-servers.net.
.    518400    IN    NS    a.root-servers.net.
.    518400    IN    NS    l.root-servers.net.
.    518400    IN    NS    b.root-servers.net.
.    518400    IN    NS    j.root-servers.net.
gov.    172800    IN    NS    a.ns.gov.
gov.    172800    IN    NS    b.ns.gov.
gov.    172800    IN    NS    c.ns.gov.
gov.    172800    IN    NS    d.ns.gov.
nsa.gov.    10800    IN    NS    a1-107.akam.net.
nsa.gov.    10800    IN    NS    a11-66.akam.net.
nsa.gov.    10800    IN    NS    a12-67.akam.net.
nsa.gov.    10800    IN    NS    a2-64.akam.net.
nsa.gov.    10800    IN    NS    a24-65.akam.net.
nsa.gov.    10800    IN    NS    a5-66.akam.net.
nsa.gov.    20    IN    A    23.212.221.216
 
It would be pretty funny if the NSA DNS cache poisoned you.

Don't uncomment the 127.0.0.1 forwarder because that will just loop.
 
Drill actually worked (note the different IP, by the way):
Code:
# drill -T nsa.gov
.    518400    IN    NS    m.root-servers.net.
.    518400    IN    NS    l.root-servers.net.
.    518400    IN    NS    h.root-servers.net.
.    518400    IN    NS    d.root-servers.net.
.    518400    IN    NS    b.root-servers.net.
.    518400    IN    NS    e.root-servers.net.
.    518400    IN    NS    i.root-servers.net.
.    518400    IN    NS    f.root-servers.net.
.    518400    IN    NS    g.root-servers.net.
.    518400    IN    NS    c.root-servers.net.
.    518400    IN    NS    j.root-servers.net.
.    518400    IN    NS    k.root-servers.net.
.    518400    IN    NS    a.root-servers.net.
gov.    172800    IN    NS    a.ns.gov.
gov.    172800    IN    NS    b.ns.gov.
gov.    172800    IN    NS    c.ns.gov.
gov.    172800    IN    NS    d.ns.gov.
nsa.gov.    10800    IN    NS    a1-107.akam.net.
nsa.gov.    10800    IN    NS    a11-66.akam.net.
nsa.gov.    10800    IN    NS    a12-67.akam.net.
nsa.gov.    10800    IN    NS    a2-64.akam.net.
nsa.gov.    10800    IN    NS    a24-65.akam.net.
nsa.gov.    10800    IN    NS    a5-66.akam.net.
nsa.gov.    20    IN    A    104.76.137.30
But dig still produces SERVFAIL status and doesn't resolve. Drill took a while, so maybe there's some timeout issue somewhere?
 
OK, drill +trace shows some sort of a timeout in between, but then does acquire the target.

Code:
# dig +trace nsa.gov

; <<>> DiG 9.18.24 <<>> +trace nsa.gov
;; global options: +cmd
.            517439    IN    NS    c.root-servers.net.
.            517439    IN    NS    m.root-servers.net.
.            517439    IN    NS    i.root-servers.net.
.            517439    IN    NS    b.root-servers.net.
.            517439    IN    NS    j.root-servers.net.
.            517439    IN    NS    d.root-servers.net.
.            517439    IN    NS    e.root-servers.net.
.            517439    IN    NS    f.root-servers.net.
.            517439    IN    NS    h.root-servers.net.
.            517439    IN    NS    a.root-servers.net.
.            517439    IN    NS    g.root-servers.net.
.            517439    IN    NS    k.root-servers.net.
.            517439    IN    NS    l.root-servers.net.
.            517440    IN    RRSIG    NS 8 0 518400 20240510050000 20240427040000 5613 . YWi6TH/IMGys165mY/Pcb5c2uSKmfmhS2jwg5vVKR6+4SoV5gAInXnye z9sR1a3UL3jACIZDrWJ22HG1rK61io7fHLYbZ+QFNf2vICqqumLC/tLA hLqI8kYtXTnXG8YCjxWE2f+klYDFmtCYGePbjMJD4kQAs9rg0ssvVTJT OS+AcAVb6rXE1qxJ189tKzH3Ys1HZABE+aruXt02TqB7etM8xC3QcbYm TB0iib32ezDnz6cZt4VWxj4BH3jtguAk9M2/l150lLS9v+fWYmKkgGbb pmXA/32b0dEApYG6WJy+2RmuEw0r6CpOziE/6U8i8WJtTkRna2NZgBYC QfS/aA==
;; Received 1137 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms

;; communications error to 199.7.91.13#53: timed out
;; communications error to 199.7.91.13#53: timed out
;; communications error to 199.7.91.13#53: timed out
gov.            172800    IN    NS    a.ns.gov.
gov.            172800    IN    NS    b.ns.gov.
gov.            172800    IN    NS    c.ns.gov.
gov.            172800    IN    NS    d.ns.gov.
gov.            86400    IN    DS    64280 8 2 D66CDDA12234C22C5E6FD1C894DBD682FE7967E111793485A281972B FB164377
gov.            86400    IN    RRSIG    DS 8 1 86400 20240510050000 20240427040000 5613 . Blze1+o0KjU0sicU6azPIaOEbTImFzSHZ9ieB/zigKlFhd3ZkwqF9Fc/ pMKOl2VZhSezqlZC9usSqYthUW4S+tL1L6Xq67SOIWvPTXaimn92uDbV qrtNmdEjhDCoNW/NtstHzI7wx+8gPTgdlAkRaLY825ZrHsrIA3DR+LJ4 y9NJvzPBf+A2FyDMSRqERw3kmFidpCd92GQckoZrs3vi0EGbyBVdMvJo 44KBfpfiTTyWGvxhfkjcyOEkd8izTdsCq0H8bI7Zcjuo+4Dj9Uv862yG nCzQfghIRSQrEeesqU9TepKEuPVodpb/kvx9AHf+9A7ylQ3eNMoXFs7f 9rBkPg==
;; Received 614 bytes from 193.0.14.129#53(k.root-servers.net) in 26 ms

nsa.gov.        10800    IN    NS    a1-107.akam.net.
nsa.gov.        10800    IN    NS    a11-66.akam.net.
nsa.gov.        10800    IN    NS    a12-67.akam.net.
nsa.gov.        10800    IN    NS    a2-64.akam.net.
nsa.gov.        10800    IN    NS    a24-65.akam.net.
nsa.gov.        10800    IN    NS    a5-66.akam.net.
nsa.gov.        3600    IN    DS    29356 7 2 17C346B94BE3BDA883BC22D195B3A8AA4CCDADFC43B26B5C659D70AF 58E8FD5C
nsa.gov.        3600    IN    RRSIG    DS 8 2 3600 20240428114504 20240426094504 10104 gov. R/eW3StY+Uf754/VEerq5LJALZwz8dj01fSI++RulSBtPNqQptUq7tBz ktqFBOcCQYmpoORAiInRwXzX5Ic4cNYDTm0mGdQEf5szaVuLUgEf0HPM Kv4B8l0BTa4GaN3uWRTa9oFjag+DVEB6zznJKyuTl8unSMrV5cbR+w4X a+bVgoIAXAcvljIWFiB8DxK154JiT2vpjYab84grnRnrlQ==
;; Received 411 bytes from 199.33.230.1#53(a.ns.gov) in 46 ms

nsa.gov.        20    IN    A    104.80.250.190
nsa.gov.        20    IN    RRSIG    A 7 2 20 20240430074254 20240427064254 55988 nsa.gov. rJzVUeslZ92Q9OIodAkRjWLOvXAmHqAnkQyI3xzB9jTpPMaiomn/jddN lyH9nqBx6HtbhEwxkkved2VWffqmbhitp5f786FYzti3IfbUyh0l5mi1 c6dZS/LBnfSOJSNBmTix5ueyNy0i3x45rWa1MbZa9s7MJBo1XKMvwsfZ Y/k=
;; Received 219 bytes from 84.53.139.66#53(a11-66.akam.net) in 89 ms
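The trace above is the root-down walk the earlier reply describes: the root servers hand out a referral for gov., a.ns.gov hands out one for nsa.gov, and an Akamai server finally answers. It also shows the failure mode that matters here: three timeouts to 199.7.91.13 (l.root-servers.net) before k.root-servers.net answered, which is why the walk "took a while" but still completed. The simulation below is an added example, not code from the thread or from BIND or drill; it implements that iterative walk over a constructed in-memory hierarchy that mirrors the delegation in the trace, retries each server a few times, moves on to the next server in the NS set on timeout, and raises (the equivalent of SERVFAIL) only when every server in a set stays silent. The set of servers that "time out" is an assumption chosen to reproduce the three timeouts seen above.

```python
"""Simulated iterative (root-down) resolution, the walk dig +trace and
drill -T print.  Added example, not code from the thread, BIND or drill.

ZONES is constructed to mirror the delegation in the trace (root -> gov ->
nsa.gov).  DEAD is an assumption: the servers that never answer.
"""
from typing import Dict, List, Optional, Set, Tuple

# Constructed hierarchy: each zone lists its name servers and either the
# delegations (referrals) it hands out or the records it answers for.
ZONES: Dict[str, dict] = {
    ".": {
        "ns": ["l.root-servers.net.", "k.root-servers.net.", "a.root-servers.net."],
        "delegations": {"gov.": ["a.ns.gov.", "b.ns.gov."]},
    },
    "gov.": {
        "ns": ["a.ns.gov.", "b.ns.gov."],
        "delegations": {"nsa.gov.": ["a1-107.akam.net.", "a11-66.akam.net."]},
    },
    "nsa.gov.": {
        "ns": ["a1-107.akam.net.", "a11-66.akam.net."],
        "records": {"nsa.gov.": "104.80.250.190"},
    },
}

# Assumption: these servers never answer (models the 'timed out' lines).
DEAD: Set[str] = {"l.root-servers.net."}


class Timeout(Exception):
    pass


class ResolveError(Exception):
    """Every server in an NS set timed out: what a resolver reports as SERVFAIL."""


def query(server: str, zone: str, qname: str, dead: Set[str]) -> Tuple:
    """One query to one authoritative server of `zone`.  Returns
    ("ANSWER", ip), ("REFERRAL", child_zone, [ns, ...]) or ("NXDOMAIN",)."""
    if server in dead:
        raise Timeout(server)
    z = ZONES[zone]
    if qname in z.get("records", {}):
        return ("ANSWER", z["records"][qname])
    for child, nses in z.get("delegations", {}).items():
        # a referral covers the child apex and everything below it
        if qname == child or qname.endswith("." + child):
            return ("REFERRAL", child, nses)
    return ("NXDOMAIN",)


def resolve(qname: str, dead: Set[str] = DEAD,
            retries: int = 3) -> Tuple[Optional[str], List[str]]:
    """Walk from the root following referrals; return (ip or None, trace lines)."""
    trace: List[str] = []
    zone, servers = ".", ZONES["."]["ns"]
    while True:
        result = None
        for server in servers:
            for _ in range(retries):
                try:
                    result = query(server, zone, qname, dead)
                    break
                except Timeout:
                    trace.append(f"communications error to {server}: timed out")
            if result is not None:
                trace.append(f"{result[0]} for {qname} from {server} (zone {zone})")
                break
        if result is None:
            raise ResolveError(f"no server for zone {zone} answered")
        if result[0] == "ANSWER":
            return result[1], trace
        if result[0] == "NXDOMAIN":
            return None, trace
        _, zone, servers = result   # follow the referral one level down


if __name__ == "__main__":
    ip, lines = resolve("nsa.gov.")
    print("\n".join(lines))
    print("A", ip)
```

The retry-then-move-on loop is what keeps a single unreachable root server from breaking the lookup; a resolver only fails the query when a whole NS set is unreachable, which is the lookup-side explanation for a SERVFAIL and is worth ruling out (firewall, upstream filtering) before looking at DNSSEC. On that side, note that the DS record for nsa.gov in the trace above uses algorithm 7 (RSASHA1-NSEC3-SHA1), and `delv @127.0.0.1 nsa.gov` will report whether the local resolver accepts a chain signed with it.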
 
Drill took a while
For me it took like a minute to complete so I think it's normal.

Personally I'd create a plain, fresh install in a VM and install only bind, with as direct an internet connection as possible (no firewall or anything), to rule out any potential causes. Maybe it isn't even a bind issue. If you can, also try with a different ISP.
 