Old 02-02-2017, 07:43 AM   #1
Latitude
DNSSEC "passes" the test it should fail at dnssec-failed.org


I'm configuring a DNS Server on RHEL 6.8 with BIND 9.8.2rc1 and testing with DNSSEC with the server set up to intentionally fail DNSSEC (www.dnssec-failed.org) shows a successful test of DNS. Some help determining the cause would be great.

When running the command below it succeeds as it should:
Code:
dig @127.0.0.1 www.isc.org A +dnssec +multiline

However, when I run the command below to intentionally get a DNSSEC failure, it also passes (status: NOERROR) when it should actually fail:

Code:
 ~]# dig @127.0.0.1 www.dnssec-failed.org. A

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6 <<>> @127.0.0.1 www.dnssec-failed.org. A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38725
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 10

;; QUESTION SECTION:
;www.dnssec-failed.org.         IN      A

;; ANSWER SECTION:
www.dnssec-failed.org.  3535    IN      A       69.252.193.191
www.dnssec-failed.org.  3535    IN      A       68.87.109.242

;; AUTHORITY SECTION:
dnssec-failed.org.      82735   IN      NS      dns102.comcast.net.
dnssec-failed.org.      82735   IN      NS      dns103.comcast.net.
dnssec-failed.org.      82735   IN      NS      dns101.comcast.net.
dnssec-failed.org.      82735   IN      NS      dns105.comcast.net.
dnssec-failed.org.      82735   IN      NS      dns104.comcast.net.

;; ADDITIONAL SECTION:
dns102.comcast.net.     82735   IN      A       68.87.85.132
dns102.comcast.net.     82735   IN      AAAA    2001:558:1004:7:68:87:85:132
dns103.comcast.net.     82735   IN      A       68.87.76.228
dns103.comcast.net.     82735   IN      AAAA    2001:558:1014:c:68:87:76:228
dns105.comcast.net.     82735   IN      A       68.87.72.244
dns105.comcast.net.     82735   IN      AAAA    2001:558:100e:5:68:87:72:244
dns101.comcast.net.     82735   IN      A       69.252.250.103
dns101.comcast.net.     82735   IN      AAAA    2001:558:fe23:8:69:252:250:103
dns104.comcast.net.     82735   IN      A       68.87.68.244
dns104.comcast.net.     82735   IN      AAAA    2001:558:100a:5:68:87:68:244

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Feb  1 19:48:25 2017
;; MSG SIZE  rcvd: 407

Any ideas as to what the cause could be for DNSSEC to pass when it should indeed fail? I'm thinking of reconfiguring DNSSEC altogether at this point: turning it off, then adjusting one setting at a time to determine the root cause.
 
Old 02-02-2017, 09:21 AM   #2
Ellendhel
Did you set any forwarder in your BIND configuration? It seems that the answer that you get comes from Comcast.

I have never used Comcast and I don't know if their DNS servers are reliable or not, but if your DNS server relies on the ones from Comcast and they are lying... I know that Verizon does this: they provide answers for non-existent domains and redirect people to a "friendly error page".

If you really want to have a DNS server with DNSSEC, your server should be doing all the work itself, not using forwarders if possible.

Last edited by Ellendhel; 02-02-2017 at 03:16 PM. Reason: (minor typos)
 
Old 02-02-2017, 02:35 PM   #3
Latitude
After I read your post I looked again at my options section of named.conf and didn't see any forwarders, which I also originally searched for. I've included the options section of named.conf below.

Code:
options {
        // Server options
        directory "/var/named";
        auth-nxdomain yes;
        interface-interval 0;
        lame-ttl 900;
        listen-on-v6 { none; };
        version " ";
        zone-statistics yes;
        dump-file "data/named_dump.db";
        statistics-file "data/named.stats";
//      pid-file none;
        pid-file "/var/run/named/named.pid";

I'm still searching for other causes. The latest thing I tried was changing dnssec-validation from yes to auto but I saw no change in the failures. The //DNS Security section of the named.conf file is below:

Code:
 // DNS Security
        dnssec-enable yes;
        dnssec-validation auto;
        dnssec-lookaside auto;
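
Added example (not part of any post in this thread, and not code from BIND): a shell function that reads the header of a dig reply and reports what it says about validation, applied to the two tests described in the first post. The function name `dnssec_verdict` and its verdict strings are made up for this example, and the SERVFAIL and AD-flag replies are constructed samples.

```shell
#!/bin/sh
# usage: dig @127.0.0.1 NAME A [+dnssec] | dnssec_verdict bogus|signed
#   bogus  = NAME is deliberately mis-signed (www.dnssec-failed.org)
#   signed = NAME is correctly signed and dig was run with +dnssec
dnssec_verdict() {
    kind=$1
    reply=$(cat)
    # ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38725"
    status=$(printf '%s\n' "$reply" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    # ";; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, ..."
    flags=$(printf '%s\n' "$reply" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p' | head -n 1)
    answers=$(printf '%s\n' "$reply" | sed -n 's/.*ANSWER: \([0-9]*\),.*/\1/p' | head -n 1)
    [ -n "$status" ] || { echo UNPARSEABLE; return 2; }
    case "$kind:$status" in
        bogus:SERVFAIL)   # validation rejected the data; repeating with +cd should return it
            echo VALIDATING ;;
        bogus:NOERROR)    # bogus records were handed to the client
            if [ "${answers:-0}" -gt 0 ]; then echo NOT_VALIDATING; else echo INCONCLUSIVE; fi ;;
        signed:NOERROR)   # AD is set only when the resolver validated the answer
            case " $flags " in *" ad "*) echo VALIDATED ;; *) echo NOT_VALIDATED ;; esac ;;
        *)  echo INCONCLUSIVE ;;
    esac
}

# Header lines of the reply quoted in the first post.
page_reply() {
cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38725
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 10
EOF
}
# Constructed sample: the same query against a resolver that validates.
servfail_reply() {
cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1111
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
EOF
}
# Constructed sample: a correctly signed name queried with +dnssec.
validated_reply() {
cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2222
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
EOF
}

echo "post #1 reply:      $(page_reply | dnssec_verdict bogus)"
echo "validating sample:  $(servfail_reply | dnssec_verdict bogus)"
echo "signed + AD sample: $(validated_reply | dnssec_verdict signed)"
```

Against a live resolver, pipe the real dig output into the function instead of the embedded samples.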
 
  

