I work for a DNS vendor and saw reports about DNS resolution errors when 
looking up names under dhhs.gov.
It looks like your servers are not returning non-existence answers over UDP 
which breaks servers that are trying to do DNS QNAME minimisation (See RFC 
7816).

Below are three queries that the servers should be capable of answering if they 
are following the DNS protocol correctly.  dhhs.gov is answered but 
foobar.dhhs.gov doesn’t return anything and I would expect a NXDOMAIN (Name 
Error) response.  Additionally 355.dhhs.gov should be returning a 
NODATA/NOERROR response at a minimum as it is part of your DNS servers' names.

If I ask the same questions over TCP instead of UDP I get answers.

This really smells like a misconfigured firewall.

Mark

% dig dhhs.gov @158.74.30.99

; <<>> DiG 9.19.11-dev <<>> dhhs.gov @158.74.30.99
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59012
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 7b8cd5530b5fa45190ac7ac264364fe858d1f83093c6da62 (good)
;; QUESTION SECTION:
;dhhs.gov. IN A

;; ANSWER SECTION:
dhhs.gov. 9000 IN A 52.7.111.176

;; Query time: 243 msec
;; SERVER: 158.74.30.99#53(158.74.30.99) (UDP)
;; WHEN: Wed Apr 12 16:30:00 AEST 2023
;; MSG SIZE  rcvd: 81

% dig foobar.dhhs.gov @158.74.30.99
;; communications error to 158.74.30.99#53: timed out
;; communications error to 158.74.30.99#53: timed out
;; communications error to 158.74.30.99#53: timed out

; <<>> DiG 9.19.11-dev <<>> foobar.dhhs.gov @158.74.30.99
;; global options: +cmd
;; no servers could be reached

[ant-7641:~/git/bind9] marka% dig 355.dhhs.gov @158.74.30.99
;; communications error to 158.74.30.99#53: timed out
;; communications error to 158.74.30.99#53: timed out
;; communications error to 158.74.30.99#53: timed out

; <<>> DiG 9.19.11-dev <<>> 355.dhhs.gov @158.74.30.99
;; global options: +cmd
;; no servers could be reached

% 

% dig dhhs.gov @158.74.30.99 +tcp

; <<>> DiG 9.19.11-dev <<>> dhhs.gov @158.74.30.99 +tcp
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18254
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 710a14c38e16a91fd4060d86643652ecca2dce18d21e3144 (good)
;; QUESTION SECTION:
;dhhs.gov. IN A

;; ANSWER SECTION:
dhhs.gov. 9000 IN A 52.7.111.176

;; Query time: 246 msec
;; SERVER: 158.74.30.99#53(158.74.30.99) (TCP)
;; WHEN: Wed Apr 12 16:42:52 AEST 2023
;; MSG SIZE  rcvd: 81

% dig 355.dhhs.gov @158.74.30.99 +tcp

; <<>> DiG 9.19.11-dev <<>> 355.dhhs.gov @158.74.30.99 +tcp
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56223
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: e10fe6bd8dccc0ed038bbff1643652fb582c8d51b5d3a25c (good)
;; QUESTION SECTION:
;355.dhhs.gov. IN A

;; AUTHORITY SECTION:
dhhs.gov. 3600 IN SOA rh120ns1.368.dhhs.gov. hostmaster.psc.hhs.gov. 2023021759 1200 300 2419200 3600

;; Query time: 246 msec
;; SERVER: 158.74.30.99#53(158.74.30.99) (TCP)
;; WHEN: Wed Apr 12 16:43:07 AEST 2023
;; MSG SIZE  rcvd: 137


% 
 -- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: ma...@isc.org
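As an added example (not part of Mark's message or any ISC code), a stdlib-only Python probe that repeats the three lookups above over UDP and then over TCP and flags the pattern he describes: a name that times out over UDP but is answered NXDOMAIN or NOERROR/NODATA over TCP. It assumes a plain query with no EDNS, a 3-second timeout, and the server and names from the report.

```python
import random
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qtype=1):
    qid = random.getrandbits(16)
    header = struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 0)  # flags 0: RD clear, as an iterative resolver asks
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")) + b"\x00"
    return qid, header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS IN

def parse_response(msg, expected_id):
    """Return (rcode name, ANCOUNT) from a raw reply; reject replies to ids we did not send."""
    qid, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if qid != expected_id or not flags & 0x8000:
        raise ValueError("not a response to our query")
    return RCODES.get(flags & 0xF, "RCODE%d" % (flags & 0xF)), ancount

def query(server, name, tcp=False, timeout=3.0):
    """Send one query over UDP or TCP; None means it timed out, as in the dig runs above."""
    qid, pkt = build_query(name)
    try:
        if tcp:  # RFC 1035 TCP framing: each message carries a two-byte length prefix
            with socket.create_connection((server, 53), timeout) as s:
                s.sendall(struct.pack("!H", len(pkt)) + pkt)
                f = s.makefile("rb")
                data = f.read(struct.unpack("!H", f.read(2))[0])
        else:
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.sendto(pkt, (server, 53))
                data = s.recv(4096)
    except socket.timeout:
        return None
    return parse_response(data, qid)

def describe(r):  # outcome named as in the report: timed out / NXDOMAIN / NOERROR/NODATA / NOERROR
    return "timed out" if r is None else "NOERROR/NODATA" if r == ("NOERROR", 0) else r[0]

def classify(udp, tcp):
    if udp is None and tcp is not None:  # the report's signature: UDP silent, TCP answers
        return "UDP timed out, TCP answered %s: a firewall is likely dropping this reply" % describe(tcp)
    if udp == tcp:
        return "consistent: %s" % describe(udp)
    return "transport-dependent: UDP %s vs TCP %s" % (describe(udp), describe(tcp))

if __name__ == "__main__":  # the three probes from the report, each over UDP and then TCP
    for n in ("dhhs.gov", "foobar.dhhs.gov", "355.dhhs.gov"):
        print(n, "->", classify(query("158.74.30.99", n), query("158.74.30.99", n, tcp=True)))
```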
