is there a global DNS issue happening?

26 points | gnarbarian | 3 years ago | faa.gov

32 comments

[+] ttymck|3 years ago|reply
It looks like their DNS is not resolving. How do we know they are under attack?
[+] mariojv|3 years ago|reply
Whatever is going on seems to be intermittent from querying my ISP's DNS.

Successive queries using dig have given me:

- No answer but no error for initial A record query

- SERVFAIL for ANY record query

- Valid A record response for A record query, then no answer, then a response

- Query for ANY shows some DNSSEC related records, TXT, NS, but no A record

It's weird because I wouldn't think whatever caching my ISP is doing would refresh that fast. What is the evidence this is an attack vs. a misconfiguration?

Also, would an outage like this have any impact on US flights or flights in US airspace?

[+] AdamJacobMuller|3 years ago|reply
Keep in mind when you query your ISP's DNS server you're probably hitting one of dozens (or more) actual servers semi-randomly. Some of them have the record cached, some don't.
[+] JdeBP|3 years ago|reply
There is some major outage going on, but it isn't the FAA. 1.1.1.1, 1.0.0.1, and 9.9.9.9 are suddenly unreachable from my part of the planet. 8.8.8.8 is, otherwise I wouldn't be able to post this. Many WWW sites that I know are behind CloudFlare are timing out. These aren't DNS issues. These are connectivity issues. The actual DNS servers themselves aren't reachable.
[+] JdeBP|3 years ago|reply
Of course, when it looks like most of the planet has disappeared, always suspect your ISP first. But strangely, there is intermittent connectivity to Bing, BBC News, and here.
[+] AdamJacobMuller|3 years ago|reply
I see 155.178.199.16 now intermittently responding.

All of the other NSes have been hard down, and 155.178.199.16 only seems to respond from some locations (broadly US works, International does not)

[+] AdamJacobMuller|3 years ago|reply
Inspecting the result for `faa.gov` from 155.178.199.16 is interesting:

    ; <<>> DiG 9.11.5-P4-5.1+deb10u8-Debian <<>> +noedns faa.gov @155.178.199.16
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28118
    ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
    ;; WARNING: recursion requested but not available
    
    ;; QUESTION SECTION:
    ;faa.gov.   IN A
    
    ;; AUTHORITY SECTION:
    faa.gov.  300 IN SOA faa-mc-igms.faa.gov. helpdesk.faa.gov. 172720 10800 1080 2419200 300
    
    ;; Query time: 558 msec
    ;; SERVER: 155.178.199.16#53(155.178.199.16)
    ;; WHEN: Tue Apr 04 02:47:54 UTC 2023
    ;; MSG SIZE  rcvd: 82

but 155.178.199.16 seems to respond to www.faa.gov correctly:

    ;; QUESTION SECTION:
    ;www.faa.gov.   IN A
    
    ;; ANSWER SECTION:
    www.faa.gov.  600 IN CNAME www.faa.gov.edgekey.net.
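
Added example, not part of any comment in this thread: a small Python classifier for dig text output that separates the cases reported above (NOERROR with an empty answer section, SERVFAIL, a real answer). The function name `classify` and the sample variable names are hypothetical, and the header lines of `WWW` are constructed because the thread quotes only its sections.

```python
import re

# Abridged from the apex response quoted in the thread.
APEX = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28118
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;faa.gov.   IN A
;; AUTHORITY SECTION:
faa.gov.  300 IN SOA faa-mc-igms.faa.gov. helpdesk.faa.gov. 172720 10800 1080 2419200 300
"""
# Constructed sample: the two header lines are assumed, the sections are from the thread.
WWW = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.faa.gov.   IN A
;; ANSWER SECTION:
www.faa.gov.  600 IN CNAME www.faa.gov.edgekey.net.
"""

def classify(dig_text):
    """Return (verdict, authoritative) for one dig response in text form."""
    status = re.search(r"status: (\w+)", dig_text)
    flags = re.search(r"flags: ([a-z ]*);", dig_text)
    answers = re.search(r"ANSWER: (\d+)", dig_text)
    if not (status and flags and answers):
        return ("UNPARSEABLE", False)
    aa = "aa" in flags.group(1).split()   # answer came from an authoritative server
    rcode, count = status.group(1), int(answers.group(1))
    if rcode != "NOERROR":
        return (rcode, aa)                # SERVFAIL, NXDOMAIN, REFUSED, ...
    if count > 0:
        return ("ANSWER", aa)
    # NOERROR with no answers and an SOA in the authority section is NODATA
    # (RFC 2308): the name exists but has no record of the requested type.
    has_soa = re.search(r"^\S+\s+\d+\s+IN\s+SOA\s", dig_text, re.M) is not None
    return ("NODATA" if has_soa else "EMPTY_OR_REFERRAL", aa)

if __name__ == "__main__":
    for label, text in (("faa.gov A", APEX), ("www.faa.gov A", WWW)):
        print(label, classify(text))
```

An authoritative NODATA for the apex alongside a normal answer for `www` means the server is up and serving the zone, and only the apex A record is absent from what it returns.
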
[+] avdata99|3 years ago|reply
I added some NS records for different domains at GoDaddy and Gandi and they are not being propagated. This has been happening since last Friday.
[+] 3np|3 years ago|reply
Do we have any source for the current title claim ("FAA DNS is under attack")?

What we have observed so far is intermittent issues but no root cause or intent. Operator error / system failure look more likely.

[+] AdamJacobMuller|3 years ago|reply
I agree considering the responses I'm seeing from the one working server.

If I had to guess randomly at a cause, I would speculate that all their nameservers besides 155.178.199.16 are behind a load balancer that uses checking for IN A faa.gov as a health check and someone deleted that record, so, all servers fell out of the load balancer.

50c says that their method of propagating new records relies on their DNS working so someone is having a fun night fixing that.

[+] AdamJacobMuller|3 years ago|reply
Could be a lot of things besides an attack, but, does appear to be a global outage of both of the authoritative servers for faa.gov for all of their various A/AAAA addresses which gov-servers lists.
[+] x3n0ph3n3|3 years ago|reply
Under attack or someone screwed up and deleted an A record?
[+] AustinDev|3 years ago|reply
I'm seeing no A or CNAME records on my end. Just SPF, NS, MX, TXT, etc
[+] mlrubenews|3 years ago|reply
what is this site called again? some folks would do good to google "jvns.ca dns"

```
> dog -n 1.1.1.1 -t A faa.gov
[prints the A record]

> dog -n 8.8.8.8 -t A faa.gov
Server failure.
```