Re: what is wrong with DNS name 'covid19booster.healthservice.ie' ? : Google : what is Google's secret DNS service ?

Mon, 10 Jan 2022 04:08:01 -0800 


> On 9 Jan 2022, at 13:11, Jason Vas Dias <jason.vas.d...@gmail.com> wrote:
> 
> Thanks to all who responded !
> Yes, removing my Forwarders list did the trick .
> Never trust an ISP's DNS servers!

I’m late to the party, but anyway several issues are worth pointing out.

- First, there is no Hidden Google Internet, but Google is lousier than others 
when resolving DNS names. 
Their public DNS service does tolerate some misconfigurations. So you can find 
that they resolve names
that fail on other servers. And it’s not necessarily that your ISP servers are 
broken. Maybe they are more strict.

Microsoft has played this game for years with disastrous security consequences, 
like ignoring MIME types and guessing
file types.

In my opinion Google is misbehaving. They are playing the “I am better than 
others” card in the same way as Microsoft did.



- Second: Bind is getting stricter, tolerating less DNS configuration flaws 
than before.

That can result in failed queries. An example: 

        $ dig aes.orange.es TYPE65 @your.bind.ip.address

        $ dig the same @8.8.8.8

It is a good idea to check your domains using the DNS Flag Day checkers. 

And a good reference to test for DNS misconfiguration is DNSVIZ, which is not 
only useful to check DNSSEC records. It
is extremely picky about DNS records consistency.

For example, if you check healthservice.ie on DNSVIZ you will see this result:

https://dnsviz.net/d/healthservice.ie/dnssec/

With two warnings:

        • ie to healthservice.ie: The following NS name(s) were found in the 
authoritative NS RRset, but not in the delegation NS RRset (i.e., in the ie 
zone): ns1.ie.topsec.com, ns2.ie.topsec.com, ns4.eu.topsec.com, 
ns3.ca.topsec.com
        • ie to healthservice.ie: The following NS name(s) were found in the 
delegation NS RRset (i.e., in the ie zone), but not in the authoritative NS 
RRset: ns3.ca.topsectechnology.net, ns4.eu.topsectechnology.net, 
ns1.ie.topsectechnology.net, 
ns2.ie.topsectechnology.net


I would say it is a lousy configuration.

Cheers,





Borja.



_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Reply via email to