[dns-operations] ag.gov not providing NXDOMAIN responses

David Zych dmrz at illinois.edu
Tue Apr 9 18:09:20 UTC 2024

Does anyone happen to know the folks responsible for ns1.usda.gov. and ns2.usda.gov.?

I sent the following to the WHOIS "Security Email" for ag.gov (only non-redacted email I could find) on Mar 15, and haven't heard anything back.

I'm also curious if this is a scenario that we've seen much of in the wild?  I note that BIND `qname-minimization relaxed` seems to effectively work around many other kinds of authoritative server misbehavior, but not this one, and it doesn't look like I can turn off qname-minimization for just one domain.


-------- Forwarded Message --------
Subject: ag.gov DNS issue
Date: Fri, 15 Mar 2024 22:44:52 -0500

Hi, I'm the DNS service manager for the University of Illinois.

I'm reaching out to you about a technical problem I have noticed with the authoritative DNS nameservers for ag.gov. (which are ns1.usda.gov. and ns2.usda.gov.)

Please help make sure this email reaches the technical team responsible for administering those nameservers.

The problem: when queried for a record underneath ag.gov. which does not exist, these nameservers do not return a proper NXDOMAIN response; instead, they don't answer at all.  For example:

% dig +norec @ns1.usda.gov thissubdomaindoesnotexist.ag.gov a

; <<>> DiG 9.10.6 <<>> +norec @ns1.usda.gov thissubdomaindoesnotexist.ag.gov a
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

For comparison, here's an example of correct behavior from a different nameserver:

% dig +norec @ns1.google.com thissubdomaindoesnotexist.google.com a

; <<>> DiG 9.10.6 <<>> +norec @ns1.google.com thissubdomaindoesnotexist.google.com a
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 5935
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

; EDNS: version: 0, flags:; udp: 512
;thissubdomaindoesnotexist.google.com. IN A

google.com.		60	IN	SOA	ns1.google.com. dns-admin.google.com. 616068496 900 900 1800 60

;; Query time: 192 msec
;; WHEN: Fri Mar 15 22:20:41 CDT 2024
;; MSG SIZE  rcvd: 115

The practical trouble this causes has to do with an increasingly popular DNS privacy feature called QNAME Minimization, which depends upon authoritative DNS servers like yours responding in a standards-compliant way to queries like

_.ag.gov IN A
_.ars.ag.gov IN A
_.tucson.ars.ag.gov IN A

in order to eventually obtain the real answer for e.g. www.tucson.ars.ag.gov IN A in a privacy-preserving way.

Because ns1.usda.gov and ns2.usda.gov do not respond to those intermediate queries (allowing them to time out), recursive nameservers which implement QNAME Minimization will in general not be able to successfully resolve www.tucson.ars.ag.gov, thus preventing many people from reaching that website.

This came to my attention today because the University of Illinois uses the very popular ISC BIND nameserver which has enabled QNAME Minimization by default since version 9.14 (which was released in 2019), and I received a trouble ticket from a student on our campus who is unable to browse the www.tucson.ars.ag.gov website.

Please let me know if you have any questions.  You can read more about the feature at https://www.isc.org/blogs/qname-minimization-and-privacy/


David Zych (he/him)
Lead Network Service Engineer

University of Illinois Urbana-Champaign
Office of the Chief Information Officer
Technology Services

Under the Illinois Freedom of Information Act any written communication to or from university employees regarding university business is a public record and may be subject to public disclosure.
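As an added example (my own, not part of David's post or any ISC tool): a stdlib-only Python check that walks the intermediate names a QNAME-minimising resolver would send for a name under a zone, queries each one non-recursively like `dig +norec`, and reports whether the authoritative server answers with an RCODE or lets the query time out. The server address 192.0.2.53 is a documentation-range placeholder; the name and zone are the ones from the post.

```python
import socket
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def minimized_names(full_name, zone):
    """Names a QNAME-minimising resolver (RFC 9156) sends for full_name once it
    has reached the servers for zone: _.<zone>, then one label deeper each time,
    ending with the original name."""
    full = full_name.rstrip(".").split(".")
    z = zone.rstrip(".").split(".")
    if full[-len(z):] != z:
        raise ValueError("name is not below zone")
    below = full[:-len(z)]  # labels between the zone cut and the full name
    names = ["_." + ".".join(below[i:] + z) for i in range(len(below), 0, -1)]
    return names + [".".join(full)]

def build_query(name, qid=0x1234):
    """Minimal wire-format query for <name> IN A with RD clear (like dig +norec)."""
    header = struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN

def rcode_of(response):
    """RCODE name from the low four bits of a DNS response's flags word."""
    flags = struct.unpack("!H", response[2:4])[0]
    return RCODES.get(flags & 0x0F, "RCODE%d" % (flags & 0x0F))

def probe(server_ip, name, timeout=3.0):
    """Send one non-recursive A query over UDP; return the RCODE or 'TIMEOUT'."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server_ip, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return "TIMEOUT"
    return rcode_of(data)

def check_zone(server_ip, full_name, zone, probe_fn=probe):
    """Verdict per intermediate name. Any TIMEOUT (rather than NXDOMAIN/NOERROR)
    is the failure mode described above: minimising resolvers never get further."""
    return {n: probe_fn(server_ip, n) for n in minimized_names(full_name, zone)}

if __name__ == "__main__":
    # 192.0.2.53 is a documentation-range placeholder, not a real ag.gov server.
    for qname, verdict in check_zone("192.0.2.53", "www.tucson.ars.ag.gov", "ag.gov").items():
        print("%-32s %s" % (qname, verdict))
```

Run it against each of your own authoritative servers before enabling or relaxing qname minimisation on a resolver; a healthy zone shows NXDOMAIN or NOERROR on every line, never TIMEOUT.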