ntech
September 15, 2022, 7:42pm
1
We have a local bank which is at bellco dot org. It doesn’t resolve on 1.1.1.1, but resolves on others. Searching other issues indicated it might be a DNSSEC misconfiguration. However, I checked it at verisignlabs dnssec-analyzer and there seem to be no problems.
Any thoughts on why it does not show up in Cloudflared DNS, and what I could tell the company to fix?
fritex
September 15, 2022, 8:19pm
2
Works on my end using 1.1.1.1 DNS
DNSSEC is enabled and fine so far.
ntech
September 15, 2022, 8:28pm
3
Interesting. When I do it from the command line, it doesn’t work:
ntech@server:~$ nslookup bellco.org 1.1.1.1
Server: 1.1.1.1
Address: 1.1.1.1#53
** server can't find bellco.org: SERVFAIL
ntech@server:~$ nslookup bellco.org 8.8.8.8
Server: 8.8.8.8
Address: 8.8.8.8#53
Non-authoritative answer:
Name: bellco.org
Address: 23.185.0.3
Name: bellco.org
Address: 2620:12a:8000::3
Name: bellco.org
Address: 2620:12a:8001::3
fritex
September 15, 2022, 8:31pm
4
I wonder if the local ISP is maybe blocking something, or if there’s something on the network
From my end:
$ nslookup bellco.org 1.1.1.1
Server: 1.1.1.1
Address: 1.1.1.1#53
Non-authoritative answer:
Name: bellco.org
Address: 23.185.0.3
Name: bellco.org
Address: 2620:12a:8000::3
Name: bellco.org
Address: 2620:12a:8001::3
dig trace is also ok.
Or wait a bit, maybe not so
Testing online, Cloudflare failed to respond?
1 Like
ntech
September 15, 2022, 8:34pm
5
Yes, I’m getting the same failure with dig on 1.1.1.1, but working on 8.8.8.8:
ntech@server:~$ dig @1.1.1.1 bellco.org
; <<>> DiG 9.18.1-1ubuntu1.1-Ubuntu <<>> @1.1.1.1 bellco.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 29888
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; EDE: 9 (DNSKEY Missing): (no SEP matching the DS found for open-techs.com.)
;; QUESTION SECTION:
;bellco.org. IN A
;; Query time: 2215 msec
;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)
;; WHEN: Thu Sep 15 14:33:20 MDT 2022
;; MSG SIZE rcvd: 93
ntech@server:~$ dig @8.8.8.8 bellco.org
; <<>> DiG 9.18.1-1ubuntu1.1-Ubuntu <<>> @8.8.8.8 bellco.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11429
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;bellco.org. IN A
;; ANSWER SECTION:
bellco.org. 454 IN A 23.185.0.3
;; Query time: 19 msec
;; SERVER: 8.8.8.8#53(8.8.8.8) (UDP)
;; WHEN: Thu Sep 15 14:33:37 MDT 2022
;; MSG SIZE rcvd: 55
ntech
September 15, 2022, 9:14pm
6
Thanks for the site, I’m seeing those results that Cloudflare isn’t returning anything for this domain:
Lumito
September 15, 2022, 9:22pm
7
Works also fine for me:
dig @1.1.1.1 bellco.org
; <<>> DiG 9.16.27 <<>> @1.1.1.1 bellco.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42371
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;bellco.org. IN A
;; ANSWER SECTION:
bellco.org. 896 IN A 23.185.0.3
;; Query time: 28 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Thu Sep 15 23:20:33 CEST 2022
;; MSG SIZE rcvd: 55
Have you tried restarting your computer? If it still doesn’t work, would you mind changing your DNS servers to 162.159.36.1 and 162.159.46.1, and try again?
Hope it helps!
ntech
September 15, 2022, 9:34pm
8
Thanks, I tried, and it seems to be complaining about a missing DNSKEY on the domain:
ntech@server:~$ dig @162.159.36.1 bellco.org
; <<>> DiG 9.18.1-1ubuntu1.1-Ubuntu <<>> @162.159.36.1 bellco.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 54584
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; EDE: 9 (DNSKEY Missing): (no SEP matching the DS found for open-techs.com.)
;; QUESTION SECTION:
;bellco.org. IN A
;; Query time: 1795 msec
;; SERVER: 162.159.36.1#53(162.159.36.1) (UDP)
;; WHEN: Thu Sep 15 15:28:38 MDT 2022
;; MSG SIZE rcvd: 93
But then not everyone is getting it
Lumito
September 15, 2022, 9:38pm
9
I’ve run a test on a different website, and it showed some warnings and errors complaining, mainly, about DNSSEC.
https://dnsviz.net/d/bellco.org/dnssec/
Hope it helps!
2 Likes
fritex
September 15, 2022, 9:46pm
10
Lumito:
warnings and errors
Old algorithm 7 being used, which …
Ye, a bit weird
1 Like
ntech
September 15, 2022, 9:48pm
11
Thanks @fritex and @Lumito! I’ve taken the information you’ve found and sent it to the bank. Hopefully their web team can address it.
1 Like