The domain apps.anatel.gov.br is not being resolved

luish.faria · February 27, 2023, 12:44pm

I don’t know if it is the right place to report it, but I couldn’t find another one.
The domain from the title is resolving using google’s dns, but not with Cloudflare. I’m observing this problem for some months now.

--- google
 ~  dig @8.8.8.8 apps.anatel.gov.br                                                                                          Mon Feb 27 09:20:00 2023

; <<>> DiG 9.10.6 <<>> @8.8.8.8 apps.anatel.gov.br
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61524
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;apps.anatel.gov.br.		IN	A

;; ANSWER SECTION:
apps.anatel.gov.br.	1266	IN	A	200.0.81.97

;; Query time: 53 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Feb 27 09:29:57 -03 2023
;; MSG SIZE  rcvd: 63

 ~  dig @1.1.1.1 apps.anatel.gov.br                                                                                          Mon Feb 27 09:29:57 2023




-- cloud flare
; <<>> DiG 9.10.6 <<>> @1.1.1.1 apps.anatel.gov.br
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 21810
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; OPT=15: 00 16 74 69 6d 65 20 6c 69 6d 69 74 20 65 78 63 65 65 64 65 64 ("..time limit exceeded")
;; QUESTION SECTION:
;apps.anatel.gov.br.		IN	A

;; Query time: 32 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Mon Feb 27 09:30:01 -03 2023
;; MSG SIZE  rcvd: 72

DarkDeviL · February 27, 2023, 2:13pm

anatel.gov.br has a broken set up with their name servers, which is the cause of this.

Their current set up, with pointing all their name servers towards the exact same network, is against Internet’s RFC2182 / Best Curent Practice (BCP-16), and doesn’t allow for proper redundancy / failover.

They are listing two IPv4 addresses, and two IPv6 addresses as being their name servers, where the two IPv6 addresses do not respond to any DNS queries at the moment.

So that’s the thing causing the flapping state, when the DNS randomly (or more permanently) crosses their broken name server IPvt6 addresses, you will see what you see here.

If you have any other ways of reaching out to anatel.gov.br, I would suggest that you contact them and tell them that their IPv6 name servers are broken, which is making the state of their domain flap around between working and not-working, as that would likely speed up the process of getting it fixed (more) permanently.