Www.maybank2e.com doesn't resolve on 1.1.1.1 with SERVFAIL error

tech32 · April 19, 2022, 8:51am

Relevant tests and outputs below:

$ dig www.maybank2e.com @1.1.1.1

; <<>> DiG 9.18.1 <<>> www.maybank2e.com @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 62098
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; EDE: 22 (No Reachable Authority): (time limit exceeded)
;; QUESTION SECTION:
;www.maybank2e.com.		IN	A

;; Query time: 6 msec
;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)
;; WHEN: Tue Apr 19 16:46:11 +08 2022
;; MSG SIZE  rcvd: 71

$ dig www.maybank2e.com @1.0.0.1

; <<>> DiG 9.18.1 <<>> www.maybank2e.com @1.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 55464
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; EDE: 22 (No Reachable Authority): (time limit exceeded)
;; QUESTION SECTION:
;www.maybank2e.com.		IN	A

;; Query time: 6 msec
;; SERVER: 1.0.0.1#53(1.0.0.1) (UDP)
;; WHEN: Tue Apr 19 16:46:36 +08 2022
;; MSG SIZE  rcvd: 71

$ dig www.maybank2e.com @8.8.8.8

; <<>> DiG 9.18.1 <<>> www.maybank2e.com @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29352
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.maybank2e.com.		IN	A

;; ANSWER SECTION:
www.maybank2e.com.	2	IN	CNAME	e3dnkth.x.incapdns.net.
e3dnkth.x.incapdns.net.	3	IN	A	45.60.126.208

;; Query time: 13 msec
;; SERVER: 8.8.8.8#53(8.8.8.8) (UDP)
;; WHEN: Tue Apr 19 16:46:59 +08 2022
;; MSG SIZE  rcvd: 98

$ dig +short CHAOS TXT id.server @1.1.1.1
"KUL"

$ dig +short CHAOS TXT id.server @1.0.0.1
"KUL"

Prefer not to share my ip, sorry about that

Do let me know if there’s any other info I can share.

Thanks!

soldier_21 · April 19, 2022, 10:17am

I’ll ping the DNS wizards for you @mvavrusa @milk

domjh · April 19, 2022, 10:34am

One of the nameservers on that domain (EXTDNS2.MAYBANK.COM.MY) seems not to resolve, not sure if that has anything to do with it.

KianNH · April 19, 2022, 10:35am

Seems to be an issue with one of the domain’s nameservers not existing in DNS (specifically extdns2.maybank.com.my) which also causes a DNSSEC failure.

; EDE: 1 (Unsupported DNSKEY Algorithm): (failed to verify e3dnkth.x.incapdns.net. A: unsupported key size, DNSKEY incapdns.net., id = 51528)
; EDE: 22 (No Reachable Authority): (time limit exceeded)

The domain has 3 nameservers.

maybank2e.com.		172800	IN	NS	extdns.maybank.com.my.
maybank2e.com.		172800	IN	NS	extdns2.maybank.com.my.
maybank2e.com.		172800	IN	NS	extdns3.maybank.com.my.

extdns2.maybank.com.my doesn’t resolve to anything and during the DNSSEC chain lookup, it causes a failure.

maybank2e.com zone: The following NS name(s) did not resolve to address(es): extdns2.maybank.com.my

com to maybank2e.com: The following NS name(s) were found in the delegation NS RRset (i.e., in the com zone), but not in the authoritative NS RRset: extdns2.maybank.com.my

https://dnsviz.net/d/maybank2e.com/dnssec/

Kay5143 · April 19, 2022, 1:57pm

Primary name server in the SOA… “maybank.gridmaster”, what’s that supposed to mean,?

Also, extdns2.maybank.com.my is MIA

tech32 · April 19, 2022, 2:16pm

Thanks a bunch for debugging this. So am I right that extdns2.maybank.com.my being missing is causing DNSSEC errors which is then what is causing 1.1.1.1 to not return the record due to the failure to verify the DNSSEC chain?

This is the corporate banking portal my business uses and noticed recently they’ve been not reachable on my home network which uses 1.1.1.1 . That being said, noticed that 8.8.8.8 happily returns the ip address of the server.

Just curious, in this case, is 8.8.8.8’s behaviour correct or is 1.1.1.1?

Side note, will be submitting the above in an email to bank IT support Let’s see how long it takes for them to fix it.

tech32 · April 19, 2022, 2:29pm

So, a weird development:

1.1.1.1 is now returning an IP for www.maybank2e.com but extdns2.maybank.com.my still seems to be offline

$ dig www.maybank2e.com @1.1.1.1

; <<>> DiG 9.18.1 <<>> www.maybank2e.com @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6428
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; EDE: 1 (Unsupported DNSKEY Algorithm): (failed to verify e3dnkth.x.incapdns.net. A: unsupported key size, DNSKEY incapdns.net., id = 51528)
;; QUESTION SECTION:
;www.maybank2e.com.		IN	A

;; ANSWER SECTION:
www.maybank2e.com.	35	IN	CNAME	e3dnkth.x.incapdns.net.
e3dnkth.x.incapdns.net.	15	IN	A	45.60.126.208

;; Query time: 10 msec
;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)
;; WHEN: Tue Apr 19 22:29:02 +08 2022
;; MSG SIZE  rcvd: 202

Why would it be working again now if nothing seems to have changed?

KianNH · April 19, 2022, 2:39pm

Run it enough times & it might not timeout when trying to query the AWOL nameserver.

If it times out, you get ; EDE: 22 (No Reachable Authority): (time limit exceeded).

If it doesn’t, you get ; EDE: 1 (Unsupported DNSKEY Algorithm): (failed to verify e3dnkth.x.incapdns.net. A: unsupported key size, DNSKEY incapdns.net., id = 51528) and the records back.

As for the nitty-gritty technical details as to how closely the resolvers follow the specs, or which flags they use by default for queries, I’m not sure if that’s documented anywhere.

mvavrusa · April 19, 2022, 5:35pm

The nameservers are in maybank.com.my, which has this NS set at the registry:

;; AUTHORITY SECTION:
maybank.com.my.     	86400	IN	NS	extdns2.maybank.com.my.
maybank.com.my.     	86400	IN	NS	ns1-122.akam.net.
maybank.com.my.     	86400	IN	NS	extdns.maybank.com.my.
maybank.com.my.     	86400	IN	NS	ns1-61.akam.net.
maybank.com.my.     	86400	IN	NS	asia2.akam.net.

;; ADDITIONAL SECTION:
extdns.maybank.com.my.	86400	IN	A	202.162.17.34
extdns2.maybank.com.my.	86400	IN	A	203.153.92.36

And the extdns2.maybank.com.my doesn’t work as you have noticed, so if your query is unlucky to pick it it’s most likely not going to work, but retry should work again. I’ll make a ticket to see if we can improve this without negatively impacting the resolution times.

system · April 22, 2022, 5:35pm

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.