DNS Lame Delegations Report 2019-11
DNS Institute performs detailed audits of the DNS domain names and nameservers of the US government, the S&P Global Top 100 Banks, and Fortune 500 (US) companies. The audits check for compliance with DNS registry requirements, government mandates, and Internet specifications.
This report provides examples of lame delegations as detected in November 2019. Loosely, a lame delegation is a nameserver that is listed as authoritative for a zone but does not provide valid authoritative answers for it. The precise definition varies, and this report provides examples for several of the definitions in use:
- "A lame delegation exists when a nameserver is delegated responsibility for providing nameservice for a zone (via NS records) but is not performing nameservice for that zone ..." — RFC 1912 Common DNS Operational and Configuration Errors.
- Queries to a secondary nameserver for a host should always result in an "authoritative" response — RFC 1912.
- "A lame delegation ... happens when a name server is listed in the NS records for some domain and in fact it is not a server for that domain." — RFC 1713 Tools for DNS debugging.
- "A lame delegation has occurred when a parent zone delegates authority for a child zone to a server that appears not to think that it is authoritative for the child zone in question." — RFC 1612 DNS Resolver MIB Extensions.
- An authoritative server for a domain doesn't set the AA bit on responses to AAAA queries but does for A queries, so it is lame only for certain query types. — RFC 4074 Common Misbehavior Against DNS Queries.
- "... name server in a zone's NS RRSet ... is not authoritative for the given zone" — RFC 4697 Observed DNS Resolution Misbehavior.
- "... a zone is delegated to ... nameservers without those nameservers being configured ahead of time to answer authoritatively for that zone ..." — RFC 7535 AS112 Redirection Using DNAME.
The following examples were seen in November 2019. Some of the problems have been resolved, but a few still exist.
No address for delegated NS target
If the NS target name cannot be resolved, the nameserver itself cannot be found and the delegation is useless. This also happens when a nameserver lies inside the zone it serves but the parent zone carries no glue for it. The target of an NS record must have at least one address record (A or AAAA).
For example, Banco Santander's santandergroup.es has an NS of hermes.santander.com, which does not exist in DNS (NXDOMAIN). Another example is Royal Bank of Canada's rbcbank.ca: none of its delegated NS names resolve (all NXDOMAIN). In addition, rbccm.ca's NS nameservers also don't exist in DNS.
ON Semiconductor's amis.com had an NS nameserver, ux1.isu.edu, that did not exist. At a different time amis.com was entirely down (all of its nameservers returning SERVFAIL), which left one of onsemi.com's nameservers, dns.amis.com, unresolvable: a lame delegation causing a lame delegation.
AES's aesgener.com has an NS record of ns2.gener.cl, which returns NXDOMAIN.
Apple had multiple domains (lojaapple.com.br, onlineapplestore.com, mac.rio, livephotos.rio, macstore.rio, macbook.rio, mac.me, shop-different.org, and shopdifferent.org) whose NS nameservers have no corresponding address records. qapple.com and online-apple-store.com did have glue records (provided by the com servers), but the servers at those addresses timed out.
As an IPv6 versus IPv4 example, Ford Motor's ford.com has two NS targets that have AAAA addresses but no A addresses. Similarly, China Everbright Bank Co.'s cebbank.com delegates to dns8.cebbank.com, which has an AAAA record but no A record. Such a server is unreachable from IPv4-only resolvers.
(Note that we also detected related problems for United Natural Foods and for General Motors that could be used to take over or compromise network services for a domain.)
NS target recursively points to itself or parent
A lame delegation can also show up as a delegated nameserver that does not answer for the zone but instead hands back a referral: either upward to the root servers (the server's root hints) or sideways to the zone's own NS set, repeating the delegation rather than answering it.
For example, State Street Corp.'s spdrumobile.com's nameservers don't provide authoritative answers but refer the query back to the root servers. Parker-Hannifin's parker-hannifin.com has two nameservers that return the root servers. One of the nameservers for Alliance Data Systems's adsdmz.net and alliancedatasystems.com (ns2.alliancedata.com) does the same thing.
Nameserver doesn't respond
The server may simply not exist, or no name service may be deployed at its address, so the query times out (or the connection is refused) and the resolver tries another server. This is the weakest definition of a lame delegation; the problem becomes evident when every delegated server for a domain is unreachable.
For example, Banco Santander's santandergroup.es has an NS of perseus.bancosantander.es, which times out (both TCP and UDP). This is significant since its only other nameserver delegation is also lame.
All of Morgan Stanley's morganstanleydeanwitter.com's nameservers timed out. And all of Industrial and Commercial Bank of China's icbcbr.com.br nameservers timed out.
Another example is Centene's healthnet.com: its nameserver ns3.dns.healthnet.com also times out (TCP and UDP).
(The audit detected many other examples of servers having timeouts, especially with TCP or IPv6, but these are not listed here in this report.)
Nameserver doesn't know about it
A non-recursive nameserver that has not been configured for the domain may answer queries for it with NXDOMAIN instead of an answer or a referral.
An example was Sumitomo Mitsui Financial Group Inc.'s hsjc.jp domain: for a time, two of the nameservers for its parent zone, jp (e.dns.jp and f.dns.jp), were returning NXDOMAIN for it.
Nameserver refuses to answer
A listening nameserver that responds with REFUSED implies that the delegated nameserver is misconfigured or that the wrong nameserver is listed in the delegation. Commonly this is due to a default policy that refuses queries for zones the server is not configured for, or from clients it does not recognize.
For example, AES's aes.com's nameserver ns1.aes.com refused queries for it. And ON Semiconductor's amis.com NS nameservers cbru.br.ns.els-gms.att.net and dbru.br.ns.els-gms.att.net return REFUSED.
Parker-Hannifin's parker-hannifin.com has two nameservers that return REFUSED. (Its other nameservers return root server delegations so effectively the domain is unusable.)
REFUSED was also returned by nameservers for Levi Strauss's levistrauss.com; U.S. Bancorp's usbankpayment.com, usbcpssolutions.com, usbpayments.com, and usbankpayments.com; Charter Communications' timewarnercablebusinessclass.com; Nationwide Mutual Insurance Company's nationwideinvestments.com and futurehealth.net; Macy's macysinc.com; Universal Health Services' aikenregional.org, coronaregional.com, and doctorshosplaredo.org; Quest Diagnostics' qdx.com; Owens & Minor's owens-minor.com; Univar's univar.com and chemdist.com; State Street Corp.'s spdrsetfs.com; First Data's samsclubms.com and trsrecoveryservices.com; Westpac Banking Corp.'s westpac.com.fj and westpac.co.nz; Société Générale's aldautomotive.kz and societegenerale.bj; Shinhan Financial Group's shinhangroup.kr; BFA Sociedad Tenedora de Acciones's bfatenedoradeacciones.es; Bank of Nova Scotia's scotiabanktt.com; and Amazon's amazonsilk.com.
Nameserver returns a non-authoritative answer
The delegated nameserver must respond to queries for the zone with the AA (Authoritative Answer) bit set; an answer without it is, at best, a cached or forwarded response rather than the zone's own data.
An example is Hana Financial Group's hana-aamc.com. One of its delegated nameservers, ns4.whoisdomain.kr, doesn't provide an authoritative (AA bit) response.
Some other examples include Centene's myhealthnetca.com, healthnetarizona.com, and healthnetoregon.com domains, whose delegated nameservers don't answer for them authoritatively.
Nameserver returns a failure
Due to a server error, the nameserver responds with SERVFAIL or FORMERR. These response codes are overloaded (a zone that failed to load, a failed transfer, or a validation failure all produce SERVFAIL), so from a single query the client cannot easily tell what caused the error.
An example was CaixaBank's lacaixa.com. One of its delegated nameservers, artemis.ttd.net, returned SERVFAIL. Banco Santander's santandergroup.com domain also uses the same problematic nameserver.
Another example was ON Semiconductor's amis.com, whose nameservers dns1.namecheaphosting.com and dns2.namecheaphosting.com returned SERVFAIL.
And another example is the nameserver ns1.alliancedata.com for Alliance Data Systems's adsdmz.net and alliancedatasystems.com, which returns SERVFAIL.
Other SERVFAILs were seen from nameservers for Bed Bath & Beyond's harmondiscount.com; Public Service Enterprise Group's pseg.com; Global Partner's globalp.com; KB Financial Group's kookminbank.com; Shinhan Financial Group's shinhangroup.co.kr, shinhanbank.co.kr, shinhan-corp.com, and shinhangn.com; United Overseas Bank's uisgroup.com.sg; Resona Holdings' perdania.co.id; Société Générale's bfvsg.mg; and various US government domains: usfk.mil, ipac.gov, ntsb.gov, afhsc.mil, and osde.gov.
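The categories above can be checked directly against a delegated nameserver. The following is an added example (not DNS Institute's audit tooling and not part of the original report): a standard-library-only Python checker that sends the zone's SOA query with recursion disabled to one nameserver and maps the reply onto this report's categories (timeout, REFUSED, SERVFAIL, FORMERR, NXDOMAIN, referral to the root servers or to the zone's own NS set, non-authoritative answer, authoritative answer). The zone name example.com and the sample replies in sample_verdicts() are constructed for the demonstration so it runs offline; the checker does not resolve NS target names, so the "no address for delegated NS target" case is outside its scope.

```python
import socket
import struct

# Added example (not DNS Institute's audit code): SOA query with RD=0 to one
# delegated nameserver, reply mapped onto this report's lameness categories.
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
TYPE_NS, TYPE_SOA = 2, 6

def encode_name(name):
    """Dotted name -> uncompressed wire format ("." -> b"\\x00")."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset past it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # compression pointer
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:                         # defeat pointer loops
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (off if end is None else end)

def skip_rrs(msg, off, count, with_rdata):
    """Advance past `count` question entries (with_rdata=False) or RRs."""
    for _ in range(count):
        _, off = read_name(msg, off)
        if with_rdata:                            # TYPE, CLASS, TTL, RDLENGTH, RDATA
            off += 10 + struct.unpack("!H", msg[off + 8:off + 10])[0]
        else:
            off += 4                              # QTYPE + QCLASS
    return off

def build_query(zone, qtype=TYPE_SOA, qid=0x1234):
    """SOA query with RD=0: a non-authoritative server cannot hide by recursing."""
    return struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 0) + encode_name(zone) + struct.pack("!HH", qtype, 1)

def classify(response):
    """Category for one nameserver's reply; None stands for a timeout."""
    if response is None:
        return "timeout"
    if len(response) < 12:
        return "malformed"
    _, flags, qd, an, ns, _ = struct.unpack("!HHHHHH", response[:12])
    rcode = flags & 0x000F
    if rcode != 0:
        return RCODES.get(rcode, "rcode%d" % rcode).lower()
    if flags & 0x0400:                            # AA bit set
        return "authoritative"
    if an == 0 and ns > 0:
        # Referral instead of an answer: the authority RRs' owner shows where
        # the server points ("." means it handed back the root servers).
        off = skip_rrs(response, 12, qd, with_rdata=False)
        off = skip_rrs(response, off, an, with_rdata=True)
        return "referral to " + read_name(response, off)[0]
    return "non-authoritative"

def probe(server_ip, zone, timeout=3.0):
    """Live check over UDP: classify() of the reply, or 'timeout'."""
    query = build_query(zone)
    family = socket.AF_INET6 if ":" in server_ip else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(query, (server_ip, 53))
            reply = sock.recvfrom(4096)[0]
        except OSError:                           # includes socket.timeout
            return "timeout"
    return classify(reply) if reply[:2] == query[:2] else "malformed"

def make_response(query, rcode=0, aa=False, answers=(), authority=()):
    """Constructed (not captured) reply to `query`, for offline testing."""
    flags = 0x8000 | (0x0400 if aa else 0) | rcode
    header = struct.pack("!HHHHHH", struct.unpack("!H", query[:2])[0], flags, 1, len(answers), len(authority), 0)
    body = query[12:]                             # echo the question section
    for owner, rtype, rdata in list(answers) + list(authority):
        body += encode_name(owner) + struct.pack("!HHIH", rtype, 1, 3600, len(rdata)) + rdata
    return header + body

def sample_verdicts(zone="example.com."):
    """Run classify() over constructed replies, one per category above."""
    q = build_query(zone)
    soa = (zone, TYPE_SOA, encode_name("ns1." + zone) + encode_name("hostmaster." + zone) + struct.pack("!IIIII", 2019110101, 7200, 900, 1209600, 3600))
    return {
        "healthy": classify(make_response(q, aa=True, answers=[soa])),
        "root referral": classify(make_response(q, authority=[(".", TYPE_NS, encode_name("a.root-servers.net."))])),
        "peer referral": classify(make_response(q, authority=[(zone, TYPE_NS, encode_name("ns1." + zone))])),
        "refused": classify(make_response(q, rcode=5)),
        "servfail": classify(make_response(q, rcode=2)),
        "nxdomain": classify(make_response(q, rcode=3)),
        "no AA bit": classify(make_response(q, answers=[soa])),
        "timed out": classify(None),
    }
```

For a live audit, call probe() once per address of every NS target of the zone (for instance probe("192.0.2.1", "example.com."), where 192.0.2.1 is a placeholder address) and treat any verdict other than "authoritative" as a lame delegation candidate. A single timeout is only weak evidence, as the report notes; the domain is in trouble when every delegated server comes back with something other than "authoritative". The query is sent with RD=0 on purpose: a server that would happily recurse for the zone is still lame if it does not serve the zone itself.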
Other scenarios exist for defining a lame server, such as NS records pointing to CNAMEs and DS records present without matching NS records. These are outside the scope of this research. This report also doesn't cover what to do about lame servers or how resolvers behave when they detect one of the above issues.
The DNS Institute attempted to contact many of these companies about these issues in November. If you have questions about any of these domains or research, please contact us. For information about the comprehensive DNS analysis service, please visit https://www.dnsinstitute.com/dns-monitoring/.