Russia Government Domains Analysis (2021-07)

We analyzed 500 domain names (those with SOA records) related to the Russian Federation government and military. We identified 53 failed checks for a total of 21,990 anomalies. Our test suite has around 100 checks for DNS, DNSSEC, and domains over IPv4, IPv6, TCP, and UDP, based on best practices, recommendations, and requirements from registries, IETF RFCs, and government mandates. This is a summary of some of that analysis and highlights of the significant findings.

The following domains had servers that returned SERVFAIL, an overloaded RCODE that tells the client nothing about the underlying cause:

  • fasi.gov.ru — ns.gov.ru (95.173.128.77) (Later was REFUSED)
  • mari.ru — ns.chtts.ru (89.151.128.40)
  • archives.gov.ru — ns.gov.ru (95.173.128.77)
  • fssp.gov.ru — ns.gov.ru (95.173.128.77)
  • szfo.gov.ru — ns2.spb.rsnet.ru (95.173.151.198)
  • murman.ru — ns.murman.ru (185.246.64.167)

The following 41 domains worked, but at least one of the nameservers listed in their parent delegation timed out over UDP:

  • 129.173.95.in-addr.arpa
  • 130.173.95.in-addr.arpa
  • 131.173.95.in-addr.arpa
  • 132.173.95.in-addr.arpa
  • 133.173.95.in-addr.arpa
  • 134.173.95.in-addr.arpa
  • 135.173.95.in-addr.arpa
  • 136.173.95.in-addr.arpa
  • 137.173.95.in-addr.arpa
  • 138.173.95.in-addr.arpa
  • 139.173.95.in-addr.arpa
  • 140.173.95.in-addr.arpa
  • 141.173.95.in-addr.arpa
  • 142.173.95.in-addr.arpa
  • 143.173.95.in-addr.arpa
  • 80.226.194.in-addr.arpa
  • adm44.ru
  • alania.gov.ru
  • asv.org.ru
  • dfo.gov.ru
  • dumask.ru
  • emc-hotel.ru
  • fish.gov.ru
  • fsb.ru
  • fsin.gov.ru
  • gost.ru
  • lenobl.ru
  • pskov.ru
  • rezerv.gov.ru
  • rk08.ru
  • tuva.ru
  • udmurt.ru (two servers timed out)
  • urfo.gov.ru
  • vskhakasia.ru
  • xn--80advqd.xn--p1ai
  • xn---9-6kc0bn.xn--p1ai
  • xn--9-7sb1ak.xn--p1ai
  • xn--9--8kc1cvf.xn--p1ai
  • xn--9-8sb9aze.xn--p1ai
  • zsko.ru
  • zsperm.ru

The following domains worked over UDP (IPv4) but failed entirely over TCP: in every case, all of the nameservers listed in the parent delegation timed out over TCP. TCP is not optional for DNS (RFC 7766); any answer the server has to truncate over UDP, which includes most DNSSEC-signed responses, can only be retrieved over TCP, so a filtered port 53/tcp silently breaks resolution for those clients.

  • 6.207.91.in-addr.arpa
  • 7.207.91.in-addr.arpa
  • 172.214.91.in-addr.arpa
  • 237.201.91.in-addr.arpa
  • admlip.ru
  • fsb.ru
  • gov14.ru
  • investyakutia.com
  • mininnovation.ru
  • mintrans.gov.ru
  • mintrans.ru
  • mp-it.ru
  • pgusakha.ru
  • rcitsakha.ru
  • sakha.gov.ru
  • sakhaset.ru
  • src-sakha.ru
  • xn----7sbbabxwqh2bjnhv2b.xn--p1ai
  • xn--80aaabttog8aimgu9a.xn--p1ai
  • xn--80aay6abc0a2e.xn--p1ai
  • xn--h1aae6adbt6e.xn--p1ai
  • xn--h1adyd2de.xn--p1ai
  • xn----otbbh6ajgt8fe.xn--p1ai
  • yakutia2122.ru
  • yakutia-pki.ru
  • zsko.ru

duma72.ru's nameserver ns.duma72.ru (109.233.225.36) timed out or returned FORMERR whenever the query carried a standard EDNS(0) OPT record. FORMERR in reply to an EDNS query is the behaviour of a server that predates or mishandles EDNS (RFC 6891), so this server is almost certainly running very old software.

Several domains had nameservers that returned REFUSED, which from a server listed in the delegation usually means it is not configured to serve the zone at all (a lame delegation):

  • 103.190.194.in-addr.arpa tengwar.vtt.net (217.23.80.2)
  • anticartel.ru ns2.fas.gov.ru (194.226.26.39)
  • belregion.ru ns-2.belnet.ru (82.151.97.50)
  • cert.gov.ru ns.kiae.ru (144.206.14.14)
  • eao.ru ns1.rostelecom.ru (87.226.162.62)
  • eao.ru ns1.ttkdv.ru (188.93.128.254)
  • economy.gov.ru ns0.dtln.ru (178.20.234.206)
  • economy.gov.ru ns2.dtln.ru (95.131.31.206)
  • fmba.gov.ru ns4-cloud.nic.ru (185.42.137.111)
  • fmba.gov.ru ns8-cloud.nic.ru (194.58.196.62)
  • gorod-elista.ru ns5.hosting.reg.ru (31.31.194.32)
  • gorod-elista.ru ns6.hosting.reg.ru (31.31.196.15)
  • gshra.ru ns2.gshra.ru (188.120.235.130)
  • mari.ru ns.mv.ru (89.239.139.130)
  • mcx.gov.ru ns2.mcx.ru (46.31.153.2)
  • mcx.ru ns2.mcx.ru (46.31.153.2)
  • mintrud.gov.ru ns4-l3.nic.ru (91.217.20.5)
  • mintrud.gov.ru ns8-l3.nic.ru (91.217.21.5)
  • mosoblduma.ru ns4.nic.ru (194.226.96.8)
  • mosoblduma.ru ns8.nic.ru (193.232.130.14)
  • rostrud.gov.ru ns.rostrud.ru (212.45.0.5)
  • rst.gov.ru ns2.msk.rsnet.ru (95.173.144.133)
  • ufacity.info ns4-l2.nic.ru (91.217.20.1)
  • ulgov.ru ns2.ulgov.com (91.232.131.18)
  • ved.gov.ru ns0.dtln.ru (178.20.234.206)
  • ved.gov.ru ns2.dtln.ru (95.131.31.206)
  • xn--80a8ah.xn--p1ai ns2.fas.gov.ru (194.226.26.39)
  • xn--80aay6abc0a2e.xn--p1ai ns2.sakha.gov.ru (91.201.237.4) (Except it worked over TCP)
  • xn--80aqawjfcav.xn--p1ai ns2.fas.gov.ru (194.226.26.39)
  • xn--90ab5f.xn--p1ai ns2.gldn.net (194.67.2.109)
  • xn--90ab5f.xn--p1ai ns3.gldn.net (194.67.7.1)

Four domains listed a nameserver name that has no A record, so that nameserver cannot be reached over IPv4:

  • xn--90ad8ap2d.xn--p1ai — ns2.tomsk.gov.ru (probably should be just "ns")
  • pnzreg.ru — mail.oep-penza.ru
  • minzdrav.gov.ru — ns.citep.ru
  • duma72.ru — ns4-l8.nic.ru

167 domains that had at least two working IPv4 UDP nameservers did not place them in at least two separate topological networks, so a single network outage takes every nameserver with it (RFC 2182 recommends spreading secondaries across separate networks).

21 domains had nameservers that set the Recursion Available (RA) flag, and all of them were open resolvers, which exposes them to cache poisoning and to abuse as reflectors in amplification attacks (RFC 5358 / BCP 140). Some only answered queries sent without EDNS, which suggests very old software that is likely to carry unpatched security issues.

  • 146.120.90.153 (ns1.fsrar.gov.ru.) fsrar.gov.ru
  • 146.120.90.154 (ns2.fsrar.gov.ru.) fsrar.gov.ru
  • 151.252.105.132 (ns1.kubzsk.ru.) kubzsk.ru
  • 185.15.98.131 (ns1.fms.gov.ru.) fms.gov.ru
  • 185.15.98.132 (ns2.fms.gov.ru.) fms.gov.ru
  • 194.8.130.170 (ns1.xperts.ru.) dumask.ru
  • 195.34.224.198 (ns1.admlr.lipetsk.ru.) admlip.ru (UDP only)
  • 195.34.233.162 (ns.admlr.lipetsk.ru.) admlip.ru (UDP only)
  • 195.68.252.31 (ns.gost.ru.) gost.ru
  • 195.68.252.31 (ns.gost.ru.) rst.gov.ru
  • 212.67.25.149 (gas-u.government-nnov.ru.) government-nnov.ru (No EDNS)
  • 46.61.244.105 (ns1.fad.ru.) fda.gov.ru
  • 5.141.28.78 (ns.admhmao.ru.) admhmao.ru
  • 62.76.12.1 (ns1.sevtelecom.ru.) 92.gov.ru sevastopol.gov.ru sev.gov.ru
  • 83.242.155.170 (ns.ac.gov.ru.) ac.gov.ru cea.gov.ru open.gov.ru pmolimp.ru xn----8sbmmlgncfbgqis7m.xn--p1ai (No EDNS)
  • 84.42.96.71 (ns.gosnadzor.ru.) gosnadzor.gov.ru gosnadzor.ru (No EDNS)
  • 84.42.96.76 (ns1.gosnadzor.ru.) gosnadzor.ru (No EDNS)
  • 84.54.226.50 (ns3.xperts.ru.) dumask.ru (No EDNS)
  • 92.50.230.189 (ns1.fishcom.ru.) fish.gov.ru (No EDNS)
  • 95.167.17.137 (ns2.fad.ru.) fda.gov.ru
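The SERVFAIL, REFUSED, TCP-timeout, EDNS FORMERR and RA findings above all come out of the same kind of probe: query each delegated nameserver directly, over UDP and over TCP, with and without an EDNS(0) OPT record, and look at the response header. The following is an added example written for this page, not the audit suite the authors describe; it uses only the Python standard library. The function names (build_query, parse_header, classify, probe) and the finding labels are our own; the server address and zone in the usage comment are taken from the duma72.ru finding above.

```python
"""Added example, not the audit suite the page describes: a stdlib-only probe
that reproduces the checks behind the SERVFAIL, REFUSED, TCP-timeout, EDNS
FORMERR and RA findings.  Sends an SOA query (with or without an EDNS(0) OPT
record) over UDP or TCP and classifies the response header."""
import random
import socket
import struct
import sys

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}
QTYPE_SOA, QCLASS_IN, TYPE_OPT = 6, 1, 41


def encode_name(name):
    """Wire-format a name as length-prefixed labels (RFC 1035 section 3.1)."""
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def build_query(name, qtype=QTYPE_SOA, edns=True, qid=None):
    """Non-recursive (RD=0) query, as sent to an authoritative server.  With
    edns=True an OPT RR advertising a 1232-byte UDP payload is appended."""
    qid = random.randrange(1, 0x10000) if qid is None else qid
    header = struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 1 if edns else 0)
    question = encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 1232, 0, 0) if edns else b""
    return header + question + opt


def parse_header(resp):
    """Decode the 12-byte header; flags are QR|Opcode|AA|TC|RD|RA|Z|RCODE."""
    if len(resp) < 12:
        raise ValueError("response shorter than a DNS header")
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return {"id": qid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "tc": bool(flags & 0x0200), "ra": bool(flags & 0x0080),
            "rcode": RCODES.get(flags & 0xF, "RCODE%d" % (flags & 0xF)),
            "ancount": an}


def classify(hdr):
    """Map a parsed header to the report's finding labels ([] means clean)."""
    findings = []
    if hdr["rcode"] != "NOERROR":
        findings.append(hdr["rcode"])
    if hdr["ra"]:
        findings.append("RA")      # recursion offered: check for an open resolver
    if hdr["tc"]:
        findings.append("TC")      # truncated: this server needs working TCP
    if hdr["rcode"] == "NOERROR" and not hdr["aa"]:
        findings.append("NOT-AA")  # answered, but not authoritatively
    return findings


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise OSError("connection closed mid-message")
        buf += chunk
    return buf


def probe(server, name, proto="udp", edns=True, timeout=3.0):
    """Query one nameserver directly; returns the header plus 'findings',
    or {'error': ...} on timeout/connection failure (the report's 'timed out')."""
    query = build_query(name, edns=edns)
    family = socket.AF_INET6 if ":" in server else socket.AF_INET
    try:
        if proto == "udp":
            with socket.socket(family, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.sendto(query, (server, 53))
                data = s.recv(4096)
        else:  # RFC 7766: each TCP message carries a two-byte length prefix
            with socket.create_connection((server, 53), timeout=timeout) as s:
                s.sendall(struct.pack("!H", len(query)) + query)
                (length,) = struct.unpack("!H", recv_exact(s, 2))
                data = recv_exact(s, length)
    except socket.timeout:
        return {"error": "timeout"}
    except OSError as exc:
        return {"error": str(exc)}
    hdr = parse_header(data)
    if hdr["id"] != struct.unpack("!H", query[:2])[0] or not hdr["qr"]:
        return {"error": "response does not match the query"}
    hdr["findings"] = classify(hdr)
    return hdr


if __name__ == "__main__":
    # e.g.  python probe.py 109.233.225.36 duma72.ru   (ns.duma72.ru from the report)
    server, zone = sys.argv[1:3]
    for proto in ("udp", "tcp"):
        for edns in (True, False):
            print(proto, "edns" if edns else "no-edns", probe(server, zone, proto, edns))
```

Run it against each address in a zone's NS set: a server that answers "no-edns" but times out or returns FORMERR with "edns" is the duma72.ru pattern; "RA" on an authoritative server is the open-resolver pattern; "timeout" on tcp only is the Sakha group above. The probe sends RD=0, so an RA flag is the server volunteering recursion, not the client asking for it.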

Only 11 of the domains had DNSSEC signatures. One of these, adygheya.ru, signed with RSA/SHA-1 and ECC-GOST, which RFC 8624 rates as NOT RECOMMENDED and MUST NOT, respectively, for signing.
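A check for the adygheya.ru finding only needs the DNSKEY RRset: parse each key, compute its key tag, and look the algorithm number up in RFC 8624's signing column. The following is an added example written for this page, not the authors' tooling; the function names (parse_dnskey, key_tag, grade_dnskey, audit_keys) are ours, and the sample records are constructed with two-byte dummy key material so the key tags can be verified by hand, not real keys from any zone.

```python
"""Added example, not the page's tooling: parse a DNSKEY RR in presentation
format (what `dig DNSKEY <zone>` prints), compute its key tag (RFC 4034
Appendix B) and grade the algorithm against RFC 8624's signing column, which is
how a check flags RSA/SHA-1 and ECC-GOST.  Sample records are constructed."""
import base64
import struct

# RFC 8624 section 3.1, "DNSSEC Signing" column.
RFC8624_SIGNING = {
    1: ("RSAMD5", "MUST NOT"), 3: ("DSA", "MUST NOT"),
    5: ("RSASHA1", "NOT RECOMMENDED"), 6: ("DSA-NSEC3-SHA1", "MUST NOT"),
    7: ("RSASHA1-NSEC3-SHA1", "NOT RECOMMENDED"), 8: ("RSASHA256", "MUST"),
    10: ("RSASHA512", "NOT RECOMMENDED"), 12: ("ECC-GOST", "MUST NOT"),
    13: ("ECDSAP256SHA256", "MUST"), 14: ("ECDSAP384SHA384", "MAY"),
    15: ("ED25519", "RECOMMENDED"), 16: ("ED448", "MAY"),
}


def parse_dnskey(presentation):
    """'257 3 13 <base64>' -> (flags, protocol, algorithm, wire RDATA)."""
    fields = presentation.split()
    flags, protocol, algorithm = (int(x) for x in fields[:3])
    key = base64.b64decode("".join(fields[3:]))  # dig wraps long keys over tokens
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + key
    return flags, protocol, algorithm, rdata


def key_tag(rdata, algorithm):
    """RFC 4034 Appendix B: 16-bit sum over the RDATA with carry folded in.
    Algorithm 1 (RSAMD5) has its own rule (Appendix B.1) and is not graded here."""
    if algorithm == 1:
        return None
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def grade_dnskey(presentation):
    flags, protocol, algorithm, rdata = parse_dnskey(presentation)
    name, status = RFC8624_SIGNING.get(algorithm, ("unknown-%d" % algorithm, "UNKNOWN"))
    return {
        "key_tag": key_tag(rdata, algorithm),
        "ksk": bool(flags & 0x0001),      # SEP bit: 257 = KSK, 256 = ZSK
        "algorithm": name,
        "signing": status,
        "ok": status in ("MUST", "RECOMMENDED", "MAY"),
        "protocol_ok": protocol == 3,     # RFC 4034 section 2.1.2: MUST be 3
    }


def audit_keys(records):
    """Return (record, grade) for every key whose algorithm should not be used for signing."""
    graded = [(r, grade_dnskey(r)) for r in records]
    return [(r, g) for r, g in graded if not g["ok"]]


# Constructed sample: a KSK on RSA/SHA-1 and a ZSK on ECC-GOST, the two
# algorithms the report calls out, plus a compliant ECDSA P-256 key.  The key
# material is the two bytes 0x01 0x02 so the tags can be checked by hand.
SAMPLE_KEYS = ["257 3 5 AQI=", "256 3 12 AQI=", "257 3 13 AQI="]

if __name__ == "__main__":
    for rec, g in audit_keys(SAMPLE_KEYS):
        print("tag", g["key_tag"], "KSK" if g["ksk"] else "ZSK",
              g["algorithm"], "signing:", g["signing"])
```

In practice feed it the output of `dig +multi DNSKEY <zone>` after stripping the owner name, TTL, class and type columns; the key tag it prints is the one that appears in the zone's DS records and RRSIGs, which is how you tie a flagged key back to what the parent actually publishes.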

374 (out of 500) of the domains could not be resolved over IPv6 at all. (Not listing them all here.) Another five worked over TCP (via IPv6) but not UDP: investvolgorechensk.ru veteran-volgorechensk.ru volgadm.ru volgorechenskedusys.ru zsuo.ru

183 of the domains had a nameserver that didn't have an AAAA address record.

The following domains have IPv6 nameservers that returned REFUSED:

  • 103.190.194.in-addr.arpa tengwar.vtt.net (2a02:e840:11::2)
  • economy.gov.ru ns0.dtln.ru (2a01:ba80:d:e::206)
  • economy.gov.ru ns2.dtln.ru (2a01:ba80:d:f::206)
  • egov-buryatia.ru ns2.ispvds.com (2a01:230:2:75::5)
  • fmba.gov.ru ns4-cloud.nic.ru (2a01:3f0:400::62)
  • fmba.gov.ru ns8-cloud.nic.ru (2a01:3f1:862::53)
  • investvolgorechensk.ru ns2.ispvds.com (2a01:230:2:75::5) (REFUSED over UDP only; worked over TCP)
  • tvoivolgorechensk.ru ns2.ispvds.com (2a01:230:2:75::5)
  • ved.gov.ru ns0.dtln.ru (2a01:ba80:d:e::206)
  • ved.gov.ru ns2.dtln.ru (2a01:ba80:d:f::206)
  • veteran-volgorechensk.ru ns2.ispvds.com (2a01:230:2:75::5) (REFUSED over UDP only; worked over TCP)
  • volgadm.ru ns2.ispvds.com (2a01:230:2:75::5) (REFUSED over UDP only; worked over TCP)
  • volgorechenskedusys.ru ns2.ispvds.com (2a01:230:2:75::5) (REFUSED over UDP only; worked over TCP)

cap.ru's nameserver ns.cap.ru has no AAAA glue in the parent delegation, and the name resolves to ::1, the IPv6 loopback address, so any resolver that tried it over IPv6 would be querying itself. A nameserver's IPv6 address must not be a private (ULA), IETF-reserved, or loopback address.
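The cap.ru finding, the 167 domains with all nameservers in one network, and the glue mismatch are all checks on the address set behind a delegation. The following is an added example written for this page, not the authors' suite; the function names (address_problems, distinct_networks, audit_delegation) are ours, the sample delegation is constructed (only 95.173.128.77 appears in the report, as ns.gov.ru; ns2.cap.ru and the second address are made up), and treating a /24 or /48 prefix as a "topological network" is our assumption since the page does not define the term.

```python
"""Added example, not the page's audit suite: checks on a delegation's nameserver
addresses covering three findings in this report: nameservers that all sit in
one network, an NS whose address has no glue at the parent, and an IPv6 address
that is loopback/private/reserved (the cap.ru case).  The /24 and /48 prefix
approximation of a "topological network" is our assumption; the page does not
define the term.  The sample delegation at the bottom is constructed."""
import ipaddress


def address_problems(addr):
    """Reasons an address is unusable for a public nameserver; [] if it is fine."""
    ip = ipaddress.ip_address(addr)
    checks = [("loopback", ip.is_loopback), ("unspecified", ip.is_unspecified),
              ("link-local", ip.is_link_local), ("multicast", ip.is_multicast),
              ("private/ULA", ip.is_private), ("IETF-reserved", ip.is_reserved)]
    problems = [label for label, hit in checks if hit]
    if not problems and not ip.is_global:
        problems.append("not globally routable")
    return problems


def distinct_networks(addrs, v4_prefix=24, v6_prefix=48):
    """Assumption: distinct /24 (IPv4) or /48 (IPv6) prefixes stand in for
    distinct topological networks.  A production check would map each address
    to its origin AS from BGP data instead."""
    nets = set()
    for a in addrs:
        ip = ipaddress.ip_address(a)
        plen = v4_prefix if ip.version == 4 else v6_prefix
        nets.add(ipaddress.ip_network("%s/%d" % (ip, plen), strict=False))
    return len(nets)


def audit_delegation(zone, parent_glue, child_addrs):
    """parent_glue and child_addrs map NS name -> list of addresses, as seen in
    the parent's glue and in the child zone.  Returns (severity, message) pairs."""
    findings = []
    for ns, addrs in child_addrs.items():
        for a in addrs:
            for p in address_problems(a):
                findings.append(("error", "%s: %s has %s address %s" % (zone, ns, p, a)))
        glue = set(parent_glue.get(ns, []))
        for a in set(addrs) - glue:   # cap.ru: AAAA in the child, no AAAA glue above
            findings.append(("warn", "%s: %s address %s has no glue in the parent" % (zone, ns, a)))
        for a in glue - set(addrs):
            findings.append(("warn", "%s: stale parent glue %s for %s" % (zone, a, ns)))
    v4 = [a for addrs in child_addrs.values() for a in addrs if ":" not in a]
    if len(v4) >= 2 and distinct_networks(v4) < 2:
        findings.append(("warn", "%s: all %d IPv4 nameservers sit in one network" % (zone, len(v4))))
    return findings


# Constructed sample: ns.cap.ru with an AAAA of ::1 and no AAAA glue, as the
# report describes; ns2.cap.ru and the second IPv4 address are made up so the
# same-network check also fires (95.173.128.77 is ns.gov.ru in the report).
SAMPLE_GLUE = {"ns.cap.ru": ["95.173.128.77"], "ns2.cap.ru": ["95.173.128.78"]}
SAMPLE_CHILD = {"ns.cap.ru": ["95.173.128.77", "::1"], "ns2.cap.ru": ["95.173.128.78"]}

if __name__ == "__main__":
    for severity, msg in audit_delegation("cap.ru", SAMPLE_GLUE, SAMPLE_CHILD):
        print(severity.upper(), msg)
```

Note that Python's ipaddress module classifies ::1 as loopback, private and reserved at once, so the loopback finding is reported alongside the other two; what matters for the check is that the list is non-empty. The glue comparison is deliberately two-sided: an address only in the child is the cap.ru case, an address only in the parent is stale glue that resolvers will keep trying after a nameserver moves.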

This is a small sample of our research. As far as we know, we have the most exhaustive DNS audit suite, with more checks being added. What do you use to check your DNS?