nsa.gov Offline During a Few Hours


The name servers hosting the National Security Agency domain (nsa.gov) were reported unavailable for a few hours around May 15th. How is this possible?

Let's start the investigation with dig. When you query a root server for the name servers (NS records) of the nsa.gov zone, you receive the following information:

$ dig nsa.gov ns

; <<>> DiG 9.3.1 <<>> nsa.gov ns
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6836
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2

;; QUESTION SECTION:
;nsa.gov.                       IN      NS

;; ANSWER SECTION:
nsa.gov.                85807   IN      NS      romulus.ncsc.mil.
nsa.gov.                85807   IN      NS      topscale.nsa.gov.

;; ADDITIONAL SECTION:
romulus.ncsc.mil.       85807   IN      A       144.51.5.2
topscale.nsa.gov.       86035   IN      A       144.51.68.4

;; Query time: 13 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu May 22 21:50:52 2008
;; MSG SIZE  rcvd: 110

Next step: resolve the two name servers that were returned:

$ host romulus.ncsc.mil
romulus.ncsc.mil has address 144.51.5.2
$ host topscale.nsa.gov.
topscale.nsa.gov has address 144.51.68.4

Finally, query the network information at ARIN:

$ whois -h whois.arin.net 144.51.5.2

OrgName:    National Computer Security Center
OrgID:      NCSC-3
Address:    9800 Savage Road
City:       Fort George G. Meade
StateProv:  MD
PostalCode:
Country:    US

NetRange:   144.51.0.0 - 144.51.255.255
CIDR:       144.51.0.0/16
NetName:    NCSC
NetHandle:  NET-144-51-0-0-1
Parent:     NET-144-0-0-0-0
NetType:    Direct Assignment
NameServer: ROMULUS.NCSC.MIL
NameServer: ZOMBIE.NCSC.MIL
NameServer: BARRIER.NCSC.MIL
NameServer: GRIZZLY.NRL.NAVY.MIL
Comment:
RegDate:
Updated:    1997-11-17

RTechHandle: AMM32-ARIN
RTechName:   McCool, Anna M.
RTechPhone:  +1-301-688-5267
RTechEmail:  amm@romulus.ncsc.mil

# ARIN WHOIS database, last updated 2008-05-21 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

Both name servers are on the same network! What does this mean? In case of a routing issue (a bad BGP announcement) or an ACL or configuration issue (blacklisting the whole 144.51.0.0/16), nsa.gov will simply be offline! Never put your name servers on the same subnet or with the same ISP!
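As an added example (not part of the original post), the script below turns the manual check above into code: given the name servers and addresses taken from the dig output, it computes the longest prefix all of them share and flags the zone when that prefix is a /16 or more specific. The sample data is constructed from the output quoted above, not from a live query.

```python
import ipaddress
from typing import Dict, Iterable

# Constructed from the dig/host output quoted above (not live data).
NSA_GOV_NS = {
    "romulus.ncsc.mil.": "144.51.5.2",
    "topscale.nsa.gov.": "144.51.68.4",
}


def common_prefix_length(addrs: Iterable[str]) -> int:
    """Length of the longest network prefix shared by every address.

    32 means there is effectively a single address; 0 means the
    addresses have nothing in common (e.g. different /1 halves).
    """
    ints = [int(ipaddress.IPv4Address(a)) for a in addrs]
    if len(ints) < 2:
        return 32
    length = 0
    for bit in range(31, -1, -1):          # walk from the MSB downwards
        mask = 1 << bit
        if all((i & mask) == (ints[0] & mask) for i in ints):
            length += 1
        else:
            break
    return length


def ns_diversity_report(ns_addrs: Dict[str, str], threshold: int = 16) -> dict:
    """Flag a zone whose authoritative servers all sit inside one prefix
    of /threshold or more specific: one routing or filtering problem on
    that prefix takes every name server offline at once.

    A zone with a single name server is flagged too, since it is a
    single point of failure by construction.
    """
    plen = common_prefix_length(ns_addrs.values())
    first = ipaddress.IPv4Address(next(iter(ns_addrs.values())))
    shared = ipaddress.ip_network(f"{first}/{plen}", strict=False)
    return {
        "servers": len(ns_addrs),
        "shared_prefix": str(shared),
        "single_point_of_failure": plen >= threshold,
    }


if __name__ == "__main__":
    print(ns_diversity_report(NSA_GOV_NS))
```

Running it on the two nsa.gov servers reports a shared 144.51.0.0/17 and flags the zone; feeding it the NS set of a zone spread across unrelated networks yields a very short shared prefix and no flag.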
