abuse.ch DNSSEC Outage: 2017-02-18

Updated: February 18, 2017

Overview

This page gives some details on the abuse.ch DNSSEC outage on February 18, 2017. abuse.ch runs multiple important blocklists that target the Zeus botnet, ransomware and more. It has many users.

Timeline / DNSViz

• 2017-02-18 09:33:13 UTC — feodotracker.abuse.ch/A bogus
• 2017-02-18 09:33:14 UTC — www.abuse.ch/A bogus
• 2017-02-18 09:33:23 UTC — mail.abuse.ch/A bogus
• 2017-02-18 09:33:48 UTC — ransomwaretracker.abuse.ch/A bogus
• 2017-02-18 09:34:02 UTC — sslbl.abuse.ch/A bogus
• 2017-02-18 09:35:45 UTC — zeustracker.abuse.ch/A bogus

OpenDNS & Google Public DNS

OpenDNS does not support DNSSEC, and instead supports DNSCurve. Google Public DNS currently supports only DNSSEC, and thus, Google's users saw SERVFAIL for queries for abuse.ch during this outage.

$ dig zeustracker.abuse.ch @resolver1.opendns.com.

; <<>> DiG 9.9.5-9+deb8u9-Debian <<>> zeustracker.abuse.ch @resolver1.opendns.com.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12353
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;zeustracker.abuse.ch. IN A

;; ANSWER SECTION:
zeustracker.abuse.ch. 16 IN A 104.155.11.149

;; Query time: 0 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Sat Feb 18 09:35:47 UTC 2017
;; MSG SIZE rcvd: 65

---

With Google Public DNS, because of DNSSEC, queries fail:

$ dig +dnssec zeustracker.abuse.ch @8.8.8.8

; <<>> DiG 9.9.5-9+deb8u9-Debian <<>> +dnssec zeustracker.abuse.ch @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 41789
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;zeustracker.abuse.ch. IN A

;; Query time: 46 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sat Feb 18 09:35:47 UTC 2017
;; MSG SIZE rcvd: 49

Logfile examples

• [1487410479] unbound[5053:0] info: validation failure <www.abuse.ch. A IN>: signatures from unknown keys from 204.13.250.4
• [1487410545] unbound[5053:0] info: validation failure <zeustracker.abuse.ch. A IN>: signatures from unknown keys from 208.78.71.4
• [1487410587] unbound[5053:0] info: validation failure <abuse.ch. A IN>: signatures from unknown keys from 208.78.71.4
• [1487410619] unbound[5053:0] info: validation failure <feodotracker.abuse.ch. A IN>: signatures from unknown keys from 208.78.70.4
• [1487410637] unbound[5053:0] info: validation failure <mail.abuse.ch. A IN>: signatures from unknown keys from 204.13.250.4
• [1487410657] unbound[5053:0] info: validation failure <ransomwaretracker.abuse.ch. A IN>: signatures from unknown keys from 208.78.71.4
• [1487410671] unbound[5053:0] info: validation failure <sslbl.abuse.ch. A IN>: signatures from unknown keys from 204.13.250.4