-
Notifications
You must be signed in to change notification settings - Fork 203
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add retry logic to DNS that attempts to retry against a public resolver. Ensure that report indicates level of confidence in the correctness of the result. #41
Comments
Did EXO assessment on a E3 tenant (Test Tenant#5)- most policies worked fine but had an intermittent issue with Policy 2.2. In some of the tests, the policy errored with GetSpfRecord command failure. This maybe DNS lookup failures on the test environment - but I could not consistently reproduce the issue. The tenant had 12 domains - may need some additional testing and improved error handling to identify transient issues. |
I recommend we create an issue to enhance the DNS request code for SPF, DKIM, and DMARC. Transient issues are to be expected with DNS and our code currently isn't built to handle that appropriately. We should add a re-try mechanism so that for any failed query (other than for an NXDOMAIN) the query gets re-tried. Also in favor of additional testing. |
Recommendation is to add an issue to create or re-create issue to look at adding a DNS retry to the current automation to account for potential intermittent DNS failures. |
I believe the issue is related to where the agency runs the script. Querying a domain from internal may hit an internal DNS server that returns a different result than what is served to the public for that domain. This is the case inside CISA. Some orgs will block DNS requests to non-agency DNS servers, so it's not like we could set a public DNS server as the recursive resolver (1.1.1.1, etc). I believe we even require them to prevent this to prevent DNS filtering bypass. This likely also impacts DKIM/DMARC. So figuring that out will be...interesting. |
You're probably right. I tested the |
I rescoped #38 to be about the retries. Its possible those issues are also split horizon issues, though it surprises me a bit. But it is possible they fully claim their own zones and don't think about things like txt records that only matter for inbound traffic. We should discuss in team meeting how we want to rescope these issues and move forward. |
Details of potential fix from duplicate issue. 💡 SummaryEnhance DNS-related code by adding a retry over DoH option. Motivation and contextWe've seen some inconsistent results for tests that explicitly make DNS requests (SPF, DKIM, and DMARC checks), possibly due to networking issues. Adding DoH as a fallback should the traditional DNS request fail improves the odds of successfully making a request. Implementation notesExample of making a DoH call with Powershell:
|
Agency 2 assessment showed a "FAIL" but when looking into the domains flagged by the assessment script, many of which were sub-domains to ones configured in the DNS records hosted by the agency's domain. Agency 2 also mentioned that they noticed two domains that should be approved.
Ethan did check some domains, one did provide a SFT and one provided a “null” output. Ethan also investigated and it could be some weird DNS lookup failures on our end. Maybe we just try to do more testing against tenants with many (think Agency 2 has 60) domains.
The text was updated successfully, but these errors were encountered: