Swisscom’s DNS Servers do not support lookup of domains with DNSSEC enabled

The Internet’s Domain Name System (DNS) serves the role of a phone book of the Internet – it translates domain names into numeric IP addresses which can be processed by computers.

The original DNS is not secure:

Email servers use DNS to route their messages, which means they’re vulnerable to security issues in the DNS infrastructure. In September 2014 researchers at CMU found email supposed to be sent through Yahoo!, Hotmail, and Gmail servers routing instead through rogue mail servers. Attackers were exploiting a decades-old vulnerability in the Domain Name System (DNS)—it doesn’t check for credentials before accepting an answer.
-Source

DNSSEC works by adding cryptographic signatures to existing DNS records. A validating resolver can then use those signatures to verify that a requested DNS record really comes from the authoritative name server and has not been altered en route, for example in a man-in-the-middle attack.

Fortunately, AWS Route 53 natively supports DNSSEC and it is a matter of minutes to set it up – see the guide.

Setting up DNSSEC on jiripik.com and accessing it via Swisscom’s Router

Yesterday evening, I enabled DNSSEC on my domain jiripik.com in AWS Route 53. When I checked today how the website loads from my office in Zurich, Switzerland, connected via fiber optics to the Swisscom network, all browsers showed just a blank page and “The page is inaccessible” or “The address is invalid”.

Looking up the domain from PowerShell showed

(base) PS C:\WINDOWS\system32> nslookup jiripik.com
Server:  internetbox.home
Address:  2a02:1210:283c:1000:7a29:edff:fe46:e330

*** internetbox.home can't find jiripik.com: Server failed

We troubleshot this with AWS Support and learnt that:

  • Querying the resolver 195.186.4.162 directly fails with SERVFAIL:

    dig @195.186.4.162 jiripik.com
    ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.amzn2.5.2 <<>> @195.186.4.162 jiripik.com
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 2859
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

  • If you change the Internet Box’s DNS server to the Google Public DNS Server 4.2.2.2 in Swisscom’s Internet Box 2, all works well
  • After you disable DNSSEC on a domain, it takes 2 days to propagate across the internet, but there are multiple additional caches in place:
    • Swisscom’s Internet Box 2 has its own cache, which needs to be flushed by pressing the button in the Internet Box’s control panel
    • Windows computers have their own cache, which can be flushed with the command: ipconfig /flushdns
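As an added example (not code from the original post, from AWS Support or from Swisscom), the script below shows what the dig header above actually encodes and which header bits DNSSEC adds to a DNS exchange: the DO bit in the EDNS0 OPT record asks the resolver for signatures, AD in the response means the resolver validated the chain of trust, and CD asks the resolver to answer even if validation would fail. It builds a DNSSEC-aware query on the wire, decodes response headers the way dig prints them, and classifies a resolver from its CD=0 and CD=1 answers. All byte strings are constructed here: SERVFAIL_RESPONSE reproduces only the header fields visible in the dig output (id 2859, flags qr rd ra, SERVFAIL, counts 1/0/0/1), CD1_RESPONSE and VALIDATED_RESPONSE are hypothetical, and the resolver address 192.0.2.53 in the commented-out live check is a documentation placeholder.

```python
import socket
import struct

# DNS header flag bits, word 2 of the 12-byte header (RFC 1035, RFC 4035)
QR = 0x8000  # message is a response
RD = 0x0100  # recursion desired
RA = 0x0080  # recursion available
AD = 0x0020  # authentic data: the resolver validated the DNSSEC chain
CD = 0x0010  # checking disabled: answer even if validation would fail
RCODE_MASK = 0x000F
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
EDNS_DO = 0x8000  # DO bit: high bit of the OPT record's flags (RFC 6891 / RFC 3225)


def encode_name(name):
    """Encode 'jiripik.com' as wire-format labels: \\x07jiripik\\x03com\\x00."""
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, txid, checking_disabled=False):
    """A-record query for `name` with an EDNS0 OPT record carrying DO=1.
    checking_disabled=True also sets CD, which asks a validating resolver
    to return the answer even when the signatures do not verify."""
    flags = RD | (CD if checking_disabled else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)  # QD=1, AR=1 (the OPT record)
    question = encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    # OPT pseudo-RR: root name, TYPE=41, CLASS=UDP payload size,
    # TTL field = ext-rcode/version/flags (DO lives here), RDLEN=0
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, EDNS_DO, 0)
    return header + question + opt


def parse_header(msg):
    """Decode the 12-byte header the way dig prints its HEADER/flags lines."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    names = [n for bit, n in ((QR, "qr"), (RD, "rd"), (RA, "ra"), (AD, "ad"), (CD, "cd"))
             if flags & bit]
    return {
        "id": txid,
        "flags": " ".join(names),
        "ad": bool(flags & AD),
        "rcode": RCODES.get(flags & RCODE_MASK, str(flags & RCODE_MASK)),
        "counts": (qd, an, ns, ar),
    }


def classify(resp_cd0, resp_cd1):
    """Diagnose a resolver from its answers to the same DO=1 query sent twice,
    once with CD=0 and once with CD=1. Returns a short tag."""
    h0, h1 = parse_header(resp_cd0), parse_header(resp_cd1)
    if h0["rcode"] == "NOERROR" and h0["ad"]:
        return "validated"            # resolver validates and the chain checks out
    if h0["rcode"] == "NOERROR":
        return "unvalidated"          # answered, but nobody validated (no AD bit)
    if h0["rcode"] == "SERVFAIL" and h1["rcode"] == "NOERROR":
        return "validation-failure"   # CD=1 works, CD=0 fails: signature/chain problem
    if h0["rcode"] == "SERVFAIL":
        return "servfail"             # fails even with CD=1: not a validation-only issue
    return "unexpected:" + h0["rcode"]


def send_udp(query, resolver_ip, timeout=3.0):
    """Send one query over UDP and return the raw response (needs network access)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (resolver_ip, 53))
        return s.recv(4096)


# Constructed sample responses (header only, which is all parse_header reads).
# SERVFAIL_RESPONSE mirrors the dig header above: id 2859, flags qr rd ra,
# status SERVFAIL, QUERY 1 / ANSWER 0 / AUTHORITY 0 / ADDITIONAL 1.
SERVFAIL_RESPONSE = struct.pack("!HHHHHH", 2859, QR | RD | RA | 2, 1, 0, 0, 1)
# Hypothetical CD=1 reply from the same resolver that does return the A record.
CD1_RESPONSE = struct.pack("!HHHHHH", 2859, QR | RD | RA | CD, 1, 1, 0, 1)
# Hypothetical reply from a validating resolver: NOERROR with the AD bit set.
VALIDATED_RESPONSE = struct.pack("!HHHHHH", 2859, QR | RD | RA | AD, 1, 1, 0, 1)

if __name__ == "__main__":
    h = parse_header(SERVFAIL_RESPONSE)
    print("status: %s, flags: %s, counts: %s" % (h["rcode"], h["flags"], h["counts"]))
    print("diagnosis:", classify(SERVFAIL_RESPONSE, CD1_RESPONSE))
    # Live check (uncomment and replace RESOLVER, a placeholder, with the resolver under test):
    # RESOLVER = "192.0.2.53"
    # r0 = send_udp(build_query("jiripik.com", 2859), RESOLVER)
    # r1 = send_udp(build_query("jiripik.com", 2860, checking_disabled=True), RESOLVER)
    # print(classify(r0, r1))
```

The CD=0 versus CD=1 comparison is the quickest way to tell a validation problem apart from a resolver that simply cannot serve the zone: a resolver that answers with CD=1 but returns SERVFAIL with CD=0 is rejecting the zone's signatures or chain of trust, while one that fails both ways has a different problem. Note also that a response without the AD bit, as in the dig output above, means no resolver in the chain vouches for the answer; a home router that forwards to an upstream resolver only passes that bit through, so the client's protection depends entirely on the upstream.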

Lessons Learned

  1. Do not enable DNSSEC on domains which may be accessed from legacy internet infrastructure
  2. Use only the latest versions of routers and operating systems
  3. Choose your internet provider carefully