Case of (broken) maharashtra.gov.in Authoritative Name Servers
Maharashtra is a state here in India, which has Mumbai, the financial capital of India, as its capital. maharashtra.gov.in is the official website of the State Government of Maharashtra. We’re going to talk about the authoritative name servers serving it (and a bunch of child zones under maharashtra.gov.in).
Here’s a simple trace for the main domain:
$ dig +trace maharashtra.gov.in
; <<>> DiG 9.18.33-1~deb12u2-Debian <<>> +trace maharashtra.gov.in
;; global options: +cmd
. 33128 IN NS j.root-servers.net.
. 33128 IN NS h.root-servers.net.
. 33128 IN NS l.root-servers.net.
. 33128 IN NS k.root-servers.net.
. 33128 IN NS i.root-servers.net.
. 33128 IN NS g.root-servers.net.
. 33128 IN NS f.root-servers.net.
. 33128 IN NS e.root-servers.net.
. 33128 IN NS b.root-servers.net.
. 33128 IN NS d.root-servers.net.
. 33128 IN NS c.root-servers.net.
. 33128 IN NS m.root-servers.net.
. 33128 IN NS a.root-servers.net.
. 33128 IN RRSIG NS 8 0 518400 20250704050000 20250621040000 53148 . pGxGZftwj+6VNTSQtstTKVN95Z7/b5Q8GSjRCXI68GoVYbVai9HNelxs OGIRKL4YmSrsiSsndXuEsBuvL9QvQ+qbybNLkekJUAiicKYNgr3KM3+X 69rsS9KxHgT2T8/oqG8KN8EJLJ8VkuM2PJ2HfSKijtF7ULtgBbERNQ4i u2I/wQ7elOyeF2M76iEOa7UGhgiBHSBqPulsbpnB//WbKL71yyFhWSk0 tiFEPuZM+iLrN2qBsElriF4kkw37uRHq8sSGcCjfBVdkpbb3/Sb3sIgN /zKU17f+hOvuBQTDr5qFIymqGAENA5UZ2RQjikk6+zK5EfBUXNpq1+oo 2y64DQ==
;; Received 525 bytes from 9.9.9.9#53(9.9.9.9) in 3 ms
in. 172800 IN NS ns01.trs-dns.com.
in. 172800 IN NS ns01.trs-dns.net.
in. 172800 IN NS ns10.trs-dns.org.
in. 172800 IN NS ns10.trs-dns.info.
in. 86400 IN DS 48140 8 2 5EE4748C2069B99C98BC39A56881A64AF17CC78711E6297D43AC5A4F 4B5BB6E5
in. 86400 IN RRSIG DS 8 1 86400 20250704050000 20250621040000 53148 . jkCotYosapreoKKPvr9zPOEDECYVe9OtJLjkQbFfTin8uYbm/kdWzieW CkN5sabif5IHTFU4FEVOShfu4DFeUolhNav56TPKjGqEGjQ7qCghpqTj dNN4iY2s8BcJ2ujHwhm6HRfdbQRVoKYQ73UUZ+oWSute6lXWHE9+Snk2 1ZCAYPdZ2s1s7NZhrZW2YXVw/nHIcRl/rHqWIQ9sgUlsd6MwmahcAAG+ v15HG9Q48rCG1A2gJlJPbxWpVe0EUEu8LzDsp+ORqy1pHhzgJynrJHJz qMiYU0egv2j7xVPSoQHXjx3PG2rsOLNnqDBYCA+piEXOLsY3d+7c1SZl w9u66g==
;; Received 679 bytes from 199.7.83.42#53(l.root-servers.net) in 3 ms
maharashtra.gov.in. 900 IN NS ns8.maharashtra.gov.in.
maharashtra.gov.in. 900 IN NS ns9.maharashtra.gov.in.
maharashtra.gov.in. 900 IN NS ns10.maharashtra.gov.in.
maharashtra.gov.in. 900 IN NS ns18.maharashtra.gov.in.
maharashtra.gov.in. 900 IN NS ns20.maharashtra.gov.in.
npk19skvsdmju264d4ono0khqf7eafqv.gov.in. 300 IN NSEC3 1 1 0 - P0KKR4BMBGLJDOKBGBI0KDM39DSM0EA4 NS SOA MX TXT RRSIG DNSKEY NSEC3PARAM
npk19skvsdmju264d4ono0khqf7eafqv.gov.in. 300 IN RRSIG NSEC3 8 3 300 20250626140337 20250528184339 48544 gov.in. Khcq3n1Jn34HvuBEZExusVqoduEMH6DzqkWHk9dFkM+q0RVBYBHBbW+u LsSnc2/Rqc3HAYutk3EZeS+kXVF07GA/A486dr17Hqf3lHszvG/MNT/s CJfcdrqO0Q8NZ9NQxvAwWo44bCPaECQV+fhznmIaVSgbw7de9xC6RxWG ZFcsPYwYt07yB5neKa99RlVvJXk4GHX3ISxiSfusCNOuEKGy5cMxZg04 4PbYsP0AQNiJWALAduq2aNs80FQdWweLhd2swYuZyfsbk1nSXJQcYbTX aONc0VkYFeEJzTscX8/wNbkJeoLP0r/W2ebahvFExl3NYpb7b2rMwGBY omC/QA==
npk19skvsdmju264d4ono0khqf7eafqv.gov.in. 300 IN RRSIG NSEC3 13 3 300 20250718144138 20250619135610 22437 gov.in. mbj7td3E6YE7kIhYoSlDTZR047TXY3Z60NY0aBwU7obyg5enBQU9j5nl GUxn9zUiwVUzei7v5GIPxXS7XDpk7g==
6bflkoouitlvj011i2mau7ql5pk61sks.gov.in. 300 IN NSEC3 1 1 0 - 78S0UO5LI1KV1SVMH1889FHUCNC40U6T TXT RRSIG
6bflkoouitlvj011i2mau7ql5pk61sks.gov.in. 300 IN RRSIG NSEC3 8 3 300 20250626133905 20250528184339 48544 gov.in. M2yPThQpX0sEf4klooQ06h+rLR3e3Q/BqDTSFogyTIuGwjgm6nwate19 jGmgCeWCYL3w/oxsg1z7SfCvDBCXOObH8ftEBOfLe8/AGHAEkWFSu3e0 s09Ccoz8FJiCfBJbbZK5Vf4HWXtBLfBq+ncGCEE24tCQLXaS5cT85BxZ Zne6Y6u8s/WPgo8jybsvlGnL4QhIPlW5UkHDs7cLLQSwlkZs3dwxyHTn EgjNWClhghGXP9nlvOlnDjUkmacEYeq5ItnCQjYPl4uwh9fBJ9CD/8LV K+Tn3+dgqDBek6+2HRzjGs59NzuHX8J9wVFxP7/nd+fUgaSgz+sST80O vrXlHA==
6bflkoouitlvj011i2mau7ql5pk61sks.gov.in. 300 IN RRSIG NSEC3 13 3 300 20250718141148 20250619135610 22437 gov.in. raWzWsQnPkXYtr2v1SRH/fk2dEAv/K85NH+06pNUwkxPxQk01nS8eYlq BPQ41b26kikg8mNOgr2ULlBpJHb1OQ==
couldn't get address for 'ns18.maharashtra.gov.in': not found
couldn't get address for 'ns20.maharashtra.gov.in': not found
;; Received 1171 bytes from 2620:171:813:1534:8::1#53(ns10.trs-dns.org) in 0 ms
;; communications error to 10.187.202.24#53: timed out
;; communications error to 10.187.202.24#53: timed out
;; communications error to 10.187.202.24#53: timed out
;; communications error to 10.187.202.28#53: timed out
;; communications error to 10.187.203.201#53: timed out
;; no servers could be reached
Quick takeaways:
- 5 authoritative NS were listed in the parent zone (gov.in), i.e.:
  - ns8.maharashtra.gov.in.
  - ns9.maharashtra.gov.in.
  - ns10.maharashtra.gov.in.
  - ns18.maharashtra.gov.in.
  - ns20.maharashtra.gov.in.
- No address (no A/AAAA records) could be found for ns18.maharashtra.gov.in and ns20.maharashtra.gov.in. Internet Archive snapshots for bgp.tools at time of writing: NS18 and NS20.
- “communications error to 10.187.202.24#53: timed out”, “communications error to 10.187.202.28#53: timed out” and “communications error to 10.187.203.201#53: timed out” are likely due to RFC 1918 (private) addresses in the records for the NS. Of course, they will never respond on the public internet.
- Not in the trace, but NS10 has a private or empty A/AAAA record against it (detailed further down).
- The query resolution failed with “no servers could be reached”, leading to query failure, i.e. we didn’t get any A/AAAA record for that query.
It’s a hit or miss for this query resolution.
Let’s look at the NS records added in the zone itself:
$ dig ns maharashtra.gov.in
; <<>> DiG 9.18.33-1~deb12u2-Debian <<>> ns maharashtra.gov.in
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 172
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;maharashtra.gov.in. IN NS
;; ANSWER SECTION:
maharashtra.gov.in. 300 IN NS ns8.maharashtra.gov.in.
maharashtra.gov.in. 300 IN NS ns9.maharashtra.gov.in.
;; ADDITIONAL SECTION:
ns9.maharashtra.gov.in. 300 IN A 10.187.202.24
ns8.maharashtra.gov.in. 300 IN A 10.187.202.28
;; Query time: 180 msec
;; SERVER: 9.9.9.9#53(9.9.9.9) (UDP)
;; WHEN: Sat Jun 21 23:00:49 IST 2025
;; MSG SIZE rcvd: 115
Pay special attention to the “ADDITIONAL SECTION”. Running dig ns9.maharashtra.gov.in and dig ns8.maharashtra.gov.in returns RFC 1918 (i.e. private) addresses too. This is coming from the zone itself, so the in-zone A records of NS8 and NS9 point to 10.187.202.28 and 10.187.202.24 respectively.
Cloudflare 1.1.1.1 has a slightly different version:
$ dig ns maharashtra.gov.in @1.1.1.1
; <<>> DiG 9.18.33-1~deb12u2-Debian <<>> ns maharashtra.gov.in @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36005
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;maharashtra.gov.in. IN NS
;; ANSWER SECTION:
maharashtra.gov.in. 300 IN NS ns8.
maharashtra.gov.in. 300 IN NS ns10.maharashtra.gov.in.
maharashtra.gov.in. 300 IN NS ns9.
;; Query time: 7 msec
;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)
;; WHEN: Sun Jun 22 10:38:30 IST 2025
;; MSG SIZE rcvd: 100
The reason for the difference between 1.1.1.1 and 9.9.9.9 is in the next section.
Looking at parent zone
The parent zone for it is gov.in. Tucows is the operator for gov.in as well as the in ccTLD zone:
$ dig ns gov.in +short
ns01.trs-dns.net.
ns01.trs-dns.com.
ns10.trs-dns.org.
ns10.trs-dns.info.
Let’s take a look at what the parent zone holds:
$ dig ns maharashtra.gov.in @ns01.trs-dns.net.
; <<>> DiG 9.18.36 <<>> ns maharashtra.gov.in @ns01.trs-dns.net.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56535
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 5, ADDITIONAL: 6
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: f13027aa39632404010000006856fa2a9c97d6bbc973ba4f (good)
;; QUESTION SECTION:
;maharashtra.gov.in. IN NS
;; AUTHORITY SECTION:
maharashtra.gov.in. 900 IN NS ns8.maharashtra.gov.in.
maharashtra.gov.in. 900 IN NS ns18.maharashtra.gov.in.
maharashtra.gov.in. 900 IN NS ns10.maharashtra.gov.in.
maharashtra.gov.in. 900 IN NS ns9.maharashtra.gov.in.
maharashtra.gov.in. 900 IN NS ns20.maharashtra.gov.in.
;; ADDITIONAL SECTION:
ns20.maharashtra.gov.in. 900 IN A 52.183.143.210
ns18.maharashtra.gov.in. 900 IN A 35.154.30.166
ns10.maharashtra.gov.in. 900 IN A 164.100.128.234
ns9.maharashtra.gov.in. 900 IN A 103.23.150.89
ns8.maharashtra.gov.in. 900 IN A 103.23.150.88
;; Query time: 28 msec
;; SERVER: 64.96.2.1#53(ns01.trs-dns.net.) (UDP)
;; WHEN: Sun Jun 22 00:00:02 IST 2025
;; MSG SIZE rcvd: 248
The ADDITIONAL SECTION gives a completely different picture. Maybe this was how it was supposed to be, but none of the IPs listed for NS10, NS18 and NS20 are responding to any DNS query.
Assuming NS8 is 103.23.150.88 and NS9 is 103.23.150.89, checking the SOA on each gives the following:
$ dig soa maharashtra.gov.in @103.23.150.88 +short
ns8.maharashtra.gov.in. postmaster.maharashtra.gov.in. 2013116777 1200 600 1296000 300
$ dig soa maharashtra.gov.in @103.23.150.89 +short
ns8.maharashtra.gov.in. postmaster.maharashtra.gov.in. 2013116757 1200 600 1296000 300
NS8 (which is marked as primary) has serial 2013116777 and NS9 is on serial 2013116757, so it looks like the sync (IXFR/AXFR) between primary and secondary is also broken. That’s why NS8 and NS9 are serving different records, as is evident from the following:
$ dig ns8.maharashtra.gov.in @103.23.150.88 +short
103.23.150.88
$ dig ns8.maharashtra.gov.in @103.23.150.89 +short
10.187.202.28
$ dig ns9.maharashtra.gov.in @103.23.150.88 +short
103.23.150.89
$ dig ns9.maharashtra.gov.in @103.23.150.89 +short
10.187.202.24
$ dig ns maharashtra.gov.in @103.23.150.88 +short
ns9.
ns8.
ns10.maharashtra.gov.in.
$ dig ns maharashtra.gov.in @103.23.150.89 +short
ns9.maharashtra.gov.in.
ns8.maharashtra.gov.in.
$ dig ns10.maharashtra.gov.in @103.23.150.88 +short
10.187.203.201
$ dig ns10.maharashtra.gov.in @103.23.150.89 +short
# No/empty response ^
To summarize:
- Primary and secondary NS aren’t in sync. Serials don’t match, and NS8 and NS9 respond differently to queries.
- NSes have A records with private addresses, not reachable on the internet, so lame servers.
- Incomplete NS names, not even FQDNs in some cases.
- Difference between the NS delegated in the parent zone and the NS added in the actual zone.
- Name resolution works only in a very particular order (in my initial trace it failed).
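An added example (not from the original post) that runs the checks summarized above over the observations transcribed from the dig output on this page. The `audit` function and the finding names are hypothetical, and the data is hard-coded rather than queried live.

```python
import ipaddress

ZONE = "maharashtra.gov.in."
# Transcribed from the dig output on this page: gov.in glue, then what each
# reachable authoritative server (queried by IP) serves for the zone.
PARENT_GLUE = {
    "ns8." + ZONE: "103.23.150.88", "ns9." + ZONE: "103.23.150.89",
    "ns10." + ZONE: "164.100.128.234", "ns18." + ZONE: "35.154.30.166",
    "ns20." + ZONE: "52.183.143.210",
}
CHILD = {
    "103.23.150.88": {
        "serial": 2013116777,
        "ns": ["ns9.", "ns8.", "ns10." + ZONE],
        "a": {"ns8." + ZONE: "103.23.150.88", "ns9." + ZONE: "103.23.150.89",
              "ns10." + ZONE: "10.187.203.201"},
    },
    "103.23.150.89": {
        "serial": 2013116757,
        "ns": ["ns9." + ZONE, "ns8." + ZONE],
        "a": {"ns8." + ZONE: "10.187.202.28", "ns9." + ZONE: "10.187.202.24",
              "ns10." + ZONE: None},  # empty answer
    },
}

def audit(parent_glue, child):
    """Return sorted (check, server, detail) findings for a delegation."""
    findings = set()
    if len({obs["serial"] for obs in child.values()}) > 1:
        serials = ", ".join(f"{s}={o['serial']}" for s, o in sorted(child.items()))
        findings.add(("soa-serial-mismatch", "*", serials))
    for server, obs in child.items():
        for ns in obs["ns"]:
            if ns.rstrip(".").count(".") == 0:  # e.g. "ns8." is a bare label
                findings.add(("ns-target-not-fqdn", server, ns))
        for ns in set(parent_glue) ^ set(obs["ns"]):
            side = "parent-only" if ns in parent_glue else "child-only"
            findings.add(("ns-set-mismatch", server, f"{ns} ({side})"))
        for name, addr in obs["a"].items():
            if addr is None:
                findings.add(("ns-no-address", server, name))
            elif not ipaddress.ip_address(addr).is_global:
                findings.add(("ns-non-public-address", server, f"{name} -> {addr}"))
            elif addr != parent_glue.get(name):
                findings.add(("glue-mismatch", server, f"{name} -> {addr}"))
    return sorted(findings)

if __name__ == "__main__":
    for check, server, detail in audit(PARENT_GLUE, CHILD):
        print(f"{check:24} {server:14} {detail}")
```

Each finding names the server that produced it, so the divergence between the two reachable authoritative servers shows up as different findings per IP.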
Initially, I thought of citing RFCs, but I don’t really think it’s even required.
1.1.1.1, 8.8.8.8 and 9.9.9.9 are handling this problem (lame servers) well, handing out the A record for the main website, so dig maharashtra.gov.in would mostly pass, and that was the reason I started this post with +trace to recurse the complete zone to show the problem.
For reference later:
$ dig maharashtra.gov.in @8.8.8.8 +short
103.8.188.109
I have sent the following email to the address listed in the SOA:
Subject - maharashtra.gov.in authoritative DNS servers not reachable
Hello,
I wanted to highlight the confusing state of maharashtra.gov.in authoritative DNS servers.
Parent zone list following as name servers for your DNS zone:
- ns8.maharashtra.gov.in.
- ns18.maharashtra.gov.in.
- ns10.maharashtra.gov.in.
- ns9.maharashtra.gov.in.
- ns20.maharashtra.gov.in.
Out of these, ns18 and ns20 don’t have public A/AAAA records and are thus not reachable. ns10 keeps on shuffling between NO A record and 10.187.203.201 (private, not reachable address). ns8 keeps on shuffling between 103.23.150.88 and 10.187.202.28 (private, not reachable address). ns9 keeps on shuffling between 103.23.150.89 and 10.187.202.24 (private, not reachable address).
These are leading to long, broken, or no DNS resolution for the website(s). Can you take a look at the problem?
Regards, Sahil
I’ll update here if I get a response. Hopefully, they’ll listen and fix their problem.