[RndTbl] very strange DNS errors

Trevor Cordes trevor at tecnopolis.ca
Wed Apr 20 16:58:51 CDT 2016

On 2016-04-20 Adam Thompson wrote:
> Without taking the time to examine these carefully, I'd guess that
> those domains are being served off less-than-stellar DNS servers, and

Theo found most were hosted at godaddy (I guess that's what
"domaincontrol.com" is?)... does that make your above statement less
(or more!?!) likely?  :-)

> problem. Examine the chain of authoritative servers for each and I'll
> bet you find some commonalities. Also there are dozens of DNS "lint"
> tools that will help you track down other people's errors as well as
> your own. Best guess without testing: domain has 3-4 servers listed
> at gTLD, only 2-3 of those are authoritative for the domain, and

I'm digging into things looking at the available tools as you and Theo
pointed to.

It's very bizarre.  I just ran a quick test just now, manually typing
dig <domain> one by one.  On all but 1 of the domains I listed
originally, dig immediately returned SERVFAIL on my first try!  And
when I up-arrowed 2s later and hit return to retry, each of those then
succeeded (NOERROR).

The SERVFAIL ones return very quickly, all within 99-177ms.  One
outlier attempt that gave me SERVFAIL returned in 1ms... I guess it had a
negative result cached (probably from a sendmail queued for it).

Before I delve too much into this I'd sure love it if someone else who
runs BIND as a recursive resolver (or maybe even dnsmasq, as long as it
does its own recursion) could just try my +short test a few times to see
if they can reproduce it.  Just cut & paste, takes 2 secs.... I have been
known to have, shall we say, "customized" configs on relevant things
like BIND and iptables.

> >rndc flush
> >dig +short sportmanitoba.ca
> >dig +short gymcan.org
> >dig +short brandoneagles.ca
> >dig +short interactivegym.org
> >dig +short artscouncil.mb.ca

For kicks I added in 5 more domains that I never have problems with,
like well-known companies, certain user groups, and one that I control
the DNS server of.  I reran the test 11 times, about 10s apart.  In
6/11 tries I got 1 SERVFAIL.  The others had no errors.  All 6 failures
were for the above domains, never once the "known good" ones I just
added.  So that's encouraging.  (The failures were on sportmanitoba.ca
x2, artscouncil.mb.ca x3, brandoneagles.ca x1.)

So the theory of "badly behaved name servers beyond my control" looks
like it might be correct.

Assuming for a moment we are positive that is the case, should I be
contacting someone on the other side about fixing this?  I doubt the
domain holders know/care about such technical things, but one would
think the DNS hosting company might?  (I certainly would want to know!)
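A scripted version of the repeated +short test, added here as an example and not code from the original post or from Trevor's setup. It does what the message describes by hand (flush the cache, query each domain through the local resolver, count SERVFAILs per domain over several rounds) and then goes one step further in the direction Adam suggested: it asks each domain's listed name servers directly, without recursion, for the zone's SOA, so that a server that refuses, fails, answers without the aa flag, or carries a different serial shows up as the other side's problem rather than the local BIND's. It assumes dig(1) from BIND 9 is installed (rndc is optional and needs its usual key and privileges), and the control domain known-good.example is a placeholder, not a real name.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post.  Repeats the "+short"
# test in a loop, counting SERVFAILs per domain, then asks each domain's
# listed name servers directly (no recursion) whether they answer the
# zone authoritatively, which is the lame-delegation check Adam guessed at.
# Assumptions: dig(1) from BIND 9 is on PATH; rndc is optional and needs
# its usual key/privileges; known-good.example is a placeholder control
# domain, not a real name.
set -u

# Pull the "status:" field out of a full (non-+short) dig answer on stdin.
dig_status() {
    sed -n 's/^;; ->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Print yes/no: does the dig answer on stdin carry the aa (authoritative) flag?
dig_has_aa() {
    if sed -n 's/^;; flags: \([^;]*\);.*/\1/p' | tr ' ' '\n' | grep -qx aa; then
        echo yes
    else
        echo no
    fi
}

# Read "domain STATUS" lines on stdin; print "domain servfails/total" per domain.
tally_servfail() {
    awk '{ total[$1]++; if ($2 == "SERVFAIL") bad[$1]++ }
         END { for (d in total) printf "%s %d/%d\n", d, bad[d] + 0, total[d] }' | sort
}

# One A query through the local recursive resolver, printed as "domain STATUS".
# +tries=1 +time=3 so a timeout shows up as NOANSWER instead of being retried.
probe_via_resolver() {
    local domain=$1 status
    status=$(dig +tries=1 +time=3 "$domain" A 2>/dev/null | dig_status)
    echo "$domain ${status:-NOANSWER}"
}

# Ask every NS listed for the domain, directly and without recursion, for the
# zone's SOA.  REFUSED/SERVFAIL, a missing aa flag, or serials that disagree
# between servers all point at the authoritative side, not the local resolver.
check_lame_ns() {
    local domain=$1 ns out st aa serial
    for ns in $(dig +short NS "$domain"); do
        out=$(dig @"$ns" +norecurse +tries=1 +time=3 "$domain" SOA 2>/dev/null)
        st=$(printf '%s\n' "$out" | dig_status)
        aa=$(printf '%s\n' "$out" | dig_has_aa)
        serial=$(printf '%s\n' "$out" | awk '$4 == "SOA" { print $7 }' | head -n 1)
        printf '  %-32s %-9s aa=%-3s serial=%s\n' "$ns" "${st:-NOANSWER}" "$aa" "${serial:--}"
    done
}

# Usage: ./digtest.sh run [rounds]   (defaults to 11 rounds, 10 s apart)
if [ "${1:-}" = run ] && command -v dig >/dev/null 2>&1; then
    domains="sportmanitoba.ca gymcan.org brandoneagles.ca interactivegym.org artscouncil.mb.ca known-good.example"
    rounds=${2:-11}
    for i in $(seq "$rounds"); do
        rndc flush >/dev/null 2>&1 || true   # cold cache each round, as in the original test
        for d in $domains; do probe_via_resolver "$d"; done
        if [ "$i" -lt "$rounds" ]; then sleep 10; fi
    done | tally_servfail
    for d in $domains; do
        echo "== $d"
        check_lame_ns "$d"
    done
fi
```

Run it as ./digtest.sh run on the resolver host; the first table says which domains fail and how often, the second says whether each listed name server actually owns the zone. A server that is in the NS set but answers REFUSED or without aa is exactly the "listed at the gTLD but not authoritative" case, and a resolver that happens to pick that server first is what turns into an immediate SERVFAIL followed by a successful retry.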
