[RndTbl] very strange DNS errors

Theodore Baschak theodore at ciscodude.net
Wed Apr 20 22:34:12 CDT 2016

> On Apr 20, 2016, at 4:58 PM, Trevor Cordes <trevor at tecnopolis.ca> wrote:
> On 2016-04-20 Adam Thompson wrote:
>> Without taking the time to examine these carefully, I'd guess that
>> those domains are being served off less-than-stellar DNS servers, and
> Theo found most were hosted at godaddy (I guess that's what
> "domaincontrol.com" is?)... does that make your above statement less
> (or more!?!) likely?  :-)
>> problem. Examine the chain of authoritative servers for each and I'll
>> bet you find some commonalities. Also there are dozens of DNS "lint"
>> tools that will help you track down other people's errors as well as
>> your own. Best guess without testing: domain has 3-4 servers listed
>> at gTLD, only 2-3 of those are authoritative for the domain, and
> I'm digging into things looking at the available tools as you and Theo
> pointed to.
> It's very bizarre, I just ran a quick test just now just manually
> typing dig <domain> one by one.  On all but 1 of the domains I listed
> originally, dig immediately returned SERVFAIL on my first try!  And
> when I up-arrowed 2s later and hit return to retry, each of those then
> succeeded (NOERROR).
> The SERVFAIL ones return very quickly, all within 99-177ms.  One
> outlier attempt that gave me SERVFAIL returned 1ms... I guess it had a
> negative result cached (probably a sendmail queued for it).
> Before I delve too much into this I'd sure love if someone else who
> runs BIND as recursive resolver (or maybe even dnsmasq, as long as it
> does its own recursion) could just try my +short test a few times to see
> if they can reproduce.  Just cut & paste, takes 2 secs.... I have been
> known to have, shall we say, "customized" configs on relevant things
> like BIND and iptables.
>>> rndc flush
>>> dig +short sportmanitoba.ca
>>> dig +short gymcan.org
>>> dig +short brandoneagles.ca
>>> dig +short interactivegym.org
>>> dig +short artscouncil.mb.ca

I just ran this from home on my caching bind resolver about 12 times and I had 1 dig +short gymcan.org fail out of all of the runs, and it came back almost immediately, not a 5s timeout.
I am my own internet provider for myself (in terms of IP access) as of last Tuesday, so I know I'm not seeing Shaw or MTS middleware messing with my packets.
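The repeat-the-test loop Trevor asks for, as a script added here (not posted in the thread): it queries each domain several times through the local resolver, reads dig's status and query time from full dig output rather than +short, and counts how often a SERVFAIL is followed by a NOERROR on the very next try. The domain list, round count and 1 s pause are assumptions; flushing the cache with rndc beforehand is left to the operator as in the thread.

```shell
#!/bin/sh
# Added example: measure intermittent SERVFAIL from a recursive resolver.

# Pull "status: X" and "Query time: N msec" out of dig's comment/stat lines.
# Prints "STATUS ms"; an empty reply (dig timed out) prints "NOANSWER NA".
dig_status() {
    status=$(printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\).*/\1/p' | head -n 1)
    ms=$(printf '%s\n' "$1" | sed -n 's/^;; Query time: \([0-9]*\) msec.*/\1/p' | head -n 1)
    printf '%s %s\n' "${status:-NOANSWER}" "${ms:-NA}"
}

# One A query for $1 against the system resolver; +comments gives the
# HEADER line with the rcode, +stats gives the query time.
probe_once() {
    out=$(dig +noall +comments +stats "$1" A 2>/dev/null) || out=""
    dig_status "$out"
}

# Tally statuses given in query order. Prints "total servfail recovered",
# where recovered counts SERVFAILs whose immediate retry returned NOERROR.
tally() {
    total=0; fail=0; recovered=0; prev=""
    for s in "$@"; do
        total=$((total + 1))
        if [ "$s" = SERVFAIL ]; then fail=$((fail + 1)); fi
        if [ "$prev" = SERVFAIL ] && [ "$s" = NOERROR ]; then
            recovered=$((recovered + 1))
        fi
        prev=$s
    done
    printf '%d %d %d\n' "$total" "$fail" "$recovered"
}

# Query each domain $1 times with a short pause (like an up-arrow retry)
# and print the tally plus the raw status sequence.
probe_domains() {
    rounds=$1; shift
    for d in "$@"; do
        seq=""; i=0
        while [ "$i" -lt "$rounds" ]; do
            r=$(probe_once "$d")
            seq="$seq ${r%% *}"
            i=$((i + 1)); sleep 1
        done
        printf '%-24s %s  [%s ]\n' "$d" "$(tally $seq)" "$seq"
    done
}

# Live probe only when domains are given, e.g. the thread's list:
#   sh probe.sh sportmanitoba.ca gymcan.org brandoneagles.ca interactivegym.org
if [ $# -gt 0 ]; then probe_domains 5 "$@"; fi
```

A high recovered count relative to servfail points at a transient failure on the first lookup (slow or partially broken authoritative servers, as Adam suggested) rather than a resolver that is consistently unable to resolve the name.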

