DNS lookups fail on Google resolver, work on others.


s.raj...@epicwebstudios.com

Oct 3, 2018, 9:20:58 AM
to public-dns-discuss
We have various domains that we have had reported as unable to access when using Google's DNS servers.

After researching, we have found that almost all other resolver DNS servers return the correct information, but Google's fails.

When attempting to query without DNSSEC validation, we get the correct result, but others return the correct result even with DNSSEC, so we don't know why this would be failing:

; <<>> DiG 9.8.3-P1 <<>> @8.8.8.8 pay.epicwebstudios.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 18958
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;pay.epicwebstudios.com.        IN  A

;; Query time: 77 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Oct  2 14:11:51 2018
;; MSG SIZE  rcvd: 40

; <<>> DiG 9.8.3-P1 <<>> @8.8.8.8 pay.epicwebstudios.com +cd
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38980
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;pay.epicwebstudios.com.        IN  A

;; ANSWER SECTION:
pay.epicwebstudios.com. 14399   IN  A   66.147.239.128

;; Query time: 186 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Oct  2 14:12:10 2018
;; MSG SIZE  rcvd: 56

; <<>> DiG 9.8.3-P1 <<>> @4.2.2.1 pay.epicwebstudios.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5281
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;pay.epicwebstudios.com.        IN  A

;; ANSWER SECTION:
pay.epicwebstudios.com. 14400   IN  A   66.147.239.128

;; Query time: 24 msec
;; SERVER: 4.2.2.1#53(4.2.2.1)
;; WHEN: Tue Oct  2 14:12:26 2018
;; MSG SIZE  rcvd: 56

Any ideas?

Thanks!

Alex Dupuy

Oct 10, 2018, 11:33:28 AM
to public-dns-discuss
Your DNSSEC zone had bad NSEC3 records that proved the nonexistence of the pay.epicwebstudios.com subdomain, as shown in the Errors section of http://dnsviz.net/d/pay.epicwebstudios.com/W7WS8g/dnssec/

You have since fixed that (http://dnsviz.net/d/pay.epicwebstudios.com/W7YYfw/dnssec/), so presumably all is working now.

In the future, try using the dns.google.com query tool as it can provide some limited diagnostic comments on reasons for resolution failure.

Also, be sure to check against other DNSSEC-validating public resolvers like 9.9.9.9 and 1.1.1.1.

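The comparison used in this thread (the same query with and without +cd against one resolver) can be automated over saved dig output. The following is an added example, not code from either poster or from Google Public DNS; the function names and verdict strings are assumptions, and the sample is condensed from the dig runs quoted above.

```python
import re

# Constructed sample: banner, header and flags lines condensed from the thread's dig runs.
SAMPLE = """\
; <<>> DiG 9.8.3-P1 <<>> @8.8.8.8 pay.epicwebstudios.com
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 18958
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
; <<>> DiG 9.8.3-P1 <<>> @8.8.8.8 pay.epicwebstudios.com +cd
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38980
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
; <<>> DiG 9.8.3-P1 <<>> @4.2.2.1 pay.epicwebstudios.com
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5281
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
"""

BANNER = re.compile(r"^; <<>> DiG \S+ <<>> (.*)$")
STATUS = re.compile(r"status: (\w+)")
FLAGS = re.compile(r"^;; flags: ([a-z ]*);")

def parse_runs(text):
    """Return one dict per dig run: server, qname, status, cd (bool)."""
    runs = []
    for line in text.splitlines():
        if m := BANNER.match(line):
            args = m.group(1).split()
            server = next((a[1:] for a in args if a.startswith("@")), None)
            qname = next((a for a in args if a[0] not in "@+-"), "")
            runs.append({"server": server, "qname": qname.rstrip(".").lower(),
                         "status": None, "cd": False})
        elif runs and line.startswith(";; ->>HEADER<<-") and (m := STATUS.search(line)):
            runs[-1]["status"] = m.group(1)
        elif runs and (m := FLAGS.match(line)):
            runs[-1]["cd"] = "cd" in m.group(1).split()
    return runs

def classify(runs):
    """Per (server, qname), compare the validating run with the +cd run."""
    by_key = {}
    for r in runs:
        by_key.setdefault((r["server"], r["qname"]), {})[r["cd"]] = r["status"]
    verdicts = {}
    for key, st in by_key.items():
        if st.get(False) == "SERVFAIL" and st.get(True) == "NOERROR":
            # Fails only when the resolver validates: points at the zone's DNSSEC data.
            verdicts[key] = "dnssec-validation-failure"
        elif st.get(False) == "SERVFAIL":
            verdicts[key] = "servfail-cause-unknown"  # no +cd run, or +cd failed too
        else:
            verdicts[key] = "resolves"
    return verdicts
```

A "resolves" verdict says nothing about whether that resolver validates DNSSEC, so a clean result from a non-validating resolver does not clear the zone.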