Google DNS on 8.8.8.8 not showing selected domains

[martinwb...@gmail.com]

Several websites I manage have been working OK for ages.  Now, and for the last couple of weeks,  bbbra.uk  sfmes.co.uk and would-france.co.uk no longer show in the google DNS at 8.8.8.8

However it is correctly registered and works fine on other DNS servers (eg virgin media)

I have checked with MXTOOLBOX which reports all OK and likewise on several other DNS testers.  I have checked with Fasthosts support (the host for these sites) and they confirm that all DNS is in order at our end.  They have had a ticket and investigated the problem and cannot find any malfunction at our end.

So as there are no explanatory messages for the omission anywhere, it is impossible to see a way forward

Any suggestions? 

(both reports done in the last 10 minutes but have been this way for weeks)

EG  google DNS

Microsoft Windows [Version 6.1.7601]

Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\martin>nslookup sfmes.co.uk

Server:  google-public-dns-a.google.com

Address:  8.8.8.8

DNS request timed out.

    timeout was 2 seconds.

DNS request timed out.

    timeout was 2 seconds.

DNS request timed out.

    timeout was 2 seconds.

DNS request timed out.

    timeout was 2 seconds.

*** Request to google-public-dns-a.google.com timed-out

C:\Users\martin>

However this loads ok on virgin media DNS

Microsoft Windows XP [Version 5.1.2600]

(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Martin>nslookup sfmes.co.uk

Server:  cache1.service.virginmedia.net

Address:  194.168.4.100

Non-authoritative answer:

Name:    sfmes.co.uk

Address:  88.208.249.25

C:\Documents and Settings\Martin>

Martin

[Alex Dupuy]

bbbra.uk is not a registered domain 

Checking on dns.google.com, the name servers for the other two don't appear to be responding from the single IP address given for their name servers:

$ checkdelegation sfmes.co.uk

parent zone co.uk:

(dig sfmes.co.uk. @dns1.nic.uk. @dns2.nic.uk. @dns3.nic.uk. @dns4.nic.uk. @nsa.nic.uk. @nsb.nic.uk. @nsc.nic.uk. @nsd.nic.uk.)

sfmes.co.uk. 172800 NS ns1.sfmes.co.uk.

sfmes.co.uk. 172800 NS ns2.sfmes.co.uk.

ns1.sfmes.co.uk. 172800 A 88.208.249.25

ns2.sfmes.co.uk. 172800 A 88.208.249.25

$ checkdelegation would-france.co.uk

parent zone co.uk:

(dig would-france.co.uk. @dns1.nic.uk. @dns2.nic.uk. @dns3.nic.uk. @dns4.nic.uk. @nsa.nic.uk. @nsb.nic.uk. @nsc.nic.uk. @nsd.nic.uk.)

would-france.co.uk. 172800 NS ns1.would-france.co.uk.

would-france.co.uk. 172800 NS ns2.would-france.co.uk.

ns1.would-france.co.uk. 172800 A 88.208.248.73

ns2.would-france.co.uk. 172800 A 88.208.248.73

Result for sfmes.co.uk/A with DNSSEC validation:

{
  "Status": 2,
  "TC": false,
  "RD": true,
  "RA": true,
  "AD": false,
  "CD": false,
  "Question": [
    {
      "name": "sfmes.co.uk.",
      "type": 1
    }
  ],
  "Comment": "Name servers did not respond [88.208.249.25]."
}

Result for would-france.co.uk/A with DNSSEC validation:

{
  "Status": 2,
  "TC": false,
  "RD": true,
  "RA": true,
  "AD": false,
  "CD": false,
  "Question": [
    {
      "name": "would-france.co.uk.",
      "type": 1
    }
  ],
  "Comment": "Name servers did not respond [88.208.248.73]."
}

You need to have multiple name servers that are able to respond to queries from recursive resolvers; I recommend that you look into setting up secondary DNS service from one of the several services that provide this for free.

[martinwb...@gmail.com]

Alex 

Many thanks your note

Firstly my bad, brrra.uk is the name of the other domain - but I guess the same result you found would apply.

Now there has been no break of service on the server at all for several weeks at all, not even a server restart so there is no possible outage on that service; unless google refuses to serve a DNS for a domain that does not have two separate DNS servers.  Is that possible?

I see from your results that the DNS did not respond.  However, still we have

• virgin media doesn't have any problem and apparently neither do all other users of the websites not on google DNS
• full test on MXtoolsbox doesn't have any problem (https://mxtoolbox.com/SuperTool.aspx?action=mx%3abrrra.uk&run=toolpage) 
• http://dnsviz.net/d/brrra.uk/dnssec/   and the others do not have any problem
  

So the question is why does your test have a problem.  If you were using the google DNS within the investigation to find the server then clearly DNS doesn't work so it would defeat the test.  However from somewhere you got to the correct IP addresses for the domains.

So the nub of the question is why did the server appear or actually not respond. 

I can do a ping 88.208.248.73 and get a response. Can you?  If not please could you provide a tracert.  

One thing that might stop you getting through is perhaps the firewall on the server.  What is your IP address so I can check if it has been blocked. I have already checked the nslookup for the three _netblocks used by google and can confirm none of these are blocked.  

Does the fault you encounter also occur when doing a test on an environment completely clear of google's infrastructure?

Kind regards

Martin 

[martinwb...@gmail.com]

Alex thanks for the reply

Sorry domain name brrra.uk should have been what I typed, but I guess your response would have been the same.

I find that mysteriously the google dns is now working.

Microsoft Windows [Version 6.1.7601]

Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\martin>nslookup sfmes.co.uk

Server:  google-public-dns-a.google.com

Address:  8.8.8.8

Non-authoritative answer:

Name:    sfmes.co.uk

Address:  88.208.249.25

C:\Users\martin>

Considering the number of other identical sounding DNS problems on other tickets, is this not a suggestion that there is something a bit flakey with the google dns service?

This is not an outage I would like to recur so any understanding of what has been going on would be appreciated.  At the very least, surely google could actually respond electronically with a detailed explanation of the difficulty it was having.  Eg web based url on google somewhat akin to nslookup+tracert  but which provides some diagnostics that might lead to an understanding of this issue

Martin

[Alex Dupuy]

There are several possible reasons that Google Public DNS resolvers might not get any response from the single name server while other services would.

One would be a routing problem between our network and yours. This problem can occur with any DNS client, and is one of the main reasons that Internet RFCs recommend (and many testing tools warn) that you should not have a single DNS server, and that your DNS servers should be on independent networks.

The other might be that your single DNS server was getting too many (duplicate?) requests from our name servers, which can happen if it is slow to respond and clients send multiple requests on 8.8.8.8 and 8.8.4.4 and queries are load balanced on multiple resolvers that end up appearing to be from the same IP address. This can cause firewalls to block traffic and DNS name servers that implement response rate limiting (RRL) to drop replies. Explicitly allowing all IP address ranges (https://developers.google.com/speed/public-dns/faq#locations) used by Google Public DNS and exempting them from RRL and firewall blocking can help prevent these problems.