From http://mxtoolbox.com/DNSLookup.aspx, and selecting "MX Lookup" from
the "DNS" drop-down list, I get for "va.gov":
mx20.va.gov 152.131.26.44
It doesn't query ALL record types from the nameserver, just the type you
specify. The "DNS Lookup" choice returns the A record. The above log
doesn't say on which record type the query failed. When I specified a
CNAME lookup at mxtoolbox, that lookup failed. Well, there may not be a
redirection in their nameserver. They don't have to use one if they
don't want to. Your own NNTP provider (aioe.org) doesn't have any CNAME
records, either.
http://en.wikipedia.org/wiki/CNAME_record
I don't get the SERVFAIL error that you do; however, I might not be
running the same nslookup program. I'm using Windows 7. You didn't say
what you use so you might be under some *NIX variant using its flavor of
nslookup. When I use "server 8.8.8.8" (or 8.8.4.4) I get timeouts on
the "set q=any" for the va.gov request; however, when I use my own ISP's
DNS server then I get:
server 8.8.8.8
> set q=any
> va.gov
Server: UnKnown
Address: 192.168.1.1
Non-authoritative answer:
va.gov nameserver = ns1x.va.gov
va.gov nameserver = ns4x.va.gov
va.gov nameserver = ns3x.va.gov
va.gov nameserver = ns2x.va.gov
va.gov ??? unknown type 46 ???
ns3x.va.gov internet address = 152.132.16.7
From http://en.wikipedia.org/wiki/List_of_DNS_record_types, record type
46 is RRSIG (DNSSEC signature). Here's something I happened to find on
my ISP's DNS site about .gov domains and DNSSEC:
http://dns.comcast.net/
With the US gov't in financial sequester mode, yeah, I can see this
still not getting addressed after 3 months. DNSSEC is an old spec but
not adopted until a couple years ago and still not yet overwhelmingly
implemented (maybe all of 4% to 7% of DNS servers employ DNSSEC; see
https://labs.ripe.net/Members/gih/counting-dnssec).
So it looks like Google's DNS doesn't like requests on ANY record type.
My ISP's DNS and OpenDNS (208.67.222.222) work okay. I'm assuming you
are just using OpenDNS without an account (which could change results
depending on filters you define in an account). I stopped using OpenDNS
because they are spammers. Instead of returning a 404 error for a typo
on a URL or for non-existent domains, they redirect you to their
"helper" search page so they can generate some revenue from there. Yes,
if you have an account (which means installing their DNS updater client
so they can associate your account with your current IP address) at
OpenDNS then you can disable this redirection except that also means
losing several other features which was why you created an account so
you would have them. They punish you for disabling their redirection.
Tis also why I don't use Norton DNS or Ultra DNS. My own ISP tried this
revenue-generating trick but gave their customers an option to disable
it (which I did). When Verisign tried this trick to redirect to the
revenue-generating search page whenever any .com lookup fails, they got so
heavily blasted that they ceased. Yet OpenDNS, Norton, some ISPs, and
other DNS providers still use this trick to "help" you find where they
think you meant to go. I use my ISP's DNS server (with "helper"
redirection disabled) and Google's DNS because those are more properly
behaved servers.
Google DNS does not work (for now). You didn't say WHICH of the Norton
DNS servers you used. They all start with 198.153.[192/194] and end
with: .40 for Security, .50 for Security and Pornography, and .60 for
Security, Pornography, and Non-Family Friendly (I'm assuming
"Pornography" is really "Anti-Pornography"). Whichever I use (.40, .50,
or .60), they all result in timeouts for "set q=any" on va.gov, so
Norton DNS is behaving like Google DNS on "set q=any" in that respect.
So it looks like DNS servers are not created equal. In fact, the ones
that I use (ISP and Google) are both non-authoritative servers. When I
use Google DNS (8.8.8.8) on a dig, I get:
Dig va....@8.8.8.8 ...
Non-authoritative answer
Recursive queries supported by this server
Nameserver has a problem and can't talk right now
When I use my ISP's DNS server, I get:
Dig va....@75.75.76.76 ...
Non-authoritative answer
Recursive queries supported by this server
Query for va.gov type=255 class=1
va.gov NS (Nameserver) ns2x.va.gov
va.gov NS (Nameserver) ns3x.va.gov
va.gov NS (Nameserver) ns4x.va.gov
va.gov NS (Nameserver) ns1x.va.gov
va.gov Unrecognised resource record (46)
Although I tried to use the "set q=soa" directive to get at the
authoritative DNS server for my ISP (comcast.net) which is
69.252.250.103, trying to get the record returns "Query refused.
Nameserver won't talk to me for policy reasons". Oh well, I don't know
an authoritative DNS server for my use to see how the dig results might
vary. So results vary depending on the DNS server I use (and can use).
Oh, and back to your query "MX records for va.gov are broken", well,
they aren't. Your own "set q=mx" returned the MX record so it does
work.
*Oops, I see I'm responding to our voluminous nymshifter changing his nym*
*in every newsgroup: (Spam|Virus|...) (Guy|Man). Should've checked*
*that first. Bye bye*
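
Added example, not part of the original post: a minimal DNS wire-format decoder showing what "type=255 class=1" and "unknown type 46" look like inside a reply. The function names, the TTL and the dummy RRSIG body are assumptions made for illustration; the reply is constructed inline, so nothing is sent to a resolver.

```python
import struct
# Subset of the IANA RR type registry; the post hit 255 (ANY) and 46 (RRSIG).
RR_TYPES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 15: "MX", 46: "RRSIG", 255: "ANY"}

def encode_name(name):  # dotted name -> length-prefixed labels
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def read_name(msg, off):
    """Decode the name at off, following compression pointers: (name, next offset)."""
    labels, end, hops = [], None, 0
    while (n := msg[off]) != 0:
        if n & 0xC0 == 0xC0:                      # two-byte compression pointer
            end = off + 2 if end is None else end
            off = ((n & 0x3F) << 8) | msg[off + 1]
            if (hops := hops + 1) > 16:           # malformed packets can loop pointers
                raise ValueError("compression pointer loop")
        else:
            labels.append(msg[off + 1:off + 1 + n].decode())
            off += 1 + n
    return ".".join(labels), (off + 1 if end is None else end)

def build_query(name, qtype, qid=0x1234):  # one question, class IN (1), RD set
    return struct.pack("!6H", qid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!2H", qtype, 1)

def parse_answers(msg):
    """Return (rcode, [(owner, type name, summary), ...]) for the answer section."""
    _, flags, qd, an, _, _ = struct.unpack("!6H", msg[:12])
    off, records = 12, []
    for _ in range(qd):                           # skip the echoed question
        off = read_name(msg, off)[1] + 4
    for _ in range(an):
        owner, off = read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        summary = msg[off:off + rdlen].hex()      # default: raw RDATA as hex
        if rtype == 2:                            # NS: RDATA is a (compressed) name
            summary = read_name(msg, off)[0]
        elif rtype == 46:                         # RRSIG: RDATA starts with type covered
            covered = int.from_bytes(msg[off:off + 2], "big")
            summary = "covers " + RR_TYPES.get(covered, f"TYPE{covered}")
        records.append((owner, RR_TYPES.get(rtype, f"TYPE{rtype}"), summary))
        off += rdlen
    return flags & 0x000F, records

def sample_response():  # constructed reply to an ANY query; RRSIG body is dummy bytes
    q = build_query("va.gov", 255)
    rr = lambda t, rd: b"\xc0\x0c" + struct.pack("!HHIH", t, 1, 300, len(rd)) + rd
    answers = rr(2, b"\x04ns1x\xc0\x0c") + rr(46, b"\x00\x02" + bytes(16))
    return q[:2] + struct.pack("!5H", 0x8180, 1, 2, 0, 0) + q[12:] + answers
```

A type number missing from RR_TYPES comes back as TYPE<n>, which is all that the "unknown type 46" and "Unrecognised resource record (46)" lines above mean: the client's table predates RRSIG.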