[dns-operations] Google DNS + domain = not resolvable, other DNS + domain = resolvable

Chris Thompson cet1 at cam.ac.uk
Fri Jan 26 18:00:05 UTC 2018

On Jan 26 2018, Zack Piper wrote:

>We're trying to resolve the domain mazuma.co.th, resolving the domain (A
>records) on any of the following nameservers results in a SERVFAIL:
> returned SERVFAIL or otherwise no records
> returned SERVFAIL or otherwise no records
>Of the 200 servers I tested, the above couldn't resolve mazuma.co.th
>The rest can resolve it to

This is a (rather straightforward) DNSSEC configuration error. There is a
DS record for mazuma.co.th in the parent zone co.th:

mazuma.co.th.  7200  IN   DS   2371 13 2 17E84A970ECAC1463F5DACD5F886115517D461E7350E526D85A1F376A06BB315

but no DNSKEY records in the zone itself (at ns{41,42}.domaincontrol.com).
See e.g. http://dnsviz.net/d/mazuma.co.th/dnssec/

>So I guess the SERVFAIL ones feed from Google? What I'm curious to know
>is: does Google's public DNS blacklist malicious websites? The website
>itself doesn't seem to be blocked on other things I checked.
>Anyway, hopefully someone can shed some light on why Google's DNS can't
>resolve mazuma.co.th but almost everything else can

Validating resolvers will detect mazuma.co.th as broken and give SERVFAIL.
Non-validating ones will not.

Chris Thompson
Email: cet1 at cam.ac.uk
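An added example, not part of the original thread, of the DS-to-DNSKEY link that a validating resolver checks before it will trust a zone: it computes the key tag and DS digest (RFC 4034) for each child DNSKEY and compares them with the parent's DS set, using only the standard library. It models only that match, not RRSIG verification, and the example.test key below is a constructed placeholder, not a real key.

```python
import hashlib
import struct

def name_to_wire(name: str) -> bytes:
    """Owner name in canonical (lower-cased) DNS wire format, RFC 4034 section 6.2."""
    wire = b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in name.rstrip(".").lower().split("."))
    return wire + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (the non-algorithm-1 variant)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS digest over owner-name-wire || DNSKEY RDATA; type 2 is SHA-256."""
    algo = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}[digest_type]
    return algo(name_to_wire(owner) + rdata).hexdigest().upper()

def ds_for_dnskey(owner: str, key: tuple, digest_type: int = 2) -> tuple:
    """Build the (key_tag, algorithm, digest_type, digest) DS tuple for a DNSKEY."""
    rdata = dnskey_rdata(*key)
    return (key_tag(rdata), key[2], digest_type, ds_digest(owner, rdata, digest_type))

def classify(owner: str, parent_ds: list, child_dnskeys: list) -> str:
    """'insecure' = no DS in parent; 'secure' = a DS matches a child DNSKEY;
    'bogus' = DS present but no child DNSKEY matches (validators SERVFAIL)."""
    if not parent_ds:
        return "insecure"
    for key in child_dnskeys:
        if ds_for_dnskey(owner, key, 2) in parent_ds or \
           any(ds_for_dnskey(owner, key, d[2]) == d for d in parent_ds):
            return "secure"
    return "bogus"

# The DS record quoted in the post, as published in co.th for mazuma.co.th.
MAZUMA_DS = [(2371, 13, 2,
              "17E84A970ECAC1463F5DACD5F886115517D461E7350E526D85A1F376A06BB315")]
# Constructed placeholder key (flags=257 KSK, protocol=3, alg=13); NOT a real key.
EXAMPLE_KEY = (257, 3, 13, bytes(range(64)))

if __name__ == "__main__":
    print("mazuma.co.th:", classify("mazuma.co.th", MAZUMA_DS, []))  # bogus
```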
