[dns-operations] Google DNS + domain = not resolvable, other DNS + domain = resolvable
Chris Thompson
cet1 at cam.ac.uk
Fri Jan 26 18:00:05 UTC 2018

On Jan 26 2018, Zack Piper wrote:

>We're trying to resolve the domain mazuma.co.th; resolving the domain (A
>records) on any of the following nameservers results in a SERVFAIL:
>
>8.8.8.8: returned SERVFAIL or otherwise no records
[...]
>212.94.34.34: returned SERVFAIL or otherwise no records
>
>Of the 200 servers I tested, the above couldn't resolve mazuma.co.th
>
>The rest can resolve it to 107.180.126.240

This is a (rather straightforward) DNSSEC configuration error. There is a
DS record for mazuma.co.th in the parent zone co.th:

  mazuma.co.th. 7200 IN DS 2371 13 2 17E84A970ECAC1463F5DACD5F886115517D461E7350E526D85A1F376A06BB315

but no DNSKEY records in the zone itself (at ns{41,42}.domaincontrol.com).
See e.g. http://dnsviz.net/d/mazuma.co.th/dnssec/

>So I guess the SERVFAIL ones feed from Google? What I'm curious to know
>is: does Google's public DNS blacklist malicious websites? The website
>itself doesn't seem to be blocked on other things I checked.
>
>Anyway, hopefully someone can shed some light on why Google's DNS can't
>resolve mazuma.co.th but almost everything else can

Validating resolvers will detect mazuma.co.th as broken and give SERVFAIL.
Non-validating ones will not.

--
Chris Thompson
Email: cet1 at cam.ac.uk
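
The check behind the diagnosis in this message, as an added example (not part of the original post): given the DS set from the parent and the DNSKEY set from the child, it reports whether a validating resolver has a usable link in the chain of trust. It covers only digest type 2 (SHA-256), the type used in the DS record quoted above; the function names and the sample key are constructed for illustration.

```python
import base64, hashlib, struct

# DS record quoted in the message: (key tag, algorithm, digest type, digest)
PAGE_DS = (2371, 13, 2,
           "17E84A970ECAC1463F5DACD5F886115517D461E7350E526D85A1F376A06BB315")
# Constructed sample key material (64 bytes, the size of an algorithm 13 key)
SAMPLE_KEY_B64 = base64.b64encode(bytes(range(64))).decode()

def name_to_wire(name):
    """Canonical (lowercased) wire form of an owner name."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags, protocol, algorithm, then the raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag over DNSKEY RDATA (RFC 4034, Appendix B)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def ds_digest_sha256(owner, rdata):
    """Digest type 2: SHA-256 over owner name wire form + DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()

def delegation_status(owner, ds_set, dnskey_set):
    """ds_set: (tag, alg, digest_type, hex); dnskey_set: (flags, proto, alg, b64)."""
    if not ds_set:
        return "insecure"   # no DS in parent: treated as unsigned, answers flow
    for key in dnskey_set:
        rdata = dnskey_rdata(*key)
        for tag, alg, dtype, digest in ds_set:
            if (dtype == 2 and alg == key[2] and tag == key_tag(rdata)
                    and digest.upper() == ds_digest_sha256(owner, rdata)):
                return "chain-ok"   # DS matches a key; RRSIG checks still apply
    return "bogus"          # DS present but no matching DNSKEY: SERVFAIL

if __name__ == "__main__":
    # The situation in the message: DS in co.th, empty DNSKEY set in the child
    print(delegation_status("mazuma.co.th", [PAGE_DS], []))
```

Non-validating resolvers never perform this comparison, which is why they returned the A record while the validating ones returned SERVFAIL.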