[dns-operations] Google DNS + domain = not resolvable, other DNS + domain = resolvable

Stephane Bortzmeyer bortzmeyer at nic.fr
Sat Jan 27 10:18:35 UTC 2018


On Fri, Jan 26, 2018 at 05:12:10PM +0000,
 Zack Piper <zack at apertron.com> wrote 
 a message of 40 lines which said:

> So I guess the SERVFAIL ones feed from Google? What I'm curious to
> know is: does Google's public DNS blacklist malicious websites? The
> website itself doesn't seem to be blocked on other things I checked.

As mentioned in the excellent responses from Viktor and Chris, DNSviz
is your friend. Always use it first. See for instance the test of
apertron.com <http://dnsviz.net/d/apertron.com/WmxRQA/dnssec/>

Zonemaster would have helped, too
<https://zonemaster.net/test/ecdad5dd5d7b9101>

With dig, the first test to do is to retry with +cd (Checking
Disabled). If it works with +cd and servfails without, you can be sure
it is a DNSSEC problem. Here, with my resolver (BIND, unrelated to
Google):

% dig A mazuma.co.th

; <<>> DiG 9.10.3-P4-Debian <<>> A mazuma.co.th
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 26378
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;mazuma.co.th.		IN A

;; Query time: 796 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Jan 27 11:09:24 CET 2018
;; MSG SIZE  rcvd: 41

% dig +cd A mazuma.co.th

; <<>> DiG 9.10.3-P4-Debian <<>> +cd A mazuma.co.th
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43489
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 5

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;mazuma.co.th.		IN A

;; ANSWER SECTION:
mazuma.co.th.		586 IN A 107.180.126.240

;; AUTHORITY SECTION:
mazuma.co.th.		7187 IN	NS ns42.domaincontrol.com.
mazuma.co.th.		7187 IN	NS ns41.domaincontrol.com.

;; ADDITIONAL SECTION:
ns41.domaincontrol.com.	115099 IN A 216.69.185.21
ns41.domaincontrol.com.	115099 IN AAAA 2607:f208:206::15
ns42.domaincontrol.com.	115099 IN A 208.109.255.21
ns42.domaincontrol.com.	115098 IN AAAA 2607:f208:302::15

;; Query time: 4 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Jan 27 11:09:37 CET 2018
;; MSG SIZE  rcvd: 200

> Anyway, hopefully someone can shed some light on why Google's DNS can't
> resolve mazuma.co.th but almost everything else can

No, not "almost everything else", all the validating resolvers see the
same. There are many more validating resolvers than Google. In some
countries like Sweden or the Czech Republic, the majority of users are
behind a validating resolver. In the US, Comcast, which is, I believe,
the largest ISP, also validates. In France, Free (second or third ISP)
does it as well.

Here, with one hundred RIPE Atlas probes in the US:

% atlas-resolve -r 100 -c US -t A mazuma.co.th 
[107.180.126.240] : 49 occurrences 
[ERROR: SERVFAIL] : 43 occurrences 
[TIMEOUT(S)] : 5 occurrences 
[ERROR: FORMERR] : 2 occurrences 
Test #11036322 done at 2018-01-27T10:11:13Z

I doubt that Google Public DNS is used for half of these probes...
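The +cd test described above, done at the wire level, as an added example that is not part of the original post or of any of the tools it mentions. It builds a DNS query with RD set, an EDNS0 OPT record carrying the DO bit (so the resolver answers as a validator, like dig's "flags: do" above), and optionally the CD (Checking Disabled) bit; parses the response header; and applies the rule from the post: SERVFAIL without CD plus NOERROR with CD means a DNSSEC validation failure at the resolver, not a blacklist. The two sample responses are constructed here from the header fields of the two dig outputs above (ids 26378 and 43489), so the classification runs offline; the resolver address for a live check is a command-line argument, and 127.0.0.1 is only an assumed default.

```python
"""Diagnose SERVFAIL vs. NOERROR-with-CD at the DNS wire level (added example)."""
import secrets
import socket
import struct
import sys

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

# Header flag bits (RFC 1035 / RFC 4035).
QR, RD, RA, AD, CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010
DO = 0x00008000  # DNSSEC OK, high bit of the OPT RR's TTL field (RFC 6891)


def build_query(name, qtype=1, cd=False, txid=None):
    """Return a raw DNS query: RD always set, CD optional, EDNS0 with DO set."""
    txid = secrets.randbelow(65536) if txid is None else txid
    flags = RD | (CD if cd else 0)
    # qdcount=1, ancount=0, nscount=0, arcount=1 (the OPT record)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root name, type 41, "class" = UDP payload size, TTL = ext-rcode/version/flags
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, DO, 0)
    return header + question + opt


def parse_header(resp):
    """Return (txid, rcode name, flag dict, ancount) from a raw DNS response."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    rcode = flags & 0x000F
    names = {"qr": QR, "rd": RD, "ra": RA, "ad": AD, "cd": CD}
    return txid, RCODES.get(rcode, f"RCODE{rcode}"), {k: bool(flags & v) for k, v in names.items()}, an


def diagnose(rcode_plain, rcode_cd):
    """The rule from the post: works with +cd, SERVFAIL without -> DNSSEC problem."""
    if rcode_plain == "SERVFAIL" and rcode_cd == "NOERROR":
        return "DNSSEC validation failure: the resolver validates and the zone's chain is broken"
    if rcode_plain == rcode_cd:
        return f"same result with and without CD ({rcode_plain}): not a validation problem"
    return f"inconclusive: {rcode_plain} without CD, {rcode_cd} with CD"


def query_rcode(resolver, name, cd, timeout=3.0):
    """Send one UDP query and return the rcode name (network; not used by the offline check)."""
    q = build_query(name, cd=cd)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (resolver, 53))
        resp, _ = s.recvfrom(4096)
    txid, rcode, _flags, _an = parse_header(resp)
    if txid != struct.unpack("!H", q[:2])[0]:
        raise ValueError("transaction id mismatch; ignoring stray or spoofed reply")
    return rcode


# Constructed sample responses (headers only), modelled on the dig output in the post:
# id 26378, flags qr rd ra, SERVFAIL, ANSWER 0 / id 43489, flags qr rd ra cd, NOERROR, ANSWER 1
SAMPLE_SERVFAIL = struct.pack("!HHHHHH", 26378, QR | RD | RA | 2, 1, 0, 0, 1)
SAMPLE_NOERROR_CD = struct.pack("!HHHHHH", 43489, QR | RD | RA | CD | 0, 1, 1, 2, 5)


def offline_check():
    """Classify the two constructed sample responses."""
    _, plain, _, _ = parse_header(SAMPLE_SERVFAIL)
    _, with_cd, _, _ = parse_header(SAMPLE_NOERROR_CD)
    return diagnose(plain, with_cd)


if __name__ == "__main__":
    # Usage: python cdcheck.py <name> [resolver]; resolver defaults to 127.0.0.1 (assumed).
    name = sys.argv[1] if len(sys.argv) > 1 else "mazuma.co.th"
    resolver = sys.argv[2] if len(sys.argv) > 2 else "127.0.0.1"
    print("offline sample:", offline_check())
    print("live:", diagnose(query_rcode(resolver, name, cd=False),
                            query_rcode(resolver, name, cd=True)))
```

Run it against one of the resolvers that answered SERVFAIL and against a non-validating one to see the two branches of diagnose(); the 41-byte query it emits has the same size as the SERVFAIL reply shown above, since that reply carries only the question and the OPT record.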



More information about the dns-operations mailing list