[dns-operations] Google DNS + domain = not resolvable, other DNS + domain = resolvable

Zack Piper zack at apertron.com
Sat Jan 27 13:09:47 UTC 2018


Hi Stephane,



Stephane Bortzmeyer <bortzmeyer at nic.fr> writes:

> On Fri, Jan 26, 2018 at 05:12:10PM +0000,
>  Zack Piper <zack at apertron.com> wrote 
>  a message of 40 lines which said:
>
>> So I guess the SERVFAIL ones feed from Google? What I'm curious to
>> know is: does Google's public DNS blacklist malicious websites? The
>> website itself doesn't seem to be blocked on other things I checked.
>
> As mentioned in the excellent responses from Viktor and Chris, DNSviz
> is your friend. Always use it first. See for instance the test of
> apertron.com <http://dnsviz.net/d/apertron.com/WmxRQA/dnssec/>
>
> Zonemaster would have helped, too
> <https://zonemaster.net/test/ecdad5dd5d7b9101>
>
> With dig, the first test to do is to retry with +cd (Checking
> Disabled). If it works with +cd and servfails without, you can be sure
> it is a DNSSEC problem. Here, with my resolver (BIND, unrelated to
> Google):
>
> % dig A mazuma.co.th
>
> ; <<>> DiG 9.10.3-P4-Debian <<>> A mazuma.co.th
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 26378
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;mazuma.co.th.		IN A
>
> ;; Query time: 796 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Sat Jan 27 11:09:24 CET 2018
> ;; MSG SIZE  rcvd: 41
>
> % dig +cd A mazuma.co.th
>
> ; <<>> DiG 9.10.3-P4-Debian <<>> +cd A mazuma.co.th
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43489
> ;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 5
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;mazuma.co.th.		IN A
>
> ;; ANSWER SECTION:
> mazuma.co.th.		586 IN A 107.180.126.240
>
> ;; AUTHORITY SECTION:
> mazuma.co.th.		7187 IN	NS ns42.domaincontrol.com.
> mazuma.co.th.		7187 IN	NS ns41.domaincontrol.com.
>
> ;; ADDITIONAL SECTION:
> ns41.domaincontrol.com.	115099 IN A 216.69.185.21
> ns41.domaincontrol.com.	115099 IN AAAA 2607:f208:206::15
> ns42.domaincontrol.com.	115099 IN A 208.109.255.21
> ns42.domaincontrol.com.	115098 IN AAAA 2607:f208:302::15
>
> ;; Query time: 4 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Sat Jan 27 11:09:37 CET 2018
> ;; MSG SIZE  rcvd: 200

Thanks for the info, I'll use dnsviz in the future. Thanks for the `dig`
command to disable checking too.

>> Anyway, hopefully someone can shed some light on why Google's DNS can't
>> resolve mazuma.co.th but almost everything else can
>
> No, not "almost everything else", all the validating resolvers see the
> same. There are many more validating resolvers than Google. In some
> countries like Sweden or the Czech Republic, the majority of users are
> behind a validating resolver. In the US, Comcast, which is, I believe,
> the largest ISP, also validates. In France, Free (second or third ISP)
> does it as well.
>
> Here, with one hundred RIPE Atlas probes in the US:
>
> % atlas-resolve -r 100 -c US -t A mazuma.co.th 
> [107.180.126.240] : 49 occurrences 
> [ERROR: SERVFAIL] : 43 occurrences 
> [TIMEOUT(S)] : 5 occurrences 
> [ERROR: FORMERR] : 2 occurrences 
> Test #11036322 done at 2018-01-27T10:11:13Z
>
> I doubt that Google Public DNS is used for half of these probes...

Ah, I see.

Honestly, I used a sample from https://public-dns.info/ to test
the domain. I'll use the Atlas probes in the future.

Thanks,


-- 
Zack Piper             System administrator
           https://apertron.net            
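The +cd test Stephane describes above, scripted so it can be run against any resolver, as an added example that is not part of this thread. It assumes `dig` is installed; the status-line format it parses is the one shown in the quoted output.

```shell
#!/bin/sh
# Added example: apply the "+cd vs. no +cd" test from the thread to a name.
# A SERVFAIL without +cd that turns into an answer with +cd means the
# resolver rejected the zone's DNSSEC chain, not that the name is blocked.

# Pull the rcode out of dig's header line, e.g. "status: SERVFAIL, id: 26378".
# Prints nothing when dig produced no header (timeout, no servers reached).
dig_status() {
    printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Classify from two rcodes: $1 is the plain query, $2 the +cd query.
classify() {
    if [ -z "$1" ] || [ -z "$2" ]; then
        echo "NO-RESPONSE"
    elif [ "$1" = "SERVFAIL" ] && [ "$2" = "NOERROR" ]; then
        # Validation is the only thing +cd switches off, so this is DNSSEC.
        echo "DNSSEC-VALIDATION-FAILURE"
    elif [ "$1" = "SERVFAIL" ]; then
        # Still failing with validation off: look at the delegation, not DNSSEC.
        echo "SERVFAIL-WITH-CD-TOO"
    else
        echo "OK"
    fi
}

# Run both queries against one resolver and print the verdict.
# $1: name, $2: resolver address (e.g. 8.8.8.8 or 127.0.0.1).
check_name() {
    plain_out=$(dig @"$2" A "$1" 2>/dev/null)
    cd_out=$(dig @"$2" +cd A "$1" 2>/dev/null)
    classify "$(dig_status "$plain_out")" "$(dig_status "$cd_out")"
}

# Usage: ./cdcheck.sh mazuma.co.th 8.8.8.8
if [ "$#" -eq 2 ]; then
    check_name "$1" "$2"
fi
```

Running it against a validating resolver and a non-validating one side by side reproduces the "Google fails, others answer" symptom from the original question and labels it for what it is.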