Google public DNS - getting SERVFAIL for any domains delegated to GoDaddy NSs
All, Could someone from Google public DNS and from GoDaddy contact me off-list? I'm getting SERVFAIL when trying to resolve any record in any domain whose NSs are pdns01.domaincontrol.com/pdns02.domaincontrol.com/pdns05.domaincontrol.com/pdns06.domaincontrol.com (GoDaddy premium DNS), only when using Google's 8.8.8.8 / 8.8.4.4 resolvers, from multiple locations/networks. Resolution is normal using various other public and non-public resolvers, as well as by querying the authoritative name servers directly. You can look at targetly.co as one example (should be just an A record to 184.168.221.38 but getting SERVFAIL when querying 8.8.8.8). Thanks -- Erik Levinson CTO, Uberflip 416-900-3830 1183 King Street West, Suite 100 Toronto ON M6K 3C5 www.uberflip.com
On Sun, Dec 07, 2014 at 12:01:40PM -0500, Erik Levinson <erik.levinson@uberflip.com> wrote a message of 25 lines which said:
I'm getting SERVFAIL when trying to resolve any record in any domain whose NSs are pdns01.domaincontrol.com/pdns02.domaincontrol.com/pdns05.domaincontrol.com/pdns06.domaincontrol.com (GoDaddy premium DNS), only when using Google's 8.8.8.8 / 8.8.4.4 resolvers, from multiple locations/networks.
Since Google Public DNS validates, and Go Daddy supports DNSSEC, it would be useful to test with dig +cd (Checking Disabled) to determine if it is a DNSSEC problem or not.
You can look at targetly.co as one example (should be just an A record to 184.168.221.38 but getting SERVFAIL when querying 8.8.8.8).
Works for me % dig @8.8.8.8 a targetly.co ; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> @8.8.8.8 a targetly.co ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4056 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 512 ;; QUESTION SECTION: ;targetly.co. IN A ;; ANSWER SECTION: targetly.co. 242 IN A 184.168.221.38 ;; Query time: 67 msec ;; SERVER: 8.8.8.8#53(8.8.8.8) ;; WHEN: Sun Dec 7 18:07:58 2014 ;; MSG SIZE rcvd: 56
Agree on blendive.com and blendedperspectives.com Not sure how to identify which chunk of google is failing, but here's a trace for a nonworking query on the above domains: 5. 209.85.241.127 6. google-public-dns-a.google.com (thru TorIX thus the short path). EC2 east is succesful (but I cant trace easily, client restrictions in place grumble). blendive.com name server pdns04.domaincontrol.com. blendive.com name server pdns03.domaincontrol.com. /kc On Sun, Dec 07, 2014 at 06:19:22PM +0100, Stephane Bortzmeyer said:
On Sun, Dec 07, 2014 at 12:01:40PM -0500, Erik Levinson <erik.levinson@uberflip.com> wrote a message of 25 lines which said:
I'm getting SERVFAIL when trying to resolve any record in any domain whose NSs are pdns01.domaincontrol.com/pdns02.domaincontrol.com/pdns05.domaincontrol.com/pdns06.domaincontrol.com (GoDaddy premium DNS), only when using Google's 8.8.8.8 / 8.8.4.4 resolvers, from multiple locations/networks.
Since Google Public DNS validates, and Go Daddy supports DNSSEC, it would be useful to test with dig +cd (Checking Disabled) to determine if it is a DNSSEC problem or not.
You can look at targetly.co as one example (should be just an A record to 184.168.221.38 but getting SERVFAIL when querying 8.8.8.8).
Works for me
% dig @8.8.8.8 a targetly.co
; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> @8.8.8.8 a targetly.co ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4056 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 512 ;; QUESTION SECTION: ;targetly.co. IN A
;; ANSWER SECTION: targetly.co. 242 IN A 184.168.221.38
;; Query time: 67 msec ;; SERVER: 8.8.8.8#53(8.8.8.8) ;; WHEN: Sun Dec 7 18:07:58 2014 ;; MSG SIZE rcvd: 56
-- Ken Chase - math@sizone.org - Toronto Canada
On 07/12/14 12:19 PM, Stephane Bortzmeyer wrote:
Since Google Public DNS validates, and Go Daddy supports DNSSEC, it would be useful to test with dig +cd (Checking Disabled) to determine if it is a DNSSEC problem or not.
Tried, still SERVFAIL. I succeeds with +trace though...
You can look at targetly.co as one example (should be just an A record to 184.168.221.38 but getting SERVFAIL when querying 8.8.8.8).
Works for me
Maybe a geo-specific issue then, which is even more weird, because it's still not working for me from two different ASs, though both in Toronto, and a traceroute makes it appear like they're not hitting the same nodes (but maybe they are). What's even more weird is I can actually resolve one domain, startupong.com, but still not targetly.co and others. -- Erik Levinson CTO, Uberflip 416-900-3830 1183 King Street West, Suite 100 Toronto ON M6K 3C5 www.uberflip.com
Maybe a geo-specific issue then, which is even more weird, because it's still not working for me from two different ASs, though both in Toronto, and a traceroute makes it appear like they're not hitting the same nodes (but maybe they are).
What's even more weird is I can actually resolve one domain, startupong.com, but still not targetly.co and others.
Last time we had weird DNS issues with GoDaddy, it was dependent on the querying IP address due to load-balancing issues on their side. Try issuing queries from even and odd IP addresses to see if that makes any difference. Rubens
it just started working properly I think. yes, tested from 6 even and odd ips on 3 different AS's (that all go through Torix though). /kc On Sun, Dec 07, 2014 at 03:51:16PM -0200, Rubens Kuhl said:
Maybe a geo-specific issue then, which is even more weird, because it's still not working for me from two different ASs, though both in Toronto, and a traceroute makes it appear like they're not hitting the same nodes (but maybe they are).
What's even more weird is I can actually resolve one domain, startupong.com, but still not targetly.co and others.
Last time we had weird DNS issues with GoDaddy, it was dependent on the querying IP address due to load-balancing issues on their side. Try issuing queries from even and odd IP addresses to see if that makes any difference.
Rubens
-- Ken Chase - math@sizone.org - Toronto Canada
Nope, it's just super intermittent now...it resolved once and cached it apparently, but still SERVFAIL most of the time if you try repeatedly... Try uberflip.net too. On 07/12/14 12:58 PM, Ken Chase wrote:
it just started working properly I think. yes, tested from 6 even and odd ips on 3 different AS's (that all go through Torix though).
/kc
On Sun, Dec 07, 2014 at 03:51:16PM -0200, Rubens Kuhl said:
Maybe a geo-specific issue then, which is even more weird, because it's still not working for me from two different ASs, though both in Toronto, and a traceroute makes it appear like they're not hitting the same nodes (but maybe they are).
What's even more weird is I can actually resolve one domain, startupong.com, but still not targetly.co and others.
Last time we had weird DNS issues with GoDaddy, it was dependent on the querying IP address due to load-balancing issues on their side. Try issuing queries from even and odd IP addresses to see if that makes any difference.
Rubens
-- Ken Chase - math@sizone.org - Toronto Canada
-- Erik Levinson CTO, Uberflip 416-900-3830 x2009 1183 King Street West, Suite 100 Toronto ON M6K 3C5 www.uberflip.com
it just started working properly I think. yes, tested from 6 even and odd ips on 3 different AS's (that all go through Torix though).
/kc
On Sun, Dec 07, 2014 at 03:51:16PM -0200, Rubens Kuhl said:
Maybe a geo-specific issue then, which is even more weird, because
it's
still not working for me from two different ASs, though both in Toronto, and a traceroute makes it appear like they're not hitting the same nodes (but maybe they are).
What's even more weird is I can actually resolve one domain, startupong.com, but still not targetly.co and others.
Last time we had weird DNS issues with GoDaddy, it was dependent on
Just failed for me, too. Traceroute suggests I'm testing against Google in Chicago. 10 27 ms 24 ms 24 ms ae5.cr1.ord2.us.above.net [64.125.30.89] 11 29 ms 49 ms 25 ms ae4.er1.ord7.us.above.net [64.125.28.50] 12 30 ms 25 ms 25 ms 72.14.217.53 13 34 ms 32 ms 26 ms 209.85.243.99 14 26 ms 25 ms 25 ms google-public-dns-a.google.com [8.8.8.8] C:\Users\Frank Bulk>dig @8.8.8.8 a targetly.co ; <<>> DiG 9.8.0-P1 <<>> @8.8.8.8 a targetly.co ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 47892 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;targetly.co. IN A ;; Query time: 2077 msec ;; SERVER: 8.8.8.8#53(8.8.8.8) ;; WHEN: Sun Dec 07 12:10:22 2014 ;; MSG SIZE rcvd: 29 C:\Users\Frank Bulk> -----Original Message----- From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Erik Levinson Sent: Sunday, December 07, 2014 12:07 PM To: Ken Chase; Rubens Kuhl Cc: Nanog Subject: Re: Google public DNS - getting SERVFAIL for any domains delegated to GoDaddy NSs Nope, it's just super intermittent now...it resolved once and cached it apparently, but still SERVFAIL most of the time if you try repeatedly... Try uberflip.net too. On 07/12/14 12:58 PM, Ken Chase wrote: the
querying IP address due to load-balancing issues on their side. Try issuing queries from even and odd IP addresses to see if that makes any difference.
Rubens
-- Ken Chase - math@sizone.org - Toronto Canada
-- Erik Levinson CTO, Uberflip 416-900-3830 x2009 1183 King Street West, Suite 100 Toronto ON M6K 3C5 www.uberflip.com
Heh...when it succeeds for me sometimes now, if I do it repeatedly, I can see two different TTL sets each time, so I know I'm hitting at least two nodes / sets of nodes... One of my traceroutes from 151 Front suggests the node is in the building, as the latency is well under 1ms. On 07/12/14 01:15 PM, Frank Bulk wrote:
Just failed for me, too. Traceroute suggests I'm testing against Google in Chicago.
10 27 ms 24 ms 24 ms ae5.cr1.ord2.us.above.net [64.125.30.89] 11 29 ms 49 ms 25 ms ae4.er1.ord7.us.above.net [64.125.28.50] 12 30 ms 25 ms 25 ms 72.14.217.53 13 34 ms 32 ms 26 ms 209.85.243.99 14 26 ms 25 ms 25 ms google-public-dns-a.google.com [8.8.8.8]
C:\Users\Frank Bulk>dig @8.8.8.8 a targetly.co
; <<>> DiG 9.8.0-P1 <<>> @8.8.8.8 a targetly.co ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 47892 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION: ;targetly.co. IN A
;; Query time: 2077 msec ;; SERVER: 8.8.8.8#53(8.8.8.8) ;; WHEN: Sun Dec 07 12:10:22 2014 ;; MSG SIZE rcvd: 29
C:\Users\Frank Bulk>
-----Original Message----- From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Erik Levinson Sent: Sunday, December 07, 2014 12:07 PM To: Ken Chase; Rubens Kuhl Cc: Nanog Subject: Re: Google public DNS - getting SERVFAIL for any domains delegated to GoDaddy NSs
Nope, it's just super intermittent now...it resolved once and cached it apparently, but still SERVFAIL most of the time if you try repeatedly...
Try uberflip.net too.
it just started working properly I think. yes, tested from 6 even and odd ips on 3 different AS's (that all go through Torix though).
/kc
On Sun, Dec 07, 2014 at 03:51:16PM -0200, Rubens Kuhl said: >> >> Maybe a geo-specific issue then, which is even more weird, because it's >> still not working for me from two different ASs, though both in Toronto, >> and a traceroute makes it appear like they're not hitting the same nodes >> (but maybe they are). >> >> What's even more weird is I can actually resolve one domain, >> startupong.com, but still not targetly.co and others. >> >> >Last time we had weird DNS issues with GoDaddy, it was dependent on
On 07/12/14 12:58 PM, Ken Chase wrote: the
>querying IP address due to load-balancing issues on their side. Try
issuing
>queries from even and odd IP addresses to see if that makes any
difference.
> > >Rubens
-- Ken Chase - math@sizone.org - Toronto Canada
-- Erik Levinson CTO, Uberflip 416-900-3830 1183 King Street West, Suite 100 Toronto ON M6K 3C5 www.uberflip.com
On Sun, Dec 7, 2014 at 12:01 PM, Erik Levinson <erik.levinson@uberflip.com> wrote:
All,
Could someone from Google public DNS and from GoDaddy contact me off-list?
I'm getting SERVFAIL when trying to resolve any record in any domain whose NSs are pdns01.domaincontrol.com/pdns02.domaincontrol.com/pdns05.domaincontrol.com/pdns06.domaincontrol.com (GoDaddy premium DNS), only when using Google's 8.8.8.8 / 8.8.4.4 resolvers, from multiple locations/networks.
Resolution is normal using various other public and non-public resolvers, as well as by querying the authoritative name servers directly.
You can look at targetly.co as one example (should be just an A record to 184.168.221.38 but getting SERVFAIL when querying 8.8.8.8).
FWIW, in the past GoDaddy has periodically blocked queries from Google Public DNS infrastructure. Heavily discussed and documented here: https://groups.google.com/forum/#!searchin/public-dns-discuss/godaddy -Jim P.
On Sun, Dec 07, 2014 at 02:24:33PM -0500, Jim Popovitch said:
FWIW, in the past GoDaddy has periodically blocked queries from Google Public DNS infrastructure. Heavily discussed and documented here: https://groups.google.com/forum/#!searchin/public-dns-discuss/godaddy
from that, if this is to be believed: "GoDaddy's two nameservers ns29.domaincontrol.com and ns30.domaincontrol.com have been blocking Google Public DNS. We contacted GoDaddy and they have lifted the blockage. The issue has resolved." then it's godaddy. Godaddy: comments? /kc -- Ken Chase - math@sizone.org - Toronto Canada
participants (6)
-
Erik Levinson -
Frank Bulk -
Jim Popovitch -
Ken Chase -
Rubens Kuhl -
Stephane Bortzmeyer