Why can't I reach a specific host using a specific DNS?

Your domain is not configured correctly; see https://dnsviz.net/d/www2.agenciatributaria.gob.es/YVHoZA/dnssec/

You can ignore the DS warnings on es and gob.es as you won't be able to do anything about those and they won't block resolution.

However, do read the warning about the NS set mismatch, which means you are in a lame delegation situation. This has the direct effect that your results will depend on which nameserver you ask and can be wrong 50% of the time, or more.

Fix your DNS settings, by making sure your parents (gob.es) list the same servers as authoritative as you do:

$ dig gob.es NS +short
c.nic.es.
fnicdos.rediris.es.
n3ns.nic.es.
h.nic.es.
g.nic.es.
$ dig agenciatributaria.gob.es NS @c.nic.es +noall +auth
agenciatributaria.gob.es. 1d IN NS ns3chos01.telefonica-data.com.
agenciatributaria.gob.es. 1d IN NS nsjc8hos01.telefonica-data.com.
$ dig agenciatributaria.gob.es NS @nsjc8hos01.telefonica-data.com. +short
nsalchos01.telefonica-data.com.
nsjc8hos01.telefonica-data.com.

These 2 sets of NS records do not match and they MUST match for correct DNS resolutions.
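
As an added example (not part of the answer above), the parent/child comparison can be scripted. The function names `ns_names` and `delegation_diff` are hypothetical, and the sample input is the `dig` output quoted in the answer, embedded so the script runs offline:

```shell
#!/bin/sh
# Added example: check whether the NS set in the parent's delegation matches
# the NS set the child zone serves. Works on saved dig output, so it runs offline.

# Reduce dig output ("+short" names or full "+noall +auth" records) to one
# lowercase, dot-terminated NS target per line, sorted and de-duplicated.
ns_names() {
    awk '
        NF == 0 || $1 ~ /^;/ { next }        # blank lines and dig comments
        NF == 1 { name = $1 }                # +short output: the target alone
        NF > 1  { name = ""                  # full record: field after "NS"
                  for (i = 1; i < NF; i++)
                      if (toupper($i) == "NS") name = $(i + 1) }
        name != "" { name = tolower(name)
                     if (name !~ /\.$/) name = name "."
                     print name }
    ' | sort -u
}

# $1 = dig output from a parent server, $2 = dig output from a child server.
# Prints one line per disagreement; returns 0 if the sets match, 1 otherwise.
delegation_diff() {
    dd_out=$(
        {
            printf '%s\n' "$1" | ns_names | sed 's/^/P /'
            printf '%s\n' "$2" | ns_names | sed 's/^/C /'
        } | awk '
            $1 == "P" { p[$2] = 1 }
            $1 == "C" { c[$2] = 1 }
            END {
                for (n in p) if (!(n in c)) print "parent-only " n
                for (n in c) if (!(n in p)) print "child-only " n
            }' | sort
    )
    if [ -z "$dd_out" ]; then return 0; fi
    printf '%s\n' "$dd_out"
    return 1
}

# The two responses quoted in the answer above, copied as sample input.
PARENT_VIEW='agenciatributaria.gob.es. 1d IN NS ns3chos01.telefonica-data.com.
agenciatributaria.gob.es. 1d IN NS nsjc8hos01.telefonica-data.com.'
CHILD_VIEW='nsalchos01.telefonica-data.com.
nsjc8hos01.telefonica-data.com.'

delegation_diff "$PARENT_VIEW" "$CHILD_VIEW" || echo "NS sets differ"
```

For a live check, pass the function the output of the same `dig` commands shown in the answer instead of the embedded samples.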


Your local resolver is configured to forward DNS queries to 213.186.33.99, a DNS server that OVH provides to its customers. Querying this server directly reveals that it is reporting a failure.

$ host www2.agenciatributaria.gob.es 213.186.33.99
Using domain server:
Name: 213.186.33.99
Address: 213.186.33.99#53
Aliases: 

Host www2.agenciatributaria.gob.es not found: 2(SERVFAIL)

Edit your /etc/resolv.conf to provide another set of nameservers and then try again. Keep in mind that the domain you're looking up is still broken, as described by Patrick Mevzek's answer, and so this is just a workaround.