DNS SERVFAIL at some nameservers [closed]
I made a tiny little nameserver of my own, just for fun. Currently it serves *.iwanhae.ga sites, like http://blog.iwanhae.ga
But the problem is that some nameservers cannot get the IP address of blog.iwanhae.ga.
For example, the Google DNS server (8.8.8.8) can get 175.193.162.44 (the IP of every iwanhae.ga), but the Verizon DNS server (4.2.2.2) failed to get any IP address.
Here's my test using nslookup:
@server 8.8.8.8
Default server: 8.8.8.8
Address: 8.8.8.8#53
@blog.iwanhae.ga
Server: 8.8.8.8
Address: 8.8.8.8#53
Non-authoritative answer:
Name: blog.iwanhae.ga
Address: 175.193.162.44
@server 4.2.2.2
Default server: 4.2.2.2
Address: 4.2.2.2#53
@blog.iwanhae.ga
Server: 4.2.2.2
Address: 4.2.2.2#53
** server can't find blog.iwanhae.ga: SERVFAIL
And here's another test: https://www.whatsmydns.net/#A/blog.iwanhae.ga
I wonder why some nameservers fail to get the IP address while others succeed.
Any idea?
I think it's a problem with my tiny little nameserver, but I don't know what caused the problem.
Solution 1:
A SERVFAIL answer tells you there's an issue reaching the DNS server for your domain, or that it isn't set up properly.
It looks like you're only replying to A queries from your DNS server, which might explain why some nameservers don't like your domain.
A trace outputs the following:
dig +trace iwanhae.ga
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>> +trace iwanhae.ga
;; global options: +cmd
. 6862 IN NS e.root-servers.net.
. 6862 IN NS h.root-servers.net.
. 6862 IN NS b.root-servers.net.
. 6862 IN NS a.root-servers.net.
. 6862 IN NS m.root-servers.net.
. 6862 IN NS f.root-servers.net.
. 6862 IN NS l.root-servers.net.
. 6862 IN NS d.root-servers.net.
. 6862 IN NS j.root-servers.net.
. 6862 IN NS k.root-servers.net.
. 6862 IN NS c.root-servers.net.
. 6862 IN NS i.root-servers.net.
. 6862 IN NS g.root-servers.net.
;; Received 508 bytes from 10.2.39.219#53(10.2.39.219) in 290 ms
ga. 172800 IN NS a.ns.ga.
ga. 172800 IN NS b.ns.ga.
ga. 172800 IN NS c.ns.ga.
ga. 172800 IN NS d.ns.ga.
;; Received 271 bytes from 192.203.230.10#53(192.203.230.10) in 72 ms
iwanhae.ga. 300 IN NS doctor.iptime.org.
iwanhae.ga. 300 IN NS dns.iwanhae.ga.
;; Received 93 bytes from 185.21.171.49#53(185.21.171.49) in 3366 ms
iwanhae.ga. 3600 IN A 175.193.162.44
;; Received 44 bytes from 175.193.162.44#53(175.193.162.44) in 319 ms
Asking your nameserver directly for SOA or NS records gives no results:
dig @175.193.162.44 iwanhae.ga. SOA
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>> @175.193.162.44 iwanhae.ga. SOA
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65076
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;iwanhae.ga. IN SOA
;; Query time: 302 msec
;; SERVER: 175.193.162.44#53(175.193.162.44)
;; WHEN: Wed Sep 21 18:26:15 2016
;; MSG SIZE rcvd: 28
dig @175.193.162.44 iwanhae.ga. NS
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>> @175.193.162.44 iwanhae.ga. NS
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37126
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;iwanhae.ga. IN NS
;; Query time: 305 msec
;; SERVER: 175.193.162.44#53(175.193.162.44)
;; WHEN: Wed Sep 21 18:26:20 2016
;; MSG SIZE rcvd: 28
Additionally, querying it for anything under *.iwanhae.ga always yields the same result, which means you've probably set up some rule-based DNS response instead of a proper zone:
dig @175.193.162.44 verylongnamewhichprobablydoesnotexist.iwanhae.ga.
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>> @175.193.162.44 verylongnamewhichprobablydoesnotexist.iwanhae.ga.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56861
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;verylongnamewhichprobablydoesnotexist.iwanhae.ga. IN A
;; ANSWER SECTION:
verylongnamewhichprobablydoesnotexist.iwanhae.ga. 3600 IN A 175.193.162.44
;; Query time: 301 msec
;; SERVER: 175.193.162.44#53(175.193.162.44)
;; WHEN: Wed Sep 21 18:27:50 2016
;; MSG SIZE rcvd: 82
For your domain to function properly on the internet, you must reply to SOA and NS queries from your DNS server, otherwise some DNS resolvers won't like the way it's set up and fail the lookups.
Proper SOA and NS records would look something like:
iwanhae.ga. 300 IN SOA dns.iwanhae.ga. admin.iwanhae.ga. 2016092100 10800 3600 1209600 300
iwanhae.ga. IN NS dns.iwanhae.ga.
iwanhae.ga. IN NS doctor.iptime.org.
dns IN A 175.193.162.44
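The check this answer performs by hand with dig, as an added Python example (not code from the original answer): it parses a raw DNS reply and reports when an apex SOA or NS query comes back as an empty NOERROR. The function names and both sample replies are constructed here; the first sample reproduces the 28-byte SOA reply shown above.

```python
import struct

QTYPE = {"NS": 2, "SOA": 6}

def encode_name(name):
    """Encode a domain name as uncompressed DNS labels."""
    parts = name.rstrip(".").split(".")
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in parts) + b"\x00"

def skip_name(msg, off):
    """Return the offset just past the (possibly compressed) name at off."""
    while msg[off] & 0xC0 != 0xC0:      # plain label; a pointer ends the name
        n = msg[off]
        off += 1 + n
        if n == 0:                      # root label ends the name
            return off
    return off + 2

def audit_apex_reply(msg, qtype):
    """List problems in a reply to an SOA/NS query for the zone apex."""
    _id, flags, qd, an, ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode, findings, types, off = flags & 0x0F, [], [], 12
    if not flags & 0x0400:
        findings.append("AA bit clear: server is not authoritative for the zone")
    if rcode != 0:
        findings.append(f"RCODE {rcode} instead of NOERROR")
    for _ in range(qd):                 # step over the echoed question section
        off = skip_name(msg, off) + 4
    for _ in range(an):                 # collect the TYPE of each answer record
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        types.append(rtype)
        off += 10 + rdlen
    if rcode == 0 and QTYPE[qtype] not in types:
        findings.append(f"no {qtype} record returned for the zone apex")
        if ns == 0:
            findings.append("empty authority section: no SOA for negative caching")
    return findings

def reply(name, qtype, answers=b"", ancount=0):
    """Constructed reply: flags qr aa rd, one question, optional answer records."""
    head = struct.pack("!HHHHHH", 65076, 0x8500, 1, ancount, 0, 0)
    return head + encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1) + answers

# Constructed samples: the 28-byte empty SOA reply from the dig output, and an NS
# reply with one NS record whose owner name is a pointer to the question (0xC00C).
BROKEN_SOA = reply("iwanhae.ga", "SOA")
_ns = encode_name("dns.iwanhae.ga")
GOOD_NS = reply("iwanhae.ga", "NS", b"\xc0\x0c" + struct.pack("!HHIH", 2, 1, 300, len(_ns)) + _ns, 1)
print(audit_apex_reply(BROKEN_SOA, "SOA"), audit_apex_reply(GOOD_NS, "NS"))
```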
Solution 2:
In my case, it was the DNSSEC key which was present on the domain registrar but with DNSSEC being disabled on Route 53.
If you don't have DNSSEC enabled, make sure that you actually delete the DNSSEC key, or else you will get random SERVFAIL when resolving DNS.
Solution 3:
The delegation for iwanhae.ga looks like the following:
iwanhae.ga. 300 IN NS doctor.iptime.org.
iwanhae.ga. 300 IN NS dns.iwanhae.ga.
dns.iwanhae.ga. 7200 IN A 175.193.162.44
Looking up the name of the "other" nameserver (which doesn't need glue):
doctor.iptime.org. 60 IN A 175.193.162.44
As is clear, the names of "both" nameservers resolve to the same IP address, so there is no redundancy in place.
At least for me, queries sent to 175.193.162.44 get no response at all:
$ dig @175.193.162.44 blog.iwanhae.ga. +norec
; <<>> DiG 9.10.4-P2-RedHat-9.10.4-1.P2.fc24 <<>> @175.193.162.44 blog.iwanhae.ga. +norec
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
$
Presumably your own issues are also caused by inability to get answers from your nameserver.