DNS SERVFAIL at some nameservers [closed]

I made a tiny little nameserver of my own just for fun. Currently it serves *.iwanhae.ga sites, like http://blog.iwanhae.ga.

But the problem is that some nameservers cannot get the IP address of blog.iwanhae.ga.

For example, Google's DNS server (8.8.8.8) can get 175.193.162.44 (the IP of every iwanhae.ga name), but Verizon's DNS server (4.2.2.2) fails to get any IP address.

Here's my test using nslookup:

@server 8.8.8.8
Default server: 8.8.8.8
Address: 8.8.8.8#53
@blog.iwanhae.ga
Server: 8.8.8.8
Address: 8.8.8.8#53

Non-authoritative answer:
Name: blog.iwanhae.ga
Address: 175.193.162.44

@server 4.2.2.2
Default server: 4.2.2.2
Address: 4.2.2.2#53
@blog.iwanhae.ga
Server: 4.2.2.2
Address: 4.2.2.2#53

** server can't find blog.iwanhae.ga: SERVFAIL

And here's another test: https://www.whatsmydns.net/#A/blog.iwanhae.ga

I wonder why some nameservers fail to get the IP address while others succeed.

Any idea?

I think the problem is with my tiny little nameserver, but I don't know what is causing it.


Solution 1:

A SERVFAIL answer tells you there's an issue reaching the DNS server for your domain, or that it isn't set up properly. It looks like you're only replying to A queries from your DNS server, which might explain why some nameservers don't like your domain.

A trace outputs the following:

dig +trace iwanhae.ga

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>> +trace iwanhae.ga
;; global options: +cmd
.                       6862    IN      NS      e.root-servers.net.
.                       6862    IN      NS      h.root-servers.net.
.                       6862    IN      NS      b.root-servers.net.
.                       6862    IN      NS      a.root-servers.net.
.                       6862    IN      NS      m.root-servers.net.
.                       6862    IN      NS      f.root-servers.net.
.                       6862    IN      NS      l.root-servers.net.
.                       6862    IN      NS      d.root-servers.net.
.                       6862    IN      NS      j.root-servers.net.
.                       6862    IN      NS      k.root-servers.net.
.                       6862    IN      NS      c.root-servers.net.
.                       6862    IN      NS      i.root-servers.net.
.                       6862    IN      NS      g.root-servers.net.
;; Received 508 bytes from 10.2.39.219#53(10.2.39.219) in 290 ms

ga.                     172800  IN      NS      a.ns.ga.
ga.                     172800  IN      NS      b.ns.ga.
ga.                     172800  IN      NS      c.ns.ga.
ga.                     172800  IN      NS      d.ns.ga.
;; Received 271 bytes from 192.203.230.10#53(192.203.230.10) in 72 ms

iwanhae.ga.             300     IN      NS      doctor.iptime.org.
iwanhae.ga.             300     IN      NS      dns.iwanhae.ga.
;; Received 93 bytes from 185.21.171.49#53(185.21.171.49) in 3366 ms

iwanhae.ga.             3600    IN      A       175.193.162.44
;; Received 44 bytes from 175.193.162.44#53(175.193.162.44) in 319 ms

Asking your nameserver directly for SOA or NS records gives no results:

dig @175.193.162.44 iwanhae.ga. SOA

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>> @175.193.162.44 iwanhae.ga. SOA
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65076
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;iwanhae.ga.                    IN      SOA

;; Query time: 302 msec
;; SERVER: 175.193.162.44#53(175.193.162.44)
;; WHEN: Wed Sep 21 18:26:15 2016
;; MSG SIZE  rcvd: 28

dig @175.193.162.44 iwanhae.ga. NS

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>> @175.193.162.44 iwanhae.ga. NS
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37126
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;iwanhae.ga.                    IN      NS

;; Query time: 305 msec
;; SERVER: 175.193.162.44#53(175.193.162.44)
;; WHEN: Wed Sep 21 18:26:20 2016
;; MSG SIZE  rcvd: 28

Additionally, querying it for anything under *.iwanhae.ga always yields the same result, which means you've probably set up some rule-based DNS response instead of a proper zone:

dig @175.193.162.44 verylongnamewhichprobablydoesnotexist.iwanhae.ga.

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>> @175.193.162.44 verylongnamewhichprobablydoesnotexist.iwanhae.ga.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56861
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;verylongnamewhichprobablydoesnotexist.iwanhae.ga. IN A

;; ANSWER SECTION:
verylongnamewhichprobablydoesnotexist.iwanhae.ga. 3600 IN A 175.193.162.44

;; Query time: 301 msec
;; SERVER: 175.193.162.44#53(175.193.162.44)
;; WHEN: Wed Sep 21 18:27:50 2016
;; MSG SIZE  rcvd: 82

For your domain to function properly on the internet, you must reply to SOA and NS queries from your DNS server, otherwise some DNS resolvers won't like the way it's set up and fail the lookups.

Proper SOA and NS records would look something like:

iwanhae.ga. 300 IN SOA dns.iwanhae.ga. admin.iwanhae.ga. 2016092100 10800 3600 1209600 300

iwanhae.ga.     IN NS dns.iwanhae.ga.
iwanhae.ga.     IN NS doctor.iptime.org.

dns             IN A  175.193.162.44

Solution 2:

In my case, it was the DNSSEC key which was present on the domain registrar but with DNSSEC being disabled on Route 53.

If you don't have DNSSEC enabled, make sure that you actually delete the DNSSEC key, or else you will get random SERVFAILs when resolving DNS.

Solution 3:

The delegation for iwanhae.ga looks like the following:

iwanhae.ga.             300     IN      NS      doctor.iptime.org.
iwanhae.ga.             300     IN      NS      dns.iwanhae.ga.
dns.iwanhae.ga.         7200    IN      A       175.193.162.44

Looking up the name of the "other" nameserver (which doesn't need glue):

doctor.iptime.org.      60      IN      A       175.193.162.44

As is clear, the names of "both" nameservers resolve to the same IP address, so there is no redundancy in place.

At least for me, queries sent to 175.193.162.44 get no response at all:

$ dig @175.193.162.44 blog.iwanhae.ga. +norec

; <<>> DiG 9.10.4-P2-RedHat-9.10.4-1.P2.fc24 <<>> @175.193.162.44 blog.iwanhae.ga. +norec
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
$

Presumably your own issues are also caused by inability to get answers from your nameserver.
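
As an added example (not code from any of the answers), here is a small Python checker that applies the rules Solution 1 and Solution 3 lay out to a zone's records: exactly one SOA and at least one NS at the apex, an A (glue) record for every in-zone nameserver, and more than one distinct nameserver address. The zone text is the record set Solution 1 proposed; the address for doctor.iptime.org is what Solution 3 observed, passed in as a constructed stand-in for the lookup a resolver would do, so the check runs offline.

```python
from collections import defaultdict

def parse_zone(text, origin):
    """Parse lines of the form 'owner [TTL] [IN] TYPE rdata...' into tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split(";")[0].split()
        if not parts:
            continue                              # blank line or comment
        owner = parts[0] if parts[0].endswith(".") else f"{parts[0]}.{origin}"
        rest = parts[1:]
        if rest and rest[0].isdigit():            # optional TTL
            rest = rest[1:]
        if rest and rest[0].upper() == "IN":      # optional class
            rest = rest[1:]
        records.append((owner.lower(), rest[0].upper(), rest[1:]))
    return records

def check_zone(text, origin, external_ips=None):
    """Return the problems found (empty list means the zone passes).
    external_ips stands in for resolving out-of-zone NS names offline."""
    origin = origin.lower() if origin.endswith(".") else origin.lower() + "."
    rrs = defaultdict(list)
    for owner, rtype, rdata in parse_zone(text, origin):
        rrs[(owner, rtype)].append(rdata)
    problems = []
    if len(rrs[(origin, "SOA")]) != 1:
        problems.append(f"apex needs exactly one SOA, found {len(rrs[(origin, 'SOA')])}")
    ns_names = [r[0].lower() for r in rrs[(origin, "NS")]]
    if not ns_names:
        problems.append("apex has no NS records")
    ns_ips = set()
    for ns in ns_names:
        if ns.endswith("." + origin):             # in-zone name: needs glue
            glue = rrs[(ns, "A")]
            if not glue:
                problems.append(f"in-zone nameserver {ns} has no A (glue) record")
            ns_ips.update(a[0] for a in glue)
        else:                                     # out-of-zone: resolver looks it up
            ns_ips.update((external_ips or {}).get(ns, []))
    if ns_names and len(ns_ips) < 2:
        problems.append("all nameservers share one IP address; no redundancy")
    return problems

# Constructed input: Solution 1's proposed records and Solution 3's observed address.
SOLUTION1_ZONE = """iwanhae.ga. 300 IN SOA dns.iwanhae.ga. admin.iwanhae.ga. 2016092100 10800 3600 1209600 300
iwanhae.ga.     IN NS dns.iwanhae.ga.
iwanhae.ga.     IN NS doctor.iptime.org.
dns             IN A  175.193.162.44"""
OBSERVED_IPS = {"doctor.iptime.org.": ["175.193.162.44"]}
```

Run against Solution 1's records the SOA and NS checks pass, and the only remaining finding is the single shared address that Solution 3 points out; a zone holding only the A record, as the original server effectively served, fails both apex checks.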