On Apr 20, 2016, at 4:58 PM, Trevor Cordes trevor@tecnopolis.ca wrote:
On 2016-04-20 Adam Thompson wrote:
Without taking the time to examine these carefully, I'd guess that those domains are being served off less-than-stellar DNS servers, and
Theo found most were hosted at godaddy (I guess that's what "domaincontrol.com" is?)... does that make your above statement less (or more!?!) likely? :-)
problem. Examine the chain of authoritative servers for each and I'll bet you find some commonalities. Also there are dozens of DNS "lint" tools that will help you track down other people's errors as well as your own. Best guess without testing: domain has 3-4 servers listed at gTLD, only 2-3 of those are authoritative for the domain, and
I'm digging into things looking at the available tools as you and Theo pointed to.
It's very bizarre, I just ran a quick test just now just manually typing dig <domain> one by one. On all but 1 of the domains I listed originally, dig immediately returned SERVFAIL on my first try! And when I up-arrowed 2s later and hit return to retry, each of those then succeeded (NOERROR).
The SERVFAIL ones return very quickly, all within 99-177ms. One outlier attempt that gave me SERVFAIL returned 1ms... I guess it had a negative result cached (probably a sendmail queued for it).
Before I delve too much into this I'd sure love if someone else who runs BIND as recursive resolver (or maybe even dnsmasq, as long as it does its own recursion) could just try my +short test a few times to see if they can reproduce. Just cut & paste, takes 2 secs.... I have been known to have, shall we say, "customized" configs on relevant things like BIND and iptables.
rndc flush
dig +short sportmanitoba.ca
dig +short gymcan.org
dig +short brandoneagles.ca
dig +short interactivegym.org
dig +short artscouncil.mb.ca
I just ran this from home on my caching bind resolver about 12 times and I had 1 dig +short gymcan.org fail out of all of the runs, and it came back almost immediately, not a 5s timeout. I am my own internet provider for myself (in terms of IP access) as of last Tuesday, so I know I'm not seeing Shaw or MTS middleware messing with my packets.
Theodore Baschak - AS395089 - Hextet Systems https://ciscodude.net/ - https://hextet.systems/ https://theodorebaschak.com/ - http://mbix.ca/
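
Added example, not part of any message in this thread: one way to run the "examine the chain of authoritative servers" check suggested above is to query each listed nameserver directly without recursion and classify its reply. The function names and the sample dig headers are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: classify one nameserver's reply from `dig +norecurse` output.
# A server named in the delegation should answer NOERROR with the "aa" flag set.

classify_dig() {
    # stdin: dig output. stdout: authoritative | lame | error:<RCODE> | no-reply
    awk '
        /->>HEADER<<-/ {
            for (i = 1; i < NF; i++)
                if ($i == "status:") { status = $(i + 1); sub(/,$/, "", status) }
        }
        /^;; flags:/ {
            flags = $0
            sub(/^;; flags:/, "", flags); sub(/;.*/, "", flags)
            aa = ((" " flags " ") ~ / aa /)
        }
        END {
            if (status == "")             print "no-reply"
            else if (status != "NOERROR") print "error:" status
            else if (aa)                  print "authoritative"
            else                          print "lame"
        }'
}

check_zone() {
    # Live use (needs network): query each NS directly, without recursion.
    # Assumption: the NS set comes from your resolver; to test the parent's
    # delegation itself, take the NS names from a TLD server's referral instead.
    zone=$1
    for ns in $(dig +short NS "$zone"); do
        printf '%s\t%s\n' "$ns" \
            "$(dig +norecurse +tries=1 +time=3 @"$ns" "$zone" SOA | classify_dig)"
    done
}

# Constructed dig headers for illustration, not captured from the thread's domains.
sample_ok=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
sample_lame=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1'
sample_fail=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4244
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

for s in "$sample_ok" "$sample_lame" "$sample_fail"; do
    printf '%s\n' "$s" | classify_dig
done
```

For live use, run check_zone with each domain and compare the result per nameserver across several runs.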