On 2016-04-20 Adam Thompson wrote:
> Without taking the time to examine these carefully, I'd guess that those domains are being served off less-than-stellar DNS servers, and
Theo found most were hosted at godaddy (I guess that's what "domaincontrol.com" is?)... does that make your above statement less (or more!?!) likely? :-)
> problem. Examine the chain of authoritative servers for each and I'll bet you find some commonalities. Also there are dozens of DNS "lint" tools that will help you track down other people's errors as well as your own. Best guess without testing: domain has 3-4 servers listed at gTLD, only 2-3 of those are authoritative for the domain, and
I'm digging into things looking at the available tools as you and Theo pointed to.
It's very bizarre, I just ran a quick test just now just manually typing dig <domain> one by one. On all but 1 of the domains I listed originally, dig immediately returned SERVFAIL on my first try! And when I up-arrowed 2s later and hit return to retry, each of those then succeeded (NOERROR).
The SERVFAIL ones return very quickly, all within 99-177ms. One outlier attempt that gave me SERVFAIL returned 1ms... I guess it had a negative result cached (probably a sendmail queued for it).
Before I delve too much into this I'd sure love if someone else who runs BIND as recursive resolver (or maybe even dnsmasq, as long as it does its own recursion) could just try my +short test a few times to see if they can reproduce. Just cut & paste, takes 2 secs.... I have been known to have, shall we say, "customized" configs on relevant things like BIND and iptables.
rndc flush
dig +short sportmanitoba.ca
dig +short gymcan.org
dig +short brandoneagles.ca
dig +short interactivegym.org
dig +short artscouncil.mb.ca
For kicks I added in 5 more domains that I never have problems with, like well known companies, certain user groups, and one that I control the DNS server of. I reran the test 11 times, about 10s apart. In 6/11 tries I got 1 SERVFAIL. The others had no errors. All 6 failures were for the above domains, never once the "known good" ones I just added. So that's encouraging. (The failures were on sportmanitoba.ca x2, artscouncil.mb.ca x3, brandoneagles.ca x1.)
So the theory of "badly behaved name servers beyond my control" looks like it might be correct.
Assume for a moment we are positive that is the case, should I be contacting someone on the other side about fixing this? I doubt the domain holders know/care about such technical things, but one would think the DNS hosting company might? (I certainly would want to know!)
Thanks!
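The repeated "11 tries, about 10s apart" test above is easy to automate so the SERVFAIL counts per domain come out as a table rather than from eyeballing. The script below is an added example, not code from this thread or from anyone posting in it. It assumes `dig` is on PATH and runs it without `+short`, because under `+short` a SERVFAIL answer prints nothing at all; the full output's `HEADER` line carries the status and the `Query time` line carries the latency. The optional `rndc flush` before each round assumes a local BIND with rndc configured; the domain list is the one from the thread.

```python
"""Repeat the dig test from the thread and tally SERVFAIL per domain.

Added example, not code from the original thread. Shells out to dig
(assumed on PATH) without +short; parses the HEADER status and query time.
"""
import re
import subprocess
import time
from collections import Counter

# Domains listed earlier in the thread; any list of names works here.
DOMAINS = [
    "sportmanitoba.ca",
    "gymcan.org",
    "brandoneagles.ca",
    "interactivegym.org",
    "artscouncil.mb.ca",
]

STATUS_RE = re.compile(r"status: ([A-Z]+)")
QTIME_RE = re.compile(r"Query time: (\d+) msec")

# Constructed sample of what dig prints on a SERVFAIL (trimmed to the
# lines this script reads); used only to document the expected format.
SAMPLE_SERVFAIL_OUTPUT = """; <<>> DiG 9.10.3 <<>> sportmanitoba.ca
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4711
;; Query time: 131 msec
"""


def parse_dig(output):
    """Return (status, query_ms) from full dig output; (None, None) if absent.

    A timeout or an unreachable resolver prints no HEADER line at all, so
    callers should treat None as its own failure class, not as SERVFAIL.
    """
    m_status = STATUS_RE.search(output)
    m_time = QTIME_RE.search(output)
    status = m_status.group(1) if m_status else None
    query_ms = int(m_time.group(1)) if m_time else None
    return status, query_ms


def dig(domain, resolver=None, timeout=5):
    """Run one dig query for an A record and return (status, query_ms)."""
    cmd = ["dig", "+time=%d" % timeout, "+tries=1", domain, "A"]
    if resolver:
        cmd.append("@" + resolver)  # e.g. "127.0.0.1" to pin the resolver
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return parse_dig(proc.stdout)


def flush_cache():
    """Best-effort 'rndc flush' (BIND only); silently skipped if rndc is absent."""
    try:
        subprocess.run(["rndc", "flush"], capture_output=True, check=False)
    except FileNotFoundError:
        pass


def tally(results):
    """Count statuses per domain from an iterable of (domain, status).

    Returns {domain: Counter({status: n, ...})}; a missing status (dig
    produced no header) is counted under the key "NOHEADER".
    """
    counts = {}
    for domain, status in results:
        counts.setdefault(domain, Counter())[status or "NOHEADER"] += 1
    return counts


def servfail_rate(counts):
    """Fraction of answers per domain that were SERVFAIL."""
    return {d: c["SERVFAIL"] / sum(c.values()) for d, c in counts.items()}


def run_trials(domains, tries=11, pause=10.0, resolver=None, flush=False):
    """Query every domain `tries` times, `pause` seconds apart, then tally.

    Mirrors the test in the thread: 11 rounds roughly 10 s apart. Only the
    first query per round is informative, since an immediate retry is
    answered from the resolver's cache.
    """
    results = []
    for n in range(tries):
        if flush:
            flush_cache()
        for d in domains:
            status, ms = dig(d, resolver)
            results.append((d, status))
            print("round %2d %-22s %-8s %s ms" % (n + 1, d, status, ms))
        if n + 1 < tries:
            time.sleep(pause)
    return tally(results)


if __name__ == "__main__":
    summary = run_trials(DOMAINS, flush=True)
    for domain, rate in sorted(servfail_rate(summary).items()):
        print("%-22s SERVFAIL rate %.0f%%" % (domain, 100 * rate))
```

Adding a couple of domains you know to be well served, as done above, gives the control group: if SERVFAIL only ever lands on the suspect names, the resolver itself is off the hook. Pass `resolver="127.0.0.1"` (or another address) to make sure every query goes through the BIND instance under test rather than whatever `/etc/resolv.conf` lists.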