We have a client we host a web for (blog.foobar.es). We do not manage foobar.es's DNS setup, we just told them to point blog.foobar.es to our web server's IP.

We have noticed that sometimes we cannot browse to blog.foobar.es, but we can browse to other sites on that server.

Troubleshooting a bit using host(1) yields something funny:

$ host blog.foobar.es
Using domain server:
Host blog.foobar.es not found: 3(NXDOMAIN)

, being one of Google's public DNS servers. However, sometimes the same server resolves the name correctly (!).

Another funny thing is that our ISP's DNS servers sometimes say:

$ host blog.foobar.es

Using domain server:

blog.foobar.es has address x.x.x.x
Host blog.foobar.es not found: 3(NXDOMAIN)

Which I don't really understand. I've dug around using dig(1), and have noticed they've set up a SOA record for foobar.es:

$ dig foobar.es

; <<>> DiG 9.7.0-P1 <<>> foobar.es
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59824
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;foobar.es.         IN   A

foobar.es.      86400   IN   SOA   dns1.provider.es. root.dns1.provider.es. 2011030301 86400 7200 2592000 172800

;; Query time: 78 msec
;; WHEN: Thu Mar  3 16:16:19 2011
;; MSG SIZE  rcvd: 78

... which I'm completely unfamiliar with.


We can't really do much as we do not control DNS, but we'd like to point our clients in the right direction...


1 Answer


The first entry in the SOA record should be one of the DNS servers hosting the zone (these are called the "authoritative servers", which are the devices actually serving the information; they may be their own systems or they may be an ISP or registrar); in this case, it's dns1.provider.es. - does this match what's provided in the WHOIS entry for the domain?

Another thing to check is dig foobar.es -t NS; this should point to the DNS servers that are hosting the zone as well. Perform the same lookups against those servers, and make sure they return the same information.

In other words, the Nameservers in the WHOIS entry should point to the exact same place as the "NS" records, and the first name in the SOA record should be pointing to one of those servers as well.

Issues with these pointers could cause the type of transitive resolution issues that you are seeing.

Edit: There are a number of online tools available that you can point at a domain name and will run some or all of these checks automatically, warning you about anything that's inconsistent.

Shane Madden
  • Well; I've tried http://dnscheck.iis.se/ and it points out a lot of issues, which I've forwarded to the appropriate party for consideration. I've run dig foobar.es -t NS, dig foobar.es -t NS x.x.x.x, where x.x.x.x are the NSs listed in the first query. They all return the same, except a "SOA authority section", which is not present in our ISP's DNS response, but is present on their nameservers. – alex Mar 03 '11 at 16:33
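
The consistency checks described in the answer above (WHOIS nameservers, NS records and SOA MNAME should all agree, on every authoritative server), as an added example that is not part of the original thread. It parses captured `dig +noall +answer` output; the second nameserver dns2.provider.es, the WHOIS list and the older serial are constructed sample values, and comparing SOA serials between servers goes one step beyond the answer's "return the same information".

```python
# Constructed sample of `dig +noall +answer foobar.es NS` / `... SOA` output as
# returned by each authoritative server; dns2.provider.es and its serial are invented.
DNS1 = """\
foobar.es. 86400 IN NS dns1.provider.es.
foobar.es. 86400 IN NS dns2.provider.es.
foobar.es. 86400 IN SOA dns1.provider.es. root.dns1.provider.es. 2011030301 86400 7200 2592000 172800
"""
SAMPLE = {"dns1.provider.es": DNS1,
          "dns2.provider.es": DNS1.replace("2011030301", "2011022801")}
WHOIS_NS = ["dns1.provider.es.", "dns2.provider.es."]  # constructed registrar list

def norm(name):
    return name.rstrip(".").lower()

def parse_answer(text):
    """Return (NS names, SOA MNAME, SOA serial) from dig answer lines."""
    ns, mname, serial = set(), None, None
    for line in text.splitlines():
        f = line.split()
        if line.startswith(";") or len(f) < 5:
            continue  # skip dig comment lines and anything too short to be a record
        if f[3] == "NS":
            ns.add(norm(f[4]))
        elif f[3] == "SOA" and len(f) >= 7:
            mname, serial = norm(f[4]), int(f[6])
    return ns, mname, serial

def check_delegation(whois_ns, answers):
    """List every inconsistency between WHOIS, NS records and SOA."""
    expected = {norm(n) for n in whois_ns}
    problems, serials = [], {}
    for server in sorted(answers):
        ns, mname, serial = parse_answer(answers[server])
        if ns != expected:
            problems.append(f"{server}: NS records {sorted(ns)} != WHOIS {sorted(expected)}")
        if mname is None:
            problems.append(f"{server}: no SOA record returned")
            continue
        if mname not in expected:
            problems.append(f"{server}: SOA MNAME {mname} is not a listed nameserver")
        serials[server] = serial
    if len(set(serials.values())) > 1:  # servers are serving different zone versions
        problems.append(f"SOA serial differs between servers: {serials}")
    return problems

if __name__ == "__main__":
    for problem in check_delegation(WHOIS_NS, SAMPLE):
        print(problem)
```

With the constructed sample, the only finding is the serial mismatch between the two servers, meaning they hold different versions of the zone.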