8

My network admins have created a DNS record for thedigitalteacher.com which should include an A record for the domain root pointing to 5.10.124.142, which is indeed the response I get if I use our internal name servers.

However, Google's name servers on 8.8.8.8 frequently (but not always) fail to resolve the name, leading to this kind of nonsense:

ahrcsdca01115:triangle-app bodeng$ nslookup
> server 8.8.8.8
Default server: 8.8.8.8
Address: 8.8.8.8#53
> thedigitalteacher.com
Server:     8.8.8.8
Address:    8.8.8.8#53

** server can't find thedigitalteacher.com: NXDOMAIN
> set querytype=any
> thedigitalteacher.com
Server:     8.8.8.8
Address:    8.8.8.8#53

Non-authoritative answer:
Name:   thedigitalteacher.com
Address: 5.10.124.142
thedigitalteacher.com   nameserver = ns0.dcdns.net.
thedigitalteacher.com   nameserver = ns1.dcdns.net.
thedigitalteacher.com   nameserver = ns2.dcdns.net.
thedigitalteacher.com   nameserver = ns3.dcdns.net.
thedigitalteacher.com
    origin = ns0.dcdns.net
    mail addr = domains.ucles.org.uk
    serial = 22
    refresh = 900
    retry = 600
    expire = 86400
    minimum = 3600
thedigitalteacher.com   mail exchanger = 10 66.96.140.160.

Authoritative answers can be found from:
> set querytype=a
> thedigitalteacher.com
Server:     8.8.8.8
Address:    8.8.8.8#53

Non-authoritative answer:
Name:   thedigitalteacher.com
Address: 5.10.124.142

How can I figure out what's wrong with this domain?

2 Answers

14

Use online diagnostics tools:

I have just run it for you: https://zonemaster.net/test/f9b464c2a567d89b and results are not good!

In short, your nameservers (ns0.dcdns.net and others) do not reply as being authoritative on your domain name. You will first need to contact the individual or company behind ns0.dcdns.net and ask them to configure their nameservers properly for your domain name. Or change the nameservers you are using for your domain.

Until that is done, do not expect to have anything working correctly in your domain name.

More precisely: ns0 and ns3 seem not to reply correctly at all for your domain, ns1 and ns2 do. Are you sure you need to use all four of them?

Also: ns0, ns1 and ns2 are resolving to the same IP, this is silly. And makes the above results strange. In fact when doing multiple times the same query, a given nameserver does not reply the same way (sometimes NXDOMAIN with useless upward referral, sometimes correct NS records). This is seriously broken! (I suspect they are behind some kind of load balancer and we hit different servers, or their anycast had gone wrong...)

PS: use dig instead of nslookup, it is a better tool.

Patrick Mevzek
  • DNSViz is up again. :) – Matt Nordhoff Jan 22 '18 at 22:04
  • @MattNordhoff still timeout-ing from my place :-(. Feel free to add a link to a test run for this domain, or I will do it later when I can access it. – Patrick Mevzek Jan 22 '18 at 22:16
  • HTTP works but HTTPS times out, I think. http://dnsviz.net/d/thedigitalteacher.com/dnssec/ – Matt Nordhoff Jan 22 '18 at 22:24
  • Our network admin said the zone was missing from 2 out of 3 backend servers. Gawd only knows what's going on with the odd nsX naming and same IP stuff, though. Test is now good though https://zonemaster.net/test/b71886abde12eb3c - many thanks for your help. – Gareth Boden Jan 23 '18 at 15:26
9

It would seem that you are using some nameserver internally that works reliably, while the nameservers used by everyone else are in a worse state.

The delegation looks like this:

;; AUTHORITY SECTION:
thedigitalteacher.com.  172800  IN      NS      ns0.dcdns.net.
thedigitalteacher.com.  172800  IN      NS      ns1.dcdns.net.
thedigitalteacher.com.  172800  IN      NS      ns2.dcdns.net.
thedigitalteacher.com.  172800  IN      NS      ns3.dcdns.net.

;; ADDITIONAL SECTION:
ns0.dcdns.net.          172800  IN      A       192.149.119.100
ns1.dcdns.net.          172800  IN      A       192.149.119.100
ns2.dcdns.net.          172800  IN      A       192.149.119.100
ns3.dcdns.net.          172800  IN      A       212.44.18.27

There are four NS records but, as you can see, these effectively boil down to only two addresses, 192.149.119.100 and 212.44.18.27.

212.44.18.27 seems to consistently answer with a referral to the root (indicating it simply doesn't know about thedigitalteacher.com), while 192.149.119.100 produces a mix of actual answers and referrals to the root.

As for what causes the 192.149.119.100 behavior, I can only speculate. Maybe 192.149.119.100 is backed by multiple server instances which are out of sync?

It looks to be a bit of a mess on the authoritative end.

Håkan Lindqvist
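The check both answers describe (ask each delegated name server address directly, without recursion, several times, and see whether it answers authoritatively), written as an added Python example that is not part of either answer. The names `build_query`, `classify`, `probe` and `sample_reply` are chosen here, and the replies in the demo are constructed headers, not captured traffic.

```python
import socket
import struct
from collections import Counter

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qtype=1, txid=1):
    """Encode a query with RD=0, the equivalent of `dig +norecurse`."""
    header = struct.pack("!6H", txid, 0x0000, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii")
                     for lab in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!2H", qtype, 1)  # class IN

def classify(reply):
    """Label a reply from its header: QR and AA bits, RCODE, section counts."""
    if len(reply) < 12 or not reply[2] & 0x80:  # too short, or QR bit clear
        return "malformed"
    _id, flags, _qd, an, ns, _ar = struct.unpack("!6H", reply[:12])
    rcode = RCODES.get(flags & 0xF, "RCODE%d" % (flags & 0xF))
    if flags & 0x0400:  # AA set: the server holds the zone
        return "authoritative " + rcode
    if an == 0 and ns > 0:  # no answer, only NS records pointing elsewhere
        return "lame referral " + rcode
    return "lame " + rcode

def probe(server, name, tries=10, timeout=2.0):
    """Send the same query `tries` times to one address and tally the labels."""
    tally = Counter()
    for i in range(1, tries + 1):
        query = build_query(name, txid=i)
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((server, 53))  # kernel drops replies from other sources
                s.send(query)
                reply = s.recv(4096)
                tally[classify(reply) if reply[:2] == query[:2] else "id mismatch"] += 1
            except OSError:  # includes timeouts
                tally["no reply"] += 1
    return tally

def sample_reply(flags, an, ns):
    """Constructed header-only reply, so the classifier can be run offline."""
    return struct.pack("!6H", 1, flags, 1, an, ns, 0)

if __name__ == "__main__":
    for flags, an, ns in ((0x8400, 1, 4), (0x8000, 0, 13), (0x8003, 0, 13)):
        print(classify(sample_reply(flags, an, ns)))
    # Live use: probe("192.149.119.100", "thedigitalteacher.com"), then 212.44.18.27
```

A healthy delegation shows only `authoritative` labels for every address in the NS set; a mix of labels from a single address is the out-of-sync backend pattern suspected above.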