When using "dig host.name.here.com A" I get SERVFAIL and no answer. But when I do a "dig host.name.here.com ANY" I get NOERROR and it returns an A record.

Any idea as to what may be wrong with the domain in question?

Below is a sanitized example. Same thing happens when I use other @dns_servers:

```
user@server1:~$ dig host.name.here.com A

; <<>> DiG 9.7.3 <<>> host.name.here.com A
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 19887
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;host.name.here.com.         IN      A

;; Query time: 3719 msec
;; SERVER: 172.16.1.5#53(172.16.1.5)
;; WHEN: Fri Feb 15 01:17:10 2013
;; MSG SIZE  rcvd: 39

user@server1:~$ dig host.name.here.com ANY

; <<>> DiG 9.7.3 <<>> host.name.here.com ANY
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24213
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;host.name.here.com.         IN      ANY

;; ANSWER SECTION:
host.name.here.com.  20      IN      A       1.2.3.4

;; Query time: 88 msec
;; SERVER: 172.16.1.5#53(172.16.1.5)
;; WHEN: Fri Feb 15 01:21:45 2013
;; MSG SIZE  rcvd: 55
```
MadHatter
sij99
  • `SERVFAIL` means that the server returned an error. Check the logs on the DNS servers involved. – mgorven Feb 15 '13 at 06:22
  • Right, so what if I don't have access to the logs on the DNS server that I query? For example, if I were to try 4.2.2.2 or 4.2.2.3 and it has the same result. – sij99 Feb 15 '13 at 06:25
  • Do you control any of the DNS servers involved? (i.e. Including those serving the zone you're querying.) – mgorven Feb 15 '13 at 06:26
  • No, the zone I am querying belongs to another company. I am trying to figure out what may be wrong to build a case and ask them to check on this host. For what it's worth, when I query @ns1.company.com it returns the proper A record every time. – sij99 Feb 15 '13 at 06:29
  • Basically... trying to find out in what situations would one get a servfail when explicitly asking for an A record, yet when querying the same server again and asking for ANY record, one gets an A record returned. – sij99 Feb 15 '13 at 06:36
  • These questions are much easier to answer when you say what hostname you're doing these lookups on, because it means others can replicate your results. – MadHatter Feb 15 '13 at 09:39
  • Do you have any particular *reason* to obscure the domain name? If you must obscure it, please use `example.net` or a related domain. – TRiG Jun 11 '14 at 02:36

1 Answer

The SERVFAIL taking 3.7s is interesting; it's well below any normal timeout value. dig without @ will use your local resolver configuration. You need to eliminate that as a cause.

Directly check all the company's resolvers in turn; this should work generally (though not in some cases):

```
# Query each server named in the zone's NS records directly
for ns in $(dig +short company.com ns); do
    dig "@$ns" host.company.com any
done
```

Then check all your own resolvers in turn:

```
# Query each resolver configured in resolv.conf (active nameserver lines only)
for ns in $(awk '/^nameserver/{print $2}' /etc/resolv.conf); do
    dig "@$ns" host.company.com any
done
```

Normally the observed problem is the other way around: problems receiving "ANY" because the reply is too large, or a firewall/IPS is dropping "ANY" queries.

mr.spuratic
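
To compare many servers at a glance, the dig transcripts can be reduced to one line per response and checked for the A/ANY discrepancy described in the question. This is an added example, not code from the answer above or from dig; the function names `dig_summary`, `type_mismatch` and `sample` are chosen here, and the sample input is the question's own transcript, trimmed.

```shell
#!/bin/sh
# Added example. One line per dig response: server qtype status answers ms
dig_summary() {
    awk '
        /->>HEADER<<-/ { status = $0
                         sub(/.*status: /, "", status); sub(/,.*/, "", status) }
        /^;; flags:/   { answers = $0
                         sub(/.*ANSWER: /, "", answers); sub(/,.*/, "", answers) }
        # The question line has a single leading semicolon: ";name. IN A"
        /^;[^; ]/ && $2 == "IN" { qtype = $3 }
        /^;; Query time:/       { ms = $4 }
        /^;; SERVER:/  { server = $3; sub(/#.*/, "", server)
                         print server, qtype, status, answers, ms }
    '
}

# Flag servers that return SERVFAIL for A yet NOERROR with data for ANY.
type_mismatch() {
    awk '
        $2 == "A"   { a[$1] = $3 }
        $2 == "ANY" { any[$1] = $3; n[$1] = $4 }
        END { for (s in a)
                  if (a[s] == "SERVFAIL" && any[s] == "NOERROR" && n[s] + 0 > 0)
                      print s ": A=SERVFAIL but ANY=NOERROR (" n[s] " answer(s))" }
    '
}

# Sample input: the two responses from the question, trimmed.
sample() {
    cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 19887
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;host.name.here.com.         IN      A
;; Query time: 3719 msec
;; SERVER: 172.16.1.5#53(172.16.1.5)
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24213
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;host.name.here.com.         IN      ANY
host.name.here.com.  20      IN      A       1.2.3.4
;; Query time: 88 msec
;; SERVER: 172.16.1.5#53(172.16.1.5)
EOF
}

sample | dig_summary | type_mismatch
```

With live data, run both an A and an ANY query inside either loop from the answer and pipe the combined output through `dig_summary`; the query-time column makes a fast SERVFAIL, like the 3.7s one noted above, easy to tell apart from a timeout.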