-1

I got a new server and I added dns1.checkersinc.net and dns2.checkersinc.net to 69.64.33.255 and 69.64.35.255, and when I test the dns1.checkersinc.net and dns2.checkersinc.net domains on dnswatch.info I get a successful result. But the thing is, when I point a new account domain (such as tamamsouq.com) to the server with these name servers, it does not open and gives a DNS ERROR!

When I used intoDNS.com for NSLOOKUP, I got the following errors:

Error   Mismatched NS records   WARNING: One or more of your nameservers did not return any of your NS records.
Error   DNS servers responded   ERROR: One or more of your nameservers did not respond:
The ones that did not respond are:
69.64.33.255 69.64.35.255

Error   Multiple Nameservers    ERROR: Looks like you have less than 2 nameservers. According to RFC2182 section 5 you must have at least 3 nameservers, and no more than 7. Having 2 nameservers is also ok by me.

Error   Missing nameservers reported by your nameservers    You should already know that your NS records at your nameservers are missing, so here it is again:

dns2.checkersinc.net.
dns1.checkersinc.net.


Error   SOA record  No valid SOA record came back!
MX  Error   MX Records  Oh well, I did not detect any MX records so you probably don't have any and if you know you should have then they may be missing at your nameservers!
WWW Error   WWW A Record    ERROR: I could not get any A records for www.tamamsouq.com!

And when I run a dig command I get this result:

server:~# dig @dns1.checkersinc.net tamamsouq.com

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> @dns1.checkersinc.net tamamsouq.com
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
server:~# dig @dns2.checkersinc.net tamamsouq.com

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> @dns2.checkersinc.net tamamsouq.com
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

server:~# dig @dns1.checkersinc.net tamamsouq.com +answer +nocmd

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> @dns1.checkersinc.net tamamsouq.com +answer +nocmd
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
server:~# dig @dns2.checkersinc.net tamamsouq.com +answer +nocmd

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> @dns2.checkersinc.net tamamsouq.com +answer +nocmd
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

Note that I have CentOS 7 as the operating system with WHM/cPanel. Please help asap, I'm in a big problem now. Thanks in advance.

Hatem
  • Re: "Please help asap, I'm in a big problem now" please have a look at https://meta.stackoverflow.com/questions/326569/under-what-circumstances-may-i-add-urgent-or-other-similar-phrases-to-my-quest – Patrick Mevzek Sep 23 '19 at 22:06

2 Answers

1

Took a few minutes to work this out - the problem is a typo. The nameservers are ns1.checkerinc.net and ns2.checkersinc.net - however you put dns1.checkersinc.net and dns2.checkersinc.net. While the latter domains exist, they do not appear to be authoritative servers.

The solution is to log into your registrar and update the DNS records to remove the "d" from each of the nameservers.

davidgo
  • Thank you for the response, friend, but the problem is not a typo. I have another server for ns1 & ns2, and this server is connected to dns1 & dns2 – Hatem Sep 23 '19 at 10:56
  • All I can say is that ns1 and ns2 respond correctly while dns1 and dns2 don't. Is "checketsinc.net" yours and are you running your own name servers? – davidgo Sep 23 '19 at 19:32
  • Ok, the thing is I have a reseller connected to checkersinc.net with ns1 and ns2, and I have another new dedicated server connected to server.checkersinc.net with dns1 and dns2. And the answer to your question is YES. – Hatem Sep 23 '19 at 21:39
1

Your domain tamamsouq.com has a DNSSEC-related problem, which you can see if you go to http://dnsviz.net/d/tamamsouq.com/dnssec/. This is the first problem to address.

In summary, you put a DS record at the parent zone but your nameservers do not publish any related DNSKEY record.

This will make your domain fail for any recursive nameserver checking DNSSEC.

If you have no idea about all the previous:

  • go to your registrar, which is "PDR Ltd. d/b/a PublicDomainRegistry.com" based on whois
  • find there where to go to remove the DS records
  • wait a little
  • your domain will now work again for any recursive nameservers.

Easy way to check/reproduce:

1) Using a recursive nameserver that checks DNSSEC:

$ dig @9.9.9.9 tamamsouq.com NS

; <<>> DiG 9.12.0 <<>> @9.9.9.9 tamamsouq.com NS
; (1 server found)
;; global options: +cmd
;; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65308
;; flags: rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

...

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 65308

Note the SERVFAIL

2) Doing the same query but explicitly skipping the DNSSEC check:

$ dig @9.9.9.9 tamamsouq.com NS +cd

; <<>> DiG 9.12.0 <<>> @9.9.9.9 tamamsouq.com NS +cd
; (1 server found)
;; global options: +cmd
;; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39591
;; flags: rd ad cd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

...

;; QUERY SIZE: 54

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 39591

And you still get a SERVFAIL which means that even besides DNSSEC you have another problem.

Let us do the resolution manually.

What the registry says

$ dig @a.gtld-servers.net tamamsouq.com NS

; <<>> DiG 9.12.0 <<>> @a.gtld-servers.net tamamsouq.com NS
; (1 server found)
;; global options: +cmd
;; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44900
;; flags: rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

...

;; QUERY SIZE: 54

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44900
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;tamamsouq.com.     IN NS

;; AUTHORITY SECTION:
tamamsouq.com.      2d IN NS dns1.checkersinc.net.
tamamsouq.com.      2d IN NS dns2.checkersinc.net.

Querying directly your nameservers

$ dig @dns1.checkersinc.net. tamamsouq.com NS

; <<>> DiG 9.12.0 <<>> @dns1.checkersinc.net. tamamsouq.com NS
; (1 server found)
;; global options: +cmd
;; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38704
;; flags: rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

...

;; QUERY SIZE: 54

;; connection timed out; no servers could be reached

Same for dns2. Using +tcp to force TCP does not change anything.

So your servers do not reply at all to DNS queries.

They seem to be on IP addresses 69.64.35.255 and 69.64.33.255.

You need to address their connectivity problem. The final steps of tcptraceroute are:

 8  * * *
 9  ae5.cr-rigel.stl1.core.heg.com (4.35.182.58)  92.607 ms  92.283 ms  94.301 ms
10  207.38.95.10  94.115 ms  93.379 ms  93.532 ms
11  207.38.80.34  93.459 ms  94.508 ms  99.711 ms
12  static-ip-209-239-125-3.inaddr.ip-pool.com (209.239.125.3)  91.946 ms * *
13  * * *
14  * * *
15  * * *

So you probably have a firewall in front of them eating all DNS traffic.

Same at UDP level.

And since we cannot contact them, we cannot know if there is a DNSKEY properly published by them (it should be for key tag 2371), but if you have doubts about your experience with DNSSEC, and based on the above, I fear you do not have a proper DNSKEY record either, and hence the suggestion above to remove the DS record at the registry still holds.

Patrick Mevzek
  • Thank you for your productive answer. I removed the DNSKEY, and I turned off the firewall to see if there is anything blocked by the firewall, but the same problem still occurs!! I don't know what more to do, actually! – Hatem Sep 24 '19 at 14:02
  • Your connectivity problems remain at this time: your nameservers are not reachable over TCP or UDP port 53 so you need to fix that. – Patrick Mevzek Sep 24 '19 at 14:33
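
The triage order used in the second answer (validating resolver, then the same query with +cd, then the delegated nameserver directly), as an added example that is not part of the original answers. The function names `dig_status`, `classify` and `triage` and the diagnosis labels are assumptions made for this sketch; the sample transcripts are constructed, abridged from the dig output quoted above.

```shell
#!/bin/sh
# Added example, not from the original answers.

# Print the status of the *response* in dig output read from stdin.
# The transcripts above also show the header of the query dig sent (status
# NOERROR), so only a HEADER line after "Got answer:" counts.
# No reply at all -> TIMEOUT.
dig_status() {
    awk '
        /connection timed out/ { s = "TIMEOUT" }
        /^;; Got answer:/      { seen = 1 }
        seen && index($0, "->>HEADER<<-") {
            for (i = 1; i < NF; i++)
                if ($i == "status:") { s = $(i + 1); sub(/,$/, "", s) }
            seen = 0
        }
        END { print (s == "" ? "NONE" : s) }'
}

# classify VALIDATING CD AUTH -> one-word diagnosis (labels are hypothetical)
#   VALIDATING: status from a validating resolver; CD: same query with +cd;
#   AUTH: status from a delegated nameserver queried directly.
classify() {
    if   [ "$3" = TIMEOUT ]; then echo authoritative-unreachable
    elif [ "$1" = SERVFAIL ] && [ "$2" = NOERROR ]; then echo dnssec-validation-failure
    elif [ "$1" = SERVFAIL ]; then echo resolution-failure
    elif [ "$1" = NOERROR ]; then echo ok
    else echo inconclusive
    fi
}

# Live run (needs dig and network access): triage ZONE RESOLVER NAMESERVER
triage() {
    v=$(dig "@$2" "$1" NS | dig_status)
    c=$(dig +cd "@$2" "$1" NS | dig_status)
    a=$(dig +norecurse "@$3" "$1" NS | dig_status)
    classify "$v" "$c" "$a"
}

# Constructed samples, abridged from the transcripts in the answer.
SAMPLE_SERVFAIL=';; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65308
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 65308'
SAMPLE_TIMEOUT=';; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38704
;; connection timed out; no servers could be reached'
```

An unreachable authoritative server is reported first because, as the answer notes, the DNSKEY cannot be inspected until the server answers on port 53.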