nslookup of paypal.com succeeds byt www.paypal.com returns SERVFAIL

I have a bind9 server here forwarding to openDNS:


options {
directory "/var/cache/bind";


allow-query { goodclients; };
forwarders {
208.67.222.222;
208.67.220.220;
};


dnssec-validation auto;
recursion yes;

auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };

response-policy { zone "rpz"; } break-dnssec yes max-policy-ttl 7200;

};

But when I NSLOOKUP or dig www.paypal.com I get a SERVFAIl error, and if I do the same for paypal.com I get success. Other domains seem to be working, but I havent exhaustively checked, obviously:



# dig www.paypal.com

; <<>> DiG 9.10.3-P4-Debian <<>> www.paypal.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 45562
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.paypal.com.			IN	A

;; Query time: 0 msec
;; SERVER: 10.0.1.2#53(10.0.1.2)
;; WHEN: Thu Apr 18 08:50:39 EDT 2019
;; MSG SIZE  rcvd: 43



# dig paypal.com

; <<>> DiG 9.10.3-P4-Debian <<>> paypal.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43283
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 6

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;paypal.com. IN A

;; ANSWER SECTION:
paypal.com. 152 IN A 64.4.250.36
paypal.com. 152 IN A 64.4.250.37

;; AUTHORITY SECTION:
paypal.com. 152 IN NS pdns100.ultradns.net.
paypal.com. 152 IN NS ns1.p57.dynect.net.
paypal.com. 152 IN NS pdns100.ultradns.com.
paypal.com. 152 IN NS ns2.p57.dynect.net.

;; ADDITIONAL SECTION:
ns2.p57.dynect.NET. 16488 IN A 204.13.250.57
pdns100.ultradns.com. 2568 IN A 156.154.64.100
pdns100.ultradns.com. 76706 IN AAAA 2001:502:f3ff::88
pdns100.ultradns.NET. 1454 IN A 156.154.65.100
pdns100.ultradns.NET. 16528 IN AAAA 2610:a1:1014::88

;; Query time: 0 msec
;; SERVER: 10.0.1.2#53(10.0.1.2)
;; WHEN: Thu Apr 18 08:51:28 EDT 2019
;; MSG SIZE rcvd: 322

rotblitz April 18, 2019 13:02 (Edited April 24, 2019 08:24)

It works for me.

; <<>> DiG 9.13.3 <<>> @fd00::ca0e:14ff:fee9:8362 @192.168.178.1 +dnssec +noqr +multiline www.paypal.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36706
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.paypal.com. IN A

;; ANSWER SECTION:
www.paypal.com. 1788 IN CNAME www.glb.paypal.com.
www.glb.paypal.com. 1788 IN CNAME www.paypal.com.edgekey.net.
www.paypal.com.edgekey.net. 27 IN CNAME e16973.a.akamaiedge.net.
e16973.a.akamaiedge.net. 20 IN A 2.21.38.79

;; Query time: 21 msec
;; SERVER: fd00::ca0e:14ff:fee9:8362#53(fd00::ca0e:14ff:fee9:8362)
;; WHEN: Thu Apr 18 14:56:13 CEST 2019
;; MSG SIZE rcvd: 155

rotblitz April 18, 2019 13:39

See your query time of 0 msecs? It seems your DNS service at 10.0.1.2 is pretty malfunctioning...

jeremylaurenson April 18, 2019 13:42

The query is not immediate. It takes 12 seconds or so. Looking for ideas of where to look.

rotblitz April 18, 2019 13:50 (Edited April 24, 2019 08:20)

12 seconds for a response? Unacceptable.
Better looking in a BIND forum? This issue doesn’t seem to be related to OpenDNS.

What does this return?

dig www.paypal.com @208.67.220.220

nslookup of paypal.com succeeds byt www.paypal.com returns SERVFAIL

Comments

Didn't find what you were looking for?