Getting SERVFAIL for some subdomains of vmware.com


#1

I am receiving a SERVFAIL status for a few vmware subdomains when using 1.1.1.1 or 1.0.0.1. Subdomains with issues:
my.vmware.com
kb.vmware.com

$ dig my.vmware.com @1.1.1.1

; <<>> DiG 9.10.6 <<>> my.vmware.com @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 47549
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1452
;; QUESTION SECTION:
;my.vmware.com.			IN	A

;; ANSWER SECTION:
my.vmware.com.		150	IN	CNAME	my.cdnswitch.vmware.com.
my.cdnswitch.vmware.com. 60	IN	CNAME	5alxq.x.incapdns.net.
5alxq.x.incapdns.net.	30	IN	A	45.60.11.183

;; Query time: 350 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Sun Aug 26 12:48:25 EDT 2018
;; MSG SIZE  rcvd: 119

I do not get an error when using 8.8.8.8 though:

$ dig my.vmware.com @8.8.8.8

; <<>> DiG 9.10.6 <<>> my.vmware.com @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34803
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;my.vmware.com.			IN	A

;; ANSWER SECTION:
my.vmware.com.		40	IN	CNAME	my.cdnswitch.vmware.com.
my.cdnswitch.vmware.com. 9	IN	CNAME	5alxq.x.incapdns.net.
5alxq.x.incapdns.net.	29	IN	A	45.60.11.183

;; Query time: 36 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Aug 26 12:50:54 EDT 2018
;; MSG SIZE  rcvd: 119

In case it helps, here is the dns server that’s being used:

$ dig @1.1.1.1 id.server txt ch +short
"IAD"

Unable to resolve Nasa domains
Www.lancaster.ac.uk not resolving (SERVFAIL)
#2

I’m having the same issue - right pain when i’m trying to upgrade my ESXi lab.
I opened a ticket with Cloudflare support but they just closed it and sent a link to this forum.

I also tried using the ‘Purge Cache’ option on 1.1.1.1, but the same is still happening.


#3

labs.vmware.com is also affected…

dig labs.vmware.com @1.1.1.1
; <<>> DiG 9.13.2 <<>> labs.vmware.com @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 42827
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1452
;; QUESTION SECTION:
;labs.vmware.com. IN A

;; ANSWER SECTION:
labs.vmware.com. 55 IN CNAME labs.cdnswitch.vmware.com.
labs.cdnswitch.vmware.com. 60 IN CNAME 3gdci.x.incapdns.net.
3gdci.x.incapdns.net. 25 IN A 45.60.13.183

;; Query time: 597 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Mo Aug 27 21:33:24 CEST 2018
;; MSG SIZE rcvd: 123

dig labs.vmware.com @1.0.0.1
; <<>> DiG 9.13.2 <<>> labs.vmware.com @1.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 26783
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1452
;; QUESTION SECTION:
;labs.vmware.com. IN A

;; ANSWER SECTION:
labs.vmware.com. 49 IN CNAME labs.cdnswitch.vmware.com.
labs.cdnswitch.vmware.com. 60 IN CNAME 3gdci.x.incapdns.net.
3gdci.x.incapdns.net. 19 IN A 45.60.13.183

;; Query time: 676 msec
;; SERVER: 1.0.0.1#53(1.0.0.1)
;; WHEN: Mo Aug 27 21:33:31 CEST 2018
;; MSG SIZE rcvd: 123

dig labs.vmware.com @8.8.8.8
; <<>> DiG 9.13.2 <<>> labs.vmware.com @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46832
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;labs.vmware.com. IN A

;; ANSWER SECTION:
labs.vmware.com. 59 IN CNAME labs.cdnswitch.vmware.com.
labs.cdnswitch.vmware.com. 59 IN CNAME 3gdci.x.incapdns.net.
3gdci.x.incapdns.net. 29 IN A 45.60.13.183

;; Query time: 75 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mo Aug 27 21:33:36 CEST 2018
;; MSG SIZE rcvd: 123

dig +short CHAOS TXT id.server @1.1.1.1
“VIE”
dig +short CHAOS TXT id.server @1.0.0.1
“VIE”


Unable to resolve Nasa domains
#4

Thanks for the report, I’ll look into this.


SERVFAIL, but still returning correct data in answer