trace dns delegations

Sometimes when DNS is failing, it might just be the wrong delegation on the ns tree. In order to trace that, there’s a nifty tool called dnstracer. Use -4 to trace via IPv4 only (IPv6 could be broken on your route and lead into faulty assumptions), as well as do not start at your local resolver, but the root servers (-s .).

Below is an example on the current GoDaddy outage, trying to trace one of their nameservers below domaincontrol.com

$ dnstracer -s . -4 ns1.domaincontrol.com

Tracing to ns1.domaincontrol.com[a] via A.ROOT-SERVERS.NET, maximum of 3 retries
A.ROOT-SERVERS.NET [.] (198.41.0.4)
 |___ m.gtld-servers.net [com] (192.55.83.30)
 |     |___ ans02.domaincontrol.com [domaincontrol.com] (208.109.255.35) * * *
 |      ___ ans01.domaincontrol.com [domaincontrol.com] (216.69.185.35) * * *
 |___ l.gtld-servers.net [com] (192.41.162.30)
 |     |___ ans02.domaincontrol.com [domaincontrol.com] (208.109.255.35) *
 |      ___ ans01.domaincontrol.com [domaincontrol.com] (216.69.185.35) * * *
 |___ k.gtld-servers.net [com] (192.52.178.30)
 |     |___ ans02.domaincontrol.com [domaincontrol.com] (208.109.255.35) * * *
 |      ___ ans01.domaincontrol.com [domaincontrol.com] (216.69.185.35) * * *
 |___ j.gtld-servers.net [com] (192.48.79.30)
 |     |___ ans02.domaincontrol.com [domaincontrol.com] (208.109.255.35) * * *
 |      ___ ans01.domaincontrol.com [domaincontrol.com] (216.69.185.35) * * *
...