Query or time limits exceeded” for .ink domains on Google Public DNS
Ken Brubacher
I’m seeing consistent SERVFAIL responses from Google Public DNS for my domain innovative.ink (and all subdomains), while other major resolvers work correctly. This appears to be a resolver-side issue with query/time limits on your end.
Domain: innovative.inkAuthoritative name servers:
-
ns1.megadnscontrol.com (51.222.204.134)
-
ns2.megadnscontrol.com (104.130.201.20)
Symptoms:
-
Google Public DNS (8.8.8.8 and 8.8.4.4) returns SERVFAIL with Extended DNS Error (EDE) text “Query or time limits exceeded” for SOA, NS, and A lookups under innovative.ink.
-
Other public resolvers (Cloudflare 1.1.1.1, Quad9 9.9.9.9, OpenDNS 208.67.222.222/208.67.220.220 , and my ISP/local resolver) all return correct answers.
-
Authoritative queries to ns1/ ns2.megadnscontrol.com return clean, authoritative answers with no DNSSEC.
Repro steps and sample queries:
-
Apex SOA via Google Public DNS
bashdig @ 8.8.8.8 innovative.ink SOA +dnssec +multi
Response:text;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 632 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 512 ; OPT=15: 00 00 51 75 65 72 79 20 6f 72 20 74 69 6d 65 20 6c 69 6d 69 74 73 20 65 78 63 65 65 64 65 64 20 66 6f 72 20 69 6e 6e 6f 76 61 74 69 76 65 2e 69 6e 6b 2f 73 6f 61 ("..Query or time limits exceeded for innovative.ink/soa")
-
Apex NS via Google Public DNS
bashdig @ 8.8.8.8 innovative.ink NS +dnssec +multi
Response:text;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 62432 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 512 ; OPT=15: 00 00 51 75 65 72 79 20 6f 72 20 74 69 6d 65 20 6c 69 6d 69 74 73 20 65 78 63 65 65 64 65 64 20 66 6f 72 20 69 6e 6e 6f 76 61 74 69 76 65 2e 69 6e 6b 2f 6e 73 ("..Query or time limits exceeded for innovative.ink/ns")
-
Host A record via Google Public DNS (UDP and TCP)
TCP response (similar for UDP):text;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 39033 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 512 ; OPT=15: "...Query or time limits exceeded for forge.innovative.ink/a"
-
Same host via other resolvers (works):
bashdig @ 1.1.1.1 forge.innovative.ink A +dnssec +multi
Response:text;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31707 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 forge.innovative.ink. 14400 IN A 54.39.132.134
-
Authoritative checks ( ns1.megadnscontrol.com ):
bashdig @ ns1.megadnscontrol.com forge.innovative.ink ANY
Response:text;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14561 ;; flags: qr aa rd; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1 ;; WARNING: recursion requested but not available forge.innovative.ink. 14400 IN MX 0 forge.innovative.ink. forge.innovative.ink. 14400 IN A 54.39.132.134 forge.innovative.ink. 86400 IN NS ns2.megadnscontrol.com . forge.innovative.ink. 86400 IN NS ns1.megadnscontrol.com . forge.innovative.ink. 86400 IN SOA ns1.megadnscontrol.com . root.forge.innovative.ink. 2026032600 3600 1800 1209600 86400
Additionally:
-
innovative.ink is not DNSSEC‑signed (no DS in the .ink parent), so there is no DNSSEC validation chain to break.
-
Direct queries to both authoritative name servers are fast and consistent.
-
Cloudflare, Quad9, OpenDNS and my ISP’s resolver all return the correct A record for forge.innovative.ink.
This looks like an internal Google Public DNS resolver issue (query/time limits exceeded when talking to my authoritative name servers) rather than a zone misconfiguration. Could you please investigate why innovative.ink is triggering “Query or time limits exceeded” and advise if any changes are needed on my side?
