Newer DNS servers may fail to resolve when requests come from UDP port 53, rather than from a high (1024+), random port.
Bind name servers now default to random query source ports. See Bind query-source
option.
One may need to:
query-source
option and restart Bindsudo apt-get install namebench
https://forums.extrahop.com/t/tip-of-the-week-dns-servfail-dns-nxdomain-truncated-dns-requests/138
SERVFAIL messages show that the fully qualified domain name (FQDN) that has been looked up does exist, that the root name servers have information on the domain but that the authoritative name servers are not answering queries for this domain.
SERVFAIL messages can also result from DNSSEC problems. You might try removing DNSSEC records at your registrar.
For NXDOMAIN, you need to track down the registrar with a tool such as 'whois' and find out why the domain is no longer available.
http://serverfault.com/questions/629367/dns-external-lookup-servfail
Name server 'glue' records (child name servers) at the registrar have a long TTL…often 48 hours. Changing IP addresses of these servers takes a long time.
dig +trace <domain>
dig +trace
follows the whole chain from the beginning…it queries root servers, then .info servers then your name servers. Thus it avoids any caching resolvers, and also avoids propagation issues.