
DNS Testing and Troubleshooting

Source Port

Newer DNS servers may fail to resolve when queries arrive from UDP source port 53 rather than from a high (1024+), random source port.

Bind name servers now default to random query source ports. See Bind query-source option.

One may need to:

  1. Comment out an existing query-source option and restart Bind
  2. Adjust the firewall to allow all outgoing connections to UDP (and TCP) port 53

Linux

sudo apt-get install namebench

Windows

Mail

Errors

https://forums.extrahop.com/t/tip-of-the-week-dns-servfail-dns-nxdomain-truncated-dns-requests/138

SERVFAIL messages indicate that the fully qualified domain name (FQDN) being looked up does exist (the root name servers hold delegation information for the domain) but that the authoritative name servers are not answering queries for it.

SERVFAIL messages can also result from DNSSEC problems. You might try removing DNSSEC records at your registrar.

For NXDOMAIN, track down the registrar with a tool such as 'whois' and find out why the domain is no longer available.
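To make two of the points on this page concrete (the random query source port from the Source Port section, and the SERVFAIL/NXDOMAIN distinction from this Errors section), here is an added Python example. It is not part of this page, of BIND, or of dig: it hand-builds a DNS query in RFC 1035 wire format, binds the UDP socket to an OS-chosen ephemeral port instead of port 53, and maps the response code to the hints above. The `query` function needs network access; the sample response bytes, the `HINTS` table and all function names are constructed for this illustration.

```python
"""Minimal DNS client: builds a query, sends it from a random ephemeral
source port (never UDP 53), and classifies the response code.

Added example for this wiki page; not code from BIND or dig.  The wire
format and rcode names are standard (RFC 1035); the sample responses and
the HINTS table are constructed for illustration.
"""
import random
import socket
import struct
from typing import Optional

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}

# Troubleshooting hints paraphrased from the page (an illustration, not an
# exhaustive diagnosis).
HINTS = {
    "SERVFAIL": "delegation exists but the authoritative servers are not "
                "answering, or DNSSEC validation failed",
    "NXDOMAIN": "name does not exist; check the registration with whois",
}


def build_query(name: str, qtype: int = 1, txid: Optional[int] = None) -> bytes:
    """Encode a standard recursive query (RD=1) for `name`, class IN."""
    if txid is None:
        txid = random.randrange(0, 0x10000)  # random ID, like the random port
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_header(resp: bytes) -> dict:
    """Decode the 12-byte header: id, rcode name, and the AA/TC/AD flags."""
    if len(resp) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    rcode = flags & 0x000F
    return {
        "id": txid,
        "rcode": RCODES.get(rcode, "RCODE%d" % rcode),
        "authoritative": bool(flags & 0x0400),
        "truncated": bool(flags & 0x0200),
        "ad": bool(flags & 0x0020),      # resolver validated it with DNSSEC
        "answers": an,
    }


def classify(resp: bytes, expected_id: int) -> str:
    """Return the rcode name plus the page's hint; reject ID mismatches."""
    hdr = parse_header(resp)
    if hdr["id"] != expected_id:
        raise ValueError("transaction ID mismatch: reply not for our query")
    hint = HINTS.get(hdr["rcode"])
    return hdr["rcode"] if hint is None else "%s: %s" % (hdr["rcode"], hint)


def query(server: str, name: str, timeout: float = 3.0) -> str:
    """Send one UDP query from an OS-chosen ephemeral port (needs network)."""
    q = build_query(name)
    txid = struct.unpack("!H", q[:2])[0]
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("", 0))                  # port 0: the OS picks a high port
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        resp, _ = s.recvfrom(4096)
    return classify(resp, txid)


# Constructed sample responses: id 0x1234, one question, flags as noted.
SAMPLE_SERVFAIL = struct.pack("!HHHHHH", 0x1234, 0x8182, 1, 0, 0, 0)    # QR RD RA, rcode 2
SAMPLE_NXDOMAIN = struct.pack("!HHHHHH", 0x1234, 0x8183, 1, 0, 1, 0)    # rcode 3, SOA in authority
SAMPLE_NOERROR_AD = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 0)  # AD set, one answer

if __name__ == "__main__":
    for sample in (SAMPLE_SERVFAIL, SAMPLE_NXDOMAIN, SAMPLE_NOERROR_AD):
        print(classify(sample, 0x1234))
```

Binding to port 0 is exactly what the page's "high, random port" advice amounts to in code; a server that instead binds its query socket to port 53 is what the Bind query-source option used to do. The firewall step then follows: outbound UDP and TCP to port 53 must be allowed from that whole ephemeral range, not only from port 53.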

Troubleshooting

http://serverfault.com/questions/629367/dns-external-lookup-servfail

:!: Name server 'glue' records (child name servers) at the registrar have a long TTL, often 48 hours. Changing the IP addresses of these servers therefore takes a long time to propagate.

dig +trace <domain>

dig +trace follows the whole delegation chain from the beginning: it queries the root servers, then the TLD servers (for example .info), then your name servers. It therefore bypasses caching resolvers and is unaffected by propagation issues.
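As an added example (not code from dig or from this page), the following Python script parses `dig +trace` output into the delegation chain it walked, so you can see which zone was referred to at each step, which server answered, and which NS records carry the long TTLs the warning above describes. The record-line and ";; Received ... from" formats are dig's real output format; the sample trace, its server names and addresses are constructed (documentation ranges and invented host names), and all function names are this example's own.

```python
"""Parse `dig +trace` output into the delegation steps it walked.

Added example for this wiki page, not code from dig or BIND.  The line
formats are dig's; the SAMPLE_TRACE text is constructed with documentation
addresses (192.0.2.0/24 etc.) and invented TLD/authoritative host names.
"""
import re

# ";; Received 525 bytes from 192.0.2.1#53(192.0.2.1) in 3 ms"
RECEIVED_RE = re.compile(
    r"^;; Received \d+ bytes from (?P<ip>[^#\s]+)#\d+\((?P<name>[^)]+)\)"
)

SAMPLE_TRACE = """\
; <<>> DiG 9.16.1 <<>> +trace example.info
;; global options: +cmd
.\t\t\t518400\tIN\tNS\ta.root-servers.net.
.\t\t\t518400\tIN\tNS\tb.root-servers.net.
;; Received 525 bytes from 192.0.2.1#53(192.0.2.1) in 3 ms

info.\t\t\t172800\tIN\tNS\tns-a.tld-example.info.
info.\t\t\t172800\tIN\tNS\tns-b.tld-example.info.
;; Received 700 bytes from 198.51.100.4#53(a.root-servers.net) in 20 ms

example.info.\t\t86400\tIN\tNS\tns1.example.info.
example.info.\t\t86400\tIN\tNS\tns2.example.info.
;; Received 200 bytes from 203.0.113.8#53(ns-a.tld-example.info) in 30 ms

example.info.\t\t3600\tIN\tA\t192.0.2.10
;; Received 60 bytes from 192.0.2.53#53(ns1.example.info) in 10 ms
"""


def parse_trace(text):
    """Split trace output into steps: the records returned and who sent them."""
    steps, records = [], []
    for line in text.splitlines():
        m = RECEIVED_RE.match(line)
        if m:  # end of one step: attach the records collected so far
            steps.append({"from": m.group("name"), "ip": m.group("ip"),
                          "records": records})
            records = []
            continue
        if not line or line.startswith(";"):
            continue  # banner, option and comment lines
        fields = line.split()
        if len(fields) >= 5 and fields[2] == "IN":
            records.append({"owner": fields[0], "ttl": int(fields[1]),
                            "type": fields[3], "rdata": " ".join(fields[4:])})
    return steps


def delegation_chain(steps):
    """Zones referred to via NS records, e.g. ['.', 'info.', 'example.info.']."""
    chain = []
    for step in steps:
        owners = {r["owner"] for r in step["records"] if r["type"] == "NS"}
        if owners:
            chain.append(min(owners, key=len))  # one zone per referral step
    return chain


def final_answer(steps):
    """Non-NS records in the last step: the answer from the authoritative server."""
    if not steps:
        return []
    return [r for r in steps[-1]["records"] if r["type"] != "NS"]


def long_ttl_ns(steps, threshold=172800):
    """Zones whose NS records have a TTL of `threshold` seconds (48 h) or more:
    the delegation data the page warns is slow to change."""
    return sorted({r["owner"] for s in steps for r in s["records"]
                   if r["type"] == "NS" and r["ttl"] >= threshold})


if __name__ == "__main__":
    parsed = parse_trace(SAMPLE_TRACE)
    for step in parsed:
        print(step["from"], "->", [(r["owner"], r["type"], r["rdata"]) for r in step["records"]])
    print("chain:", delegation_chain(parsed))
    print("answer:", final_answer(parsed))
    print("long-TTL delegations:", long_ttl_ns(parsed))
```

Feed it real output with `dig +trace example.info > trace.txt` and `parse_trace(open("trace.txt").read())`; a chain that stops before your zone, or a last step with no answer records, points at the delegation or at the authoritative servers rather than at a caching resolver, which is exactly why the page recommends +trace.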

internet/dns/dns_testing.txt · Last modified: 2021/01/17 15:12 by gcooper