Old 04-08-2017, 12:15 AM   #1
dengel
LQ Newbie
 
Registered: Jun 2003
Distribution: Arch Linux
Posts: 23

Rep: Reputation: 0
bind suddenly started reporting servfail on www.archives.gov


I have a caching bind server on my local network, with the below entry:

zone "." IN {
type hint;
file "root.hint";
};

The root.hint file is ftp://ftp.internic.net/domain/named.root

Everything works fine and has been working fine for a long time. But suddenly, within the past day, it returns SERVFAIL for the one domain archives.gov (e.g. www.archives.gov).

Lookups of all the other domains and servers work fine. It's just this one that causes a SERVFAIL. If I direct nslookup to use my ISP-provided name server (75.75.75.75) directly, things work. But they should work with my own name server, because everything else works.

Let me re-iterate: lookups of ALL OTHER SERVER NAMES that I've tried work just fine. It's just this one, specific server (or domain?) that is returning SERVFAIL.

Below is some troubleshooting output, but I don't know enough about DNS to make use of the information:

$ dig www.archives.gov IN

; <<>> DiG 9.11.0-P3 <<>> www.archives.gov IN
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 63313
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: ff2e05631e7d9753b457eefb58e861c3f5675b5c5ff03058 (good)
;; QUESTION SECTION:
;www.archives.gov. IN A

;; Query time: 0 msec
;; SERVER: 192.168.2.8#53(192.168.2.8)
;; WHEN: Sat Apr 08 00:06:27 EDT 2017
;; MSG SIZE rcvd: 73

$ dig @75.75.75.75 www.archives.gov IN

; <<>> DiG 9.11.0-P3 <<>> @75.75.75.75 www.archives.gov IN
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 165
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.archives.gov. IN A

;; ANSWER SECTION:
www.archives.gov. 300 IN CNAME dualstack.archives-gov-prod-publicelb-938503165.us-east-1.elb.amazonaws.com.
dualstack.archives-gov-prod-publicelb-938503165.us-east-1.elb.amazonaws.com. 60 IN A 34.204.154.234
dualstack.archives-gov-prod-publicelb-938503165.us-east-1.elb.amazonaws.com. 60 IN A 34.192.218.114

;; Query time: 48 msec
;; SERVER: 75.75.75.75#53(75.75.75.75)
;; WHEN: Sat Apr 08 00:07:12 EDT 2017
;; MSG SIZE rcvd: 166

The log output of named looks like this:

Apr 08 00:10:44 peter named[2739]: DNS format error from 208.44.130.121#53 resolving www.archives.gov/A for client 192.168.2.8#54480: too many questions
Apr 08 00:10:44 peter named[2739]: network unreachable resolving 'www.archives.gov/A/IN': 2001:428::7#53
Apr 08 00:10:44 peter named[2739]: network unreachable resolving 'www.archives.gov/A/IN': 2001:428::8#53
Apr 08 00:10:44 peter named[2739]: DNS format error from 63.150.72.5#53 resolving www.archives.gov/A for client 192.168.2.8#54480: too many questions
Apr 08 00:10:45 peter named[2739]: DNS format error from 208.44.130.121#53 resolving www.archives.gov/A for client 192.168.2.8#54480: too many questions
Apr 08 00:10:46 peter named[2739]: DNS format error from 63.150.72.5#53 resolving www.archives.gov/A for client 192.168.2.8#54480: too many questions
Apr 08 00:10:47 peter named[2739]: DNS format error from 208.44.130.121#53 resolving www.archives.gov/DS: too many questions
Apr 08 00:10:48 peter named[2739]: network unreachable resolving 'www.archives.gov/DS/IN': 2001:428::7#53
Apr 08 00:10:48 peter named[2739]: network unreachable resolving 'www.archives.gov/DS/IN': 2001:428::8#53
Apr 08 00:10:48 peter named[2739]: DNS format error from 63.150.72.5#53 resolving www.archives.gov/DS: too many questions
Apr 08 00:10:49 peter named[2739]: DNS format error from 208.44.130.121#53 resolving www.archives.gov/DS: too many questions
Apr 08 00:10:50 peter named[2739]: DNS format error from 63.150.72.5#53 resolving www.archives.gov/DS: too many questions
Apr 08 00:10:57 peter named[2739]: no valid DS resolving 'www.archives.gov/DS/IN': 208.44.130.121#53

Thank you in advance for taking a look. Can anybody make sense of this?

Let me state once more (because it really is puzzling for me): All other lookups work, except for this one site (which is the National Archives, by the way).
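A way to triage the named messages quoted above, as an added example that is not part of the original post: it groups the resolver's log lines by upstream server and failure kind, which separates servers that did send a reply (a "DNS format error" or "no valid DS" is logged against a server that answered, so a port-53 block does not explain those) from servers the resolver could not reach at all. The log lines inside the block are constructed to mirror the quoted ones, and the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample lines, modelled on the named output quoted in the thread.
SAMPLE_LOG = """\
Apr 08 00:10:44 peter named[2739]: DNS format error from 208.44.130.121#53 resolving www.archives.gov/A for client 192.168.2.8#54480: too many questions
Apr 08 00:10:44 peter named[2739]: network unreachable resolving 'www.archives.gov/A/IN': 2001:428::7#53
Apr 08 00:10:44 peter named[2739]: DNS format error from 63.150.72.5#53 resolving www.archives.gov/A for client 192.168.2.8#54480: too many questions
Apr 08 00:10:47 peter named[2739]: DNS format error from 208.44.130.121#53 resolving www.archives.gov/DS: too many questions
Apr 08 00:10:57 peter named[2739]: no valid DS resolving 'www.archives.gov/DS/IN': 208.44.130.121#53
"""

# The three message shapes seen in the thread; "#53" is the upstream server's port.
FORMERR = re.compile(r"DNS format error from (\S+)#53 resolving (\S+?)(?: for client \S+)?: (.+)$")
UNREACH = re.compile(r"network unreachable resolving '([^']+)': (\S+)#53")
NO_DS = re.compile(r"no valid DS resolving '([^']+)': (\S+)#53")

def classify(line):
    """Return (kind, upstream_server, qname, detail), or None if unrecognised."""
    m = FORMERR.search(line)
    if m:
        return ("formerr", m.group(1), m.group(2), m.group(3))
    m = UNREACH.search(line)
    if m:
        return ("unreachable", m.group(2), m.group(1), "")
    m = NO_DS.search(line)
    if m:
        return ("no_valid_ds", m.group(2), m.group(1), "")
    return None

def triage(log_text):
    """Count each failure kind per upstream server address."""
    per_server = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            kind, server, _qname, _detail = hit
            per_server[server][kind] += 1
    return {server: dict(kinds) for server, kinds in per_server.items()}

def verdict(summary):
    """Split servers into those that sent a reply (FORMERR and "no valid DS" are
    both logged against a responding server, so a port-53 block does not explain
    them) and those the resolver never reached (here the IPv6 addresses)."""
    answered = sorted(s for s, k in summary.items() if "formerr" in k or "no_valid_ds" in k)
    silent = sorted(s for s, k in summary.items() if set(k) == {"unreachable"})
    return {"answered_malformed": answered, "unreachable": silent}
```

Run `verdict(triage(SAMPLE_LOG))` (or feed it `journalctl -u named` output) to see which upstreams answered and which were never reached.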
 
Old 04-10-2017, 08:53 AM   #2
dengel
LQ Newbie
 
Registered: Jun 2003
Distribution: Arch Linux
Posts: 23

Original Poster
Rep: Reputation: 0
No answers? No further troubleshooting suggestions?

I finally just added a special rule to forward to my ISP's server for that one domain; but if anybody has any idea what's going on, I would really appreciate any answers or information, even if it's not something I can fix--just for my own edification.

Again, thanks in advance.
 
Old 04-10-2017, 09:13 AM   #3
MensaWater
LQ Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, CoreOS, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 7,831
Blog Entries: 15

Rep: Reputation: 1669
At a guess your firewall is blocking connections to the name server(s) that would resolve the record. Dig shows the authoritative name servers are:

us-east-1.elb.amazonaws.com. 96 IN NS ns-1793.awsdns-32.co.uk.
us-east-1.elb.amazonaws.com. 96 IN NS ns-934.awsdns-52.net.
us-east-1.elb.amazonaws.com. 96 IN NS ns-235.awsdns-29.com.
us-east-1.elb.amazonaws.com. 96 IN NS ns-1119.awsdns-11.org

Is it possible you're blocking the IP of one or more of those (e.g. the one in the UK)? I've seen this kind of fail before when we were doing geographic blocking and/or a firewall device had miscategorized an IP that had changed. (e.g. We saw a site getting blocked because the IP it had for one of its servers was originally assigned for "gaming" and later assigned to something valid for our business but the firewall provider's software hadn't re-categorized until we contacted the firewall provider.)
 
Old 04-10-2017, 09:23 PM   #4
dengel
LQ Newbie
 
Registered: Jun 2003
Distribution: Arch Linux
Posts: 23

Original Poster
Rep: Reputation: 0
Thanks for the suggestion, @MensaWater.

Quote:
Originally Posted by MensaWater View Post
At a guess your firewall is blocking connections to the name server(s) that would resolve the record
Well, it wouldn't be my internal firewall. But to check, I did the following. If there is some firewall blocking those, then it's not a general block (e.g., ICMP packets are getting through.) Is there another check I could perform?

[root@peter ~]# ping ns-1793.awsdns-32.co.uk
PING ns-1793.awsdns-32.co.uk (205.251.199.1) 56(84) bytes of data.
64 bytes from ns-1793.awsdns-32.co.uk (205.251.199.1): icmp_seq=1 ttl=52 time=22.8 ms
64 bytes from ns-1793.awsdns-32.co.uk (205.251.199.1): icmp_seq=2 ttl=52 time=22.7 ms
64 bytes from ns-1793.awsdns-32.co.uk (205.251.199.1): icmp_seq=3 ttl=52 time=23.4 ms
64 bytes from ns-1793.awsdns-32.co.uk (205.251.199.1): icmp_seq=4 ttl=52 time=57.2 ms
64 bytes from ns-1793.awsdns-32.co.uk (205.251.199.1): icmp_seq=5 ttl=52 time=22.6 ms
^C
--- ns-1793.awsdns-32.co.uk ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4392ms
rtt min/avg/max/mdev = 22.682/29.802/57.275/13.739 ms
[root@peter ~]# ping ns-934.awsdns-52.net
PING ns-934.awsdns-52.net (205.251.195.166) 56(84) bytes of data.
64 bytes from ns-934.awsdns-52.net (205.251.195.166): icmp_seq=1 ttl=50 time=71.6 ms
64 bytes from ns-934.awsdns-52.net (205.251.195.166): icmp_seq=2 ttl=50 time=71.0 ms
64 bytes from ns-934.awsdns-52.net (205.251.195.166): icmp_seq=3 ttl=50 time=76.7 ms
64 bytes from ns-934.awsdns-52.net (205.251.195.166): icmp_seq=4 ttl=50 time=71.2 ms
^C
--- ns-934.awsdns-52.net ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 71.073/72.684/76.750/2.374 ms
[root@peter ~]# ping ns-235.awsdns-29.com
PING ns-235.awsdns-29.com (205.251.192.235) 56(84) bytes of data.
64 bytes from ns-235.awsdns-29.com (205.251.192.235): icmp_seq=1 ttl=51 time=23.9 ms
64 bytes from ns-235.awsdns-29.com (205.251.192.235): icmp_seq=2 ttl=51 time=23.1 ms
64 bytes from ns-235.awsdns-29.com (205.251.192.235): icmp_seq=3 ttl=51 time=25.0 ms
64 bytes from ns-235.awsdns-29.com (205.251.192.235): icmp_seq=4 ttl=51 time=22.8 ms
^C
--- ns-235.awsdns-29.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3048ms
rtt min/avg/max/mdev = 22.860/23.743/25.061/0.878 ms
[root@peter ~]# ping ns-1119.awsdns-11.org
PING ns-1119.awsdns-11.org (205.251.196.95) 56(84) bytes of data.
64 bytes from ns-1119.awsdns-11.org (205.251.196.95): icmp_seq=1 ttl=42 time=186 ms
64 bytes from ns-1119.awsdns-11.org (205.251.196.95): icmp_seq=2 ttl=42 time=191 ms
64 bytes from ns-1119.awsdns-11.org (205.251.196.95): icmp_seq=3 ttl=42 time=186 ms
^C
--- ns-1119.awsdns-11.org ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 186.470/188.299/191.793/2.496 ms
[root@peter ~]#
 
Old 04-11-2017, 09:41 AM   #5
MensaWater
LQ Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, CoreOS, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 7,831
Blog Entries: 15

Rep: Reputation: 1669
What if you try telnet or nc to port 53 of each of those? It is port 53 that listens for DNS queries.

Also if you do "dig +trace" for the name does it show you being stopped at any intermediate hop (e.g. a root server or a Registrar's server)?
 