If it is not a local DPI problem then the only other thing is that domaincontrol.com in using anycast and one or more of the sites is using using nameservers that don't respond to EDNS queries or has a firewall that blocks EDNS queries.
Mark % traceroute -I ns33.domaincontrol.com traceroute to ns33.domaincontrol.com (216.69.185.17), 64 hops max, 60 byte packets 1 bsdi (192.168.191.233) 6.502 ms 8.335 ms 2.612 ms 2 10.72.0.1 (10.72.0.1) 8.692 ms 8.043 ms 8.030 ms 3 bla2-ge0-1.gw.optusnet.com.au (198.142.160.185) 15.227 ms 11.729 ms 18.273 ms 4 sbr3-ge14-0-0-821.gw.optusnet.com.au (211.29.156.12) 12.359 ms 8.048 ms 12.295 ms 5 203.208.191.73 (203.208.191.73) 176.409 ms 172.225 ms 171.329 ms 6 203.208.182.105 (203.208.182.105) 171.568 ms POS3-2.sngtp-ar2.ix.singtel.com (203.208.182.205) 171.644 ms 203.208.182.105 (203.208.182.105) 174.667 ms 7 ge-4-0-0-0.plapx-cr2.ix.singtel.com (203.208.183.173) 179.206 ms xe-1-0-0-0.plapx-cr2.ix.singtel.com (203.208.183.169) 172.409 ms 174.681 ms 8 ge-3-0-0-0.sngtp-dr1.ix.singtel.com (203.208.183.66) 360.125 ms 360.272 ms so-3-0-3-0.sngtp-cr1.ix.singtel.com (203.208.151.213) 360.054 ms 9 ge-4-0-0-0.sngtp-cr2.ix.singtel.com (203.208.182.102) 349.780 ms ge-1-0-0-0.sngc3-dr1.ix.singtel.com (203.208.173.134) 359.751 ms ae0-0.sngtp-cr2.ix.singtel.com (203.208.183.58) 381.008 ms 10 203.208.131.10 (203.208.131.10) 353.688 ms 378.354 ms ge-3-0-0-0.sngtp-dr1.ix.singtel.com (203.208.183.66) 374.032 ms 11 ge-0-0-0-0.sngc3-dr1.ix.singtel.com (203.208.149.77) 370.884 ms 363.593 ms ip-182-50-156-165.ip.secureserver.net (182.50.156.165) 382.590 ms 12 203.208.131.10 (203.208.131.10) 352.356 ms 355.794 ms ip-182-50-156-154.ip.secureserver.net (182.50.156.154) 370.840 ms 13 ip-182-50-156-150.ip.secureserver.net (182.50.156.150) 372.826 ms 341.247 ms 340.792 ms 14 ns33.domaincontrol.com (216.69.185.17) 342.589 ms 367.762 ms ip-182-50-156-154.ip.secureserver.net (182.50.156.154) 371.792 ms % dig +short +dnssec @ns33.domaincontrol.com. replacementservices.com. 72.32.12.235 % % traceroute -I ns33.domaincontrol.com traceroute to ns33.domaincontrol.com (216.69.185.17), 64 hops max, 60 byte packets 1 main.f1.sql1.isc.org (204.152.187.254) 0.288 ms 0.260 ms 0.203 ms 2 core.r1.sql1.isc.org (149.20.48.65) 2.226 ms 2.253 ms 0.966 ms 3 int-0-4-0-0.r1.pao1.isc.org (149.20.65.9) 2.722 ms 1.147 ms 3.836 ms 4 ge-9-15-1G.ar1.PAO2.gblx.net (64.215.195.21) 74.308 ms 74.351 ms 74.134 ms 5 64.209.110.218 (64.209.110.218) 19.212 ms 33.005 ms 71.280 ms 6 ip-208-109-112-153.ip.secureserver.net (208.109.112.153) 19.890 ms 21.273 ms 20.580 ms 7 ip-208-109-112-142.ip.secureserver.net (208.109.112.142) 19.835 ms 25.676 ms 18.667 ms 8 ip-208-109-114-129.ip.secureserver.net (208.109.114.129) 19.844 ms 20.143 ms 20.079 ms 9 ip-97-74-252-18.ip.secureserver.net (97.74.252.18) 20.839 ms 20.461 ms 22.330 ms 10 ns33.domaincontrol.com (216.69.185.17) 21.460 ms 21.474 ms 21.827 ms % dig +short +dnssec @ns33.domaincontrol.com. replacementservices.com. 72.32.12.235 % -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org _______________________________________________ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users