by lewisheadden 4000 days ago
They actually seem to work fine but you have to set the non-recursive bit.

  $ dig ns io @b.nic.ac +short

  ; <<>> DiG 9.8.3-P1 <<>> ns io @b.nic.ac +short
  ;; global options: +cmd
  ;; connection timed out; no servers could be reached
  $ dig ns io @b.nic.ac +short +norec
  b.ns13.net.
  [... extracted for brevity]
  ns3.icb.co.uk.
2 comments

This is the correct answer. The monitoring tool is sending the wrong kind of DNS queries to these servers, and these servers are filtering them out. You can argue the servers should at least respond with an error; however, they are functioning correctly when you ask them for an authoritative response (i.e. a delegation).
(monitoring tool author here) Agree. Makes sense. We should have run this test with RD bit unset.

But... IIRC, if RD is set when querying a non-recursive server, it should respond normally with an authoritative response with the Recursion Available (RA) flag unset. It does not mean it should drop the query totally.

Dropping bad queries is often a DDoS countermeasure.
This is indeed a typical configuration for authoritative name servers.
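
An added example, not code from any commenter or from the monitoring tool discussed in the thread: a sketch of how a monitoring probe could build its query with the RD bit clear (the `dig +norec` form) and treat a timeout on an RD=1 query as inconclusive rather than as an outage. The function names, the result labels and the header-only sample response are constructed for illustration.

```python
import struct

QR, AA, RD, RA = 0x8000, 0x0400, 0x0100, 0x0080  # DNS header flag bits

def build_query(name, qtype=2, rd=False, txid=0x1234):
    """Encode one question; qtype 2 is NS. rd=False matches `dig +norec`."""
    header = struct.pack("!HHHHHH", txid, RD if rd else 0, 1, 0, 0, 0)
    labels = [l for l in name.rstrip(".").split(".") if l]
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN

def parse_header(msg):
    """Decode the fixed 12-byte DNS header into the fields the probe needs."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, an, ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & QR), "aa": bool(flags & AA),
            "rd": bool(flags & RD), "ra": bool(flags & RA),
            "rcode": flags & 0x000F, "ancount": an, "nscount": ns}

def classify(query, response):
    """Judge an authoritative server from one probe; response is None on timeout."""
    q = parse_header(query)
    if response is None:
        # A server that drops recursive queries looks dead to an RD=1 probe,
        # so only a timeout on an RD=0 query counts as unreachable.
        return "inconclusive-retry-with-rd-clear" if q["rd"] else "unreachable"
    r = parse_header(response)
    if not r["qr"] or r["id"] != q["id"]:
        return "invalid-response"
    if r["rcode"] != 0:
        return "rcode-%d" % r["rcode"]
    if r["aa"] and r["ancount"]:
        return "authoritative-answer"
    if r["nscount"]:
        return "delegation"
    return "empty-response"

# Constructed sample: header of an authoritative reply (AA set, RA clear, 2 answers).
SAMPLE_RESPONSE_HEADER = struct.pack("!HHHHHH", 0x1234, QR | AA, 1, 2, 0, 0)

if __name__ == "__main__":
    print(classify(build_query("io", rd=True), None))
    print(classify(build_query("io", rd=False), SAMPLE_RESPONSE_HEADER))
```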