Server Fail and a non-recursive server

James Raftery james-bind-users at now.ie
Thu Mar 1 20:12:20 UTC 2001


On Thu, Mar 01, 2001 at 02:47:47PM -0500, Don Robertson wrote:
> It needs only be authoritative for its own zones, so we have recursion turned
> off and no 'hints' file.
[snip] 
> The problem is that we keep getting requests for domains that we are not
> hosting. These requests are reoccurring and we believe this is because BIND
> answers them with a "Server Fail" rather than a "NXDOMAIN" (name error).

NXDOMAIN means something different. It means that no records of any type
exist for the name queried. Only a server authoritative for the relevant
zone, or a resolver which has contacted an authoritative server, should
return NXDOMAIN for a query.

> 1) Is there a way to configure BIND 8.2.3 so that it will be non-recursive,
> yet not return server fail responses when it gets a domain name that it
> doesn't know about, putting out NXDOMAIN instead?

Not NXDOMAIN. You're giving out SERVFAIL because your server wants to
give a referral in its response but it can't because it doesn't have a
view of the root servers. Give it the root hints file. It will respond
with a referral to the root. This is The Right Thing To Do (tm).

> 2) Do these server fail messages really cause the requesting servers to keep
> trying?

Yes.

> 3) Any idea why we keep getting requests for these domains (with illegal
> underscore characters in them)?:

Microsoft Active Directory.


james
-- 
James Raftery (JBR54)
  "It's somewhere in the Red Hat district"  --  A network engineer's
   Freudian slip when talking about Amsterdam's nightlife at RIPE 38.
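
An added example, not part of the original message: Python that classifies a DNS reply as SERVFAIL, NXDOMAIN or a referral from its 12-byte header, which is how to confirm which of the responses discussed above a server is actually giving. The sample replies, the message ID and the query name `_ldap._tcp.example.com` are constructed for illustration.

```python
import struct

def encode_name(name):
    """Encode a dotted name as DNS wire-format labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_response(qname, rcode, aa=False, ancount=0, nscount=0):
    """Constructed sample reply: header and question only. Record bodies are
    left out because classify() reads nothing but the header counts."""
    flags = 0x8000 | (0x0400 if aa else 0) | rcode  # QR=1, RD=0, RA=0
    header = struct.pack("!6H", 0x1234, flags, 1, ancount, nscount, 0)
    return header + encode_name(qname) + struct.pack("!2H", 33, 1)  # SRV, IN

def parse_qname(msg, offset=12):
    """Read the uncompressed question name that follows the 12-byte header."""
    labels = []
    while msg[offset] != 0:
        length = msg[offset]
        if length & 0xC0:
            raise ValueError("unexpected compression pointer in question")
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels)

def classify(msg):
    """Label a reply using the distinctions drawn in the thread."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    _id, flags, _qd, ancount, nscount, _ar = struct.unpack("!6H", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response")
    rcode, aa = flags & 0x000F, bool(flags & 0x0400)
    if rcode == 2:
        kind = "servfail"
    elif rcode == 3:
        kind = "nxdomain"
    elif rcode == 0 and ancount == 0 and nscount > 0 and not aa:
        kind = "referral"  # NOERROR, no answer, NS records in authority
    elif rcode == 0 and ancount > 0:
        kind = "answer"
    else:
        kind = "other"
    qname = parse_qname(msg)
    return {"kind": kind, "qname": qname, "underscore": "_" in qname}

if __name__ == "__main__":
    name = "_ldap._tcp.example.com"  # constructed query name
    for reply in (build_response(name, 2), build_response(name, 0, nscount=13),
                  build_response(name, 3, aa=True)):
        print(classify(reply))
```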

