Two DNS Servers inside a firewall

Mark Andrews Mark_Andrews at isc.org
Fri Sep 5 02:02:23 UTC 2008


> FORMERR is strange. Generally speaking, you should not be seeing FORMERR 
> in queries between 2 different BIND instances.
> 
> It's looking increasingly to me like a bad NAT/PAT device, mangling your 
> packets. Maybe it doesn't understand EDNS0 (?) My next step would 
> probably be to run a packet trace/capture, although, on the off-chance 
> that it's EDNS0-related, you might try turning that off and see if it 
> makes a difference.
> 
> 
>    - Kevin

	Named logs FORMERR when it receives an unexpected SOA record
	on a response.

	If you delegate to foo.example.net and the nameserver has
	their own copy of example.net rather than foo.example.net
	you will get an unexpected SOA record in the negative
	response.

	Below is an example of such a bad delegation.  The last SOA
	record should be owned by www.lawlink.nsw.gov.au not
	lawlink.nsw.gov.au.  It results in SERVFAIL being returned.

	Mark


; <<>> DiG 9.3.4-P1 <<>> aaaa www.lawlink.nsw.gov.au
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 56606
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.lawlink.nsw.gov.au.		IN	AAAA

;; Query time: 63 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Sep  5 12:01:30 2008
;; MSG SIZE  rcvd: 40

; <<>> DiG 9.3.4-P1 <<>> www.lawlink.nsw.gov.au aaaa +trace
;; global options:  printcmd
.			440024	IN	NS	h.root-servers.net.
.			440024	IN	NS	d.root-servers.net.
.			440024	IN	NS	g.root-servers.net.
.			440024	IN	NS	i.root-servers.net.
.			440024	IN	NS	b.root-servers.net.
.			440024	IN	NS	l.root-servers.net.
.			440024	IN	NS	m.root-servers.net.
.			440024	IN	NS	e.root-servers.net.
.			440024	IN	NS	f.root-servers.net.
.			440024	IN	NS	a.root-servers.net.
.			440024	IN	NS	j.root-servers.net.
.			440024	IN	NS	c.root-servers.net.
.			440024	IN	NS	k.root-servers.net.
;; Received 504 bytes from 127.0.0.1#53(127.0.0.1) in 3 ms

au.			172800	IN	NS	ns1.audns.net.au.
au.			172800	IN	NS	dns1.telstra.net.
au.			172800	IN	NS	sec1.apnic.net.
au.			172800	IN	NS	sec3.apnic.net.
au.			172800	IN	NS	adns1.berkeley.edu.
au.			172800	IN	NS	adns2.berkeley.edu.
au.			172800	IN	NS	audns.optus.net.
au.			172800	IN	NS	aunic.aunic.net.
;; Received 430 bytes from 2001:500:1::803f:235#53(h.root-servers.net) in 244 ms

lawlink.nsw.gov.au.	3600	IN	NS	ns3.uecomm.net.au.
lawlink.nsw.gov.au.	3600	IN	NS	ns1.uecomm.net.au.
lawlink.nsw.gov.au.	3600	IN	NS	ns2.uecomm.net.au.
;; Received 105 bytes from 58.65.255.73#53(ns1.audns.net.au) in 42 ms

www.lawlink.nsw.gov.au.	3600	IN	NS	ns1.lawlink.nsw.gov.au.
www.lawlink.nsw.gov.au.	3600	IN	NS	ns2.lawlink.nsw.gov.au.
;; Received 108 bytes from 203.94.128.54#53(ns1.uecomm.net.au) in 39 ms

lawlink.nsw.gov.au.	86400	IN	SOA	lawlink.nsw.gov.au. administrator.lawlink.nsw.gov.au. 998545544 28800 7200 604800 86400
;; Received 144 bytes from 203.3.186.53#53(ns1.lawlink.nsw.gov.au) in 32 ms

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
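
The check described in the message above, as an added example that is not part of the original post and is not BIND's code: it walks dig +trace output, tracks the deepest delegation on the way to the query name, and reports any SOA owned by a name outside that delegated zone. The function names are hypothetical; BAD_TRACE is abbreviated from the trace in the post and GOOD_TRACE is constructed.

```python
# Added illustration; function names are hypothetical, not BIND internals.

def labels(name):
    """Split a domain name into lowercase labels; the root is []."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []

def at_or_below(name, zone):
    """True if name equals zone or is a subdomain of it."""
    n, z = labels(name), labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z

def misplaced_soas(qname, trace_text):
    """Return (soa_owner, zone_cut) for every SOA outside the delegated zone."""
    cut, findings = ".", []
    for line in trace_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0].startswith(";") or fields[2].upper() != "IN":
            continue  # skip blank lines, dig comments and non-record lines
        owner, rtype = fields[0].lower(), fields[3].upper()
        if rtype == "NS" and at_or_below(owner, cut) and at_or_below(qname, owner):
            cut = owner  # referral: a deeper zone cut on the way to qname
        elif rtype == "SOA" and not (at_or_below(owner, cut) and at_or_below(qname, owner)):
            findings.append((owner, cut))  # SOA belongs to a zone we were not sent to
    return findings

# Abbreviated from the dig +trace output in the post.
REFERRALS = """\
au. 172800 IN NS ns1.audns.net.au.
lawlink.nsw.gov.au. 3600 IN NS ns1.uecomm.net.au.
;; Received 105 bytes from 58.65.255.73#53(ns1.audns.net.au) in 42 ms
www.lawlink.nsw.gov.au. 3600 IN NS ns1.lawlink.nsw.gov.au.
;; Received 108 bytes from 203.94.128.54#53(ns1.uecomm.net.au) in 39 ms
"""
SOA_RDATA = "lawlink.nsw.gov.au. administrator.lawlink.nsw.gov.au. 998545544 28800 7200 604800 86400"
BAD_TRACE = REFERRALS + "lawlink.nsw.gov.au. 86400 IN SOA " + SOA_RDATA + "\n"
# Constructed: the same answer with the SOA owned by the delegated name.
GOOD_TRACE = REFERRALS + "www.lawlink.nsw.gov.au. 86400 IN SOA " + SOA_RDATA + "\n"

if __name__ == "__main__":
    for soa, cut in misplaced_soas("www.lawlink.nsw.gov.au.", BAD_TRACE):
        print("bad delegation: SOA owner %s is outside delegated zone %s" % (soa, cut))
```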

