parent dns answers the ARR of child dns

Kevin Darcy kcd at
Mon Dec 7 23:10:22 UTC 2009

Tech W. wrote:
> --- On Fri, 4/12/09, Kevin Darcy <kcd at> wrote:
>> From: Kevin Darcy <kcd at>
>> Subject: Re: parent dns answers the ARR of child dns
>> To: bind-users at
>> Received: Friday, 4 December, 2009, 1:56 AM
>> Not only that, but is
>> performing recursion, while not 
>> setting RA in, and not copying RD into, the header of the
>> response.
>> % dig
>> ; <<>> DiG 9.3.0 <<>>
>> ;; global options: printcmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR,
>> id: 593
>> ;; flags: qr aa; QUERY: 1, ANSWER: 3, AUTHORITY: 1,
>> ; IN A
>> 30 IN A
>> 30 IN A
>> 30 IN A
>> I suspect this is YABDLBD (Yet Another Brain-Damaged
>> Load-Balancer 
>> Device). Or a defective DNS proxy.
> Thanks for your answers.
> But is a Windows DNS Server running on MS Advanced Server,
> not a proxy or load-balancer.
>> While the cache is populated with these records, even
>> *non-recursive* 
>> queries will be given this answer directly, instead of a
>> referral. Once 
>> the records time out, referrals are given again.
> Yes I am also confused by this behavior.
> So do you have any suggestion how to resolve it?
> I want, any query to the subzone should be answered by subzone's NS server, not by the parent one.
This can't happen as long as the parent nameserver keeps on recursing 
queries and then responding with cached answers to those 
previously-recursed queries.

This isn't a Microsoft DNS mailing list, and I'm not that familiar with 
Microsoft DNS, so about the only advice I can give you is look through 
the config and see where to turn off recursion completely. If that's not 
possible, because the server also needs to act as a resolver for some 
set of clients, then I don't know how such requirements are met, if at 
all, by Microsoft DNS. I don't think that product has a "view" feature, 
for instance.

Even if Microsoft provides fine-grained control of who can recurse and 
who can't, that alone still might not solve your problem, since you can 
never control if and when one or more of its "authorized" clients may 
look up and then that answer will be cached for 
some period of time. You'd also need, at a bare minimum, fine-grained 
control over who can query the cache (e.g. something analogous to 
allow-query-cache), in order to really pull that off.

- Kevin
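
Added example, not part of Kevin's message or of BIND: a Python check of the header symptoms described in this thread (an answer where a referral is expected, RA clear, RD not copied) for a response a parent-zone server gives to a query for a name in a delegated child zone. The function names and both sample headers are constructed for illustration; the first reuses the id, flags and counts visible in the dig output above, with an assumed additional count of 0 because the output is cut off there.

```python
import struct

# DNS header flag bits (RFC 1035, section 4.1.1)
QR, AA, RD, RA = 0x8000, 0x0400, 0x0100, 0x0080

def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header; reject truncated input."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than its 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {"id": ident, "flags": flags, "rcode": flags & 0x000F,
            "qd": qd, "an": an, "ns": ns, "ar": ar}

def audit_parent_response(query_rd: bool, msg: bytes) -> list:
    """Findings for a parent server's reply about a delegated child name.

    query_rd says whether the query that produced msg had RD set
    (dig sets it by default; +norecurse clears it).
    """
    h = parse_header(msg)
    flags = h["flags"]
    if not flags & QR:
        return ["not-a-response"]
    findings = []
    if query_rd and not flags & RD:
        findings.append("rd-not-copied")           # RD must be echoed back
    if h["rcode"] == 0 and h["an"] > 0:
        findings.append("answer-instead-of-referral")
        if not flags & RA:
            findings.append("answer-with-ra-clear")  # data served, RA denied
    elif h["rcode"] == 0 and h["ns"] > 0 and not flags & AA:
        findings.append("referral")                # expected for a delegation
    return findings

# Constructed sample: id 593, "qr aa", ANSWER 3, AUTHORITY 1 (ARCOUNT assumed 0)
OBSERVED = struct.pack("!6H", 593, QR | AA, 1, 3, 1, 0)
# Constructed sample: a plain referral with RD echoed and no answer records
REFERRAL = struct.pack("!6H", 594, QR | RD, 1, 0, 2, 2)

if __name__ == "__main__":
    print(audit_parent_response(True, OBSERVED))
    print(audit_parent_response(True, REFERRAL))
```

Running the same check with query_rd=False against the parent, before and after the cached records expire, shows whether non-recursive queries are still being answered from cache.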
