DNS resolution failure - FORMERR

Eric Swenson eric at swenson.org
Tue May 5 17:24:20 UTC 2009


I'm seeing lots of DNS resolution failures on my router (running Ubuntu
8.10, bind 9.3.4).  While most succeed, I get quite a few FORMERR errors
similar to:
May  4 20:25:25 localhost named[19579]: FORMERR resolving 'imap.gmail.com/A/IN': 66.151.140.2#53
May  4 20:25:25 localhost named[19579]: FORMERR resolving 'imap.gmail.com/A/IN': 192.168.3.1#53
May  4 20:25:25 localhost named[19579]: FORMERR resolving 'imap.gmail.com/A/IN': 192.112.36.4#53
May  4 20:25:25 localhost named[19579]: FORMERR resolving 'imap.gmail.com/A/IN': 128.63.2.53#53
May  4 20:25:25 localhost named[19579]: FORMERR resolving 'imap.gmail.com/A/IN': 192.228.79.201#53
May  4 20:25:25 localhost named[19579]: FORMERR resolving 'imap.gmail.com/A/IN': 192.36.148.17#53
May  4 20:25:25 localhost named[19579]: FORMERR resolving 'imap.gmail.com/A/IN': 202.12.27.33#53
May  4 20:25:25 localhost named[19579]: FORMERR resolving 'imap.gmail.com/A/IN': 192.33.4.12#53
May  4 20:25:25 localhost named[19579]: FORMERR resolving 'imap.gmail.com/A/IN': 192.5.5.241#53
May  4 20:25:25 localhost named[19579]: FORMERR resolving 'imap.gmail.com/A/IN': 192.58.128.30#53
May  4 20:25:25 localhost named[19579]: FORMERR resolving 'imap.gmail.com/A/IN': 128.8.10.90#53
May  4 20:25:25 localhost named[19579]: FORMERR resolving 'imap.gmail.com/A/IN': 198.41.0.4#53
May  4 20:25:25 localhost named[19579]: FORMERR resolving 'imap.gmail.com/A/IN': 192.203.230.10#53
May  4 20:25:25 localhost named[19579]: FORMERR resolving 'imap.gmail.com/A/IN': 193.0.14.129#53
May  4 20:25:25 localhost named[19579]: FORMERR resolving 'imap.gmail.com/A/IN': 199.7.83.42#53

I'm running an iptables firewall on this box, which is connected to the
internet via a wireless access point on my roof with a link to my ISP.  As a
result of the above FORMERRs, clients on my lan are unable to resolve
addresses -- in the above case, imap.gmail.com, and therefore are unable to
access mail.  Upon the recommendations of someone familiar with the relevant
technologies, I've updated my DNS (named.conf) to set the edns-udp-size 500
option.  This had no effect.

If I use dig to resolve imap.gmail.com manually, by specifying any of the
above-mentioned DNS servers, everything works fine.  Also, when clients
within my network fail to have imap.gmail.com resolve, I can "fix" things
for a short while, by simply issuing the following:

nslookup
set querytype=ns
gmail.com.
lserver <whatever-the-ns-server-is-for-gmail.com>
set querytype=a
imap.gmail.com

Once I've done the above, my DNS server caches the A record for
imap.gmail.com and happily hands it out until the cache time is exceeded,
when I'm back getting FORMERRs and failing to resolve imap.gmail.com.

There are other addresses than imap.gmail.com that cannot be resolved due to
FORMERRs, but this domain name is the most prevalent, and most annoying,
since it prevents users within my network from getting mail.

Since I can force my DNS to resolve these addresses by issuing the above
queries, I'm wondering if the problem is due to having the following in my
named.conf:

 forwarders {
         192.168.3.1;
         66.151.140.2;
 };

My ISP provides the above two DNS servers and I have mine delegating to
theirs.  Perhaps one of these two DNS servers (or any that they forward to)
is having problems (perhaps no EDNS0 support?), which causes the FORMERRs to
be reported by my DNS server.

I haven't yet tried removing the forwarders.  I figured this was not the
issue because the FORMERR log messages suggest (to me) that my DNS is trying
to contact the root servers itself (and not relying on the downstream DNS
servers to do so).

Does anyone have ideas about what is going on?

Thanks much. -- Eric
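Added example, not part of the post and not BIND's own code: a small Python parser over constructed log lines in the same format as the FORMERR messages above. It counts failures per upstream server and per queried name, and splits them into those returned by the two forwarders from the quoted named.conf and those from any other server, which is the question the post raises about whether named is going to the root servers itself. The sample lines and the FORWARDERS set are assumptions built from the post's own values.

```python
import re
from collections import Counter

# BIND's resolver FORMERR message, one per line:
#   "named[PID]: FORMERR resolving 'NAME/TYPE/CLASS': SERVER#PORT"
FORMERR_RE = re.compile(
    r"named\[\d+\]: FORMERR resolving "
    r"'(?P<name>[^/']+)/(?P<rtype>[^/']+)/(?P<rclass>[^']+)': "
    r"(?P<server>[0-9A-Fa-f.:]+)#(?P<port>\d+)")

# The two forwarders from the named.conf quoted in the post (assumption).
FORWARDERS = {"192.168.3.1", "66.151.140.2"}
# Constructed sample lines in the shape of the post's syslog output.
SAMPLE_LOG = """\
May  4 20:25:25 localhost named[19579]: FORMERR resolving 'imap.gmail.com/A/IN': 66.151.140.2#53
May  4 20:25:25 localhost named[19579]: FORMERR resolving 'imap.gmail.com/A/IN': 192.168.3.1#53
May  4 20:25:25 localhost named[19579]: FORMERR resolving 'imap.gmail.com/A/IN': 198.41.0.4#53
May  4 20:25:26 localhost named[19579]: FORMERR resolving 'smtp.gmail.com/A/IN': 192.168.3.1#53
May  4 20:25:27 localhost named[19579]: running
"""

def parse_formerr(line):
    """Fields of one FORMERR line as a dict, or None for any other line."""
    m = FORMERR_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec

def summarize(log_text, forwarders=FORWARDERS):
    """Count FORMERRs per upstream server and per name, split into those from
    a configured forwarder and those from any other server.  A non-zero
    'direct' count means named also queried root/authoritative servers itself,
    which BIND's default 'forward first' allows once the forwarders fail."""
    by_server, by_name = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_formerr(line)
        if rec is None:
            continue
        by_server[rec["server"]] += 1
        by_name[rec["name"]] += 1
    via_forwarders = sum(n for s, n in by_server.items() if s in forwarders)
    return {"by_server": by_server, "by_name": by_name,
            "via_forwarders": via_forwarders,
            "direct": sum(by_server.values()) - via_forwarders}

if __name__ == "__main__":
    for server, count in sorted(summarize(SAMPLE_LOG)["by_server"].items()):
        print(f"{server:>15}  {count}")
```

Run it against the real syslog (after joining any wrapped lines) to see whether the failures come only from the forwarders or also from servers named contacted directly.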