Understanding cause of DNS format error (FORMERR)

Carsten Strotmann (private) cas at strotmann.de
Sun Jun 24 07:45:34 UTC 2012



Hello Gabriele,

On 6/24/12 5:57 AM, Gabriele Paggi wrote:
> Hello Carsten,
> 
> Thanks for your reply!
>> about the FORMERR. This might be caused by a Firewall or other 
>> middlebox that truncates the large answer containing the NS
>> record set for this domain.
>> 
>> I see the same if I try to fetch the delegation NS records from
>> the parent domain (microsoft.com) for
>> partners.extranet.microsoft.com:
> That doesn't explain why I get a correct reply to my query if I use
> a Windows DNS or one of the Google DNS (what software do they run?)
> or my home ISP DNS (UPC, Netherlands).

What we see is that we get different responses for the NS record set
for "partners.extranet.microsoft.com":

1) a list of 4 NS records (dns10/11/12/13.one.microsoft.com) with
public routable IPv4 addresses, answer size is around 200 bytes

2) a list of 18 NS records
(xxxx-ptnr-dc-02.partners.extranet.microsoft.com.) with private RFC
1918 addresses and an answer size of above 800 bytes. These are
internal domain controllers.

The answer size of 800 bytes can create the FORMERR issue.

I'm using BIND 9.9.1(-P1) and Unbound 1.4.17 here. Today I'm getting
answer type 1) from my home and also from a machine in the datacenter;
yesterday I saw answer type 2) and the FORMERR.

The FORMERR I'm seeing is also quite odd, as it has the "AD" flag set,
which should normally not appear in an error type of response, but
might be caused by a mangled DNS packet:

;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 30679
;; flags: qr rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

I have no explanation of this issue at the moment.

To my knowledge Google is using a homegrown DNS resolver, not BIND.

Best regards

Carsten Strotmann

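An added example, not part of the original message or of BIND: a standard-library Python triage of a raw DNS response that decodes the header quoted above and reports the two oddities discussed in the thread, AD set on an error response and a body holding fewer records than the header counts claim. The sample packets are constructed from the quoted header values; the function names, the OPT record and the cut-off variant are assumptions made for illustration.

```python
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
FLAGS = {"qr": 15, "aa": 10, "tc": 9, "rd": 8, "ra": 7, "ad": 5, "cd": 4}  # bit positions

def parse_header(msg):
    """Decode the fixed 12-byte DNS header (RFC 1035, section 4.1.1)."""
    ident, bits, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {"id": ident, "rcode": RCODES.get(bits & 0xF, str(bits & 0xF)),
            "flags": [n for n, b in FLAGS.items() if bits >> b & 1], "counts": (qd, an, ns, ar)}

def skip_name(msg, off):  # returns the offset just past the name that starts at off
    while off < len(msg):
        if msg[off] == 0:                   # root label terminates the name
            return off + 1
        if msg[off] & 0xC0 == 0xC0:         # compression pointer ends the name
            return off + 2
        off += 1 + msg[off]
    raise ValueError("name runs past end of message")

def records_present(msg):
    """Walk the body and count the resource records that are really there."""
    qd, an, ns, ar = parse_header(msg)["counts"]
    off, found = 12, 0
    try:
        for _ in range(qd):
            off = skip_name(msg, off) + 4   # QTYPE + QCLASS
        for _ in range(an + ns + ar):
            off = skip_name(msg, off)       # then TYPE, CLASS, TTL, RDLENGTH
            off += 10 + struct.unpack("!H", msg[off + 8:off + 10])[0]
            if off > len(msg):
                break
            found += 1
    except (ValueError, struct.error):
        pass                                # body ended early: stop counting
    return found

def triage(msg):
    h, notes = parse_header(msg), []
    if h["rcode"] != "NOERROR" and "ad" in h["flags"]:
        notes.append("AD set on %s response" % h["rcode"])
    claimed, found = sum(h["counts"][1:]), records_present(msg)
    if found < claimed and "tc" not in h["flags"]:
        notes.append("header claims %d records, body holds %d, TC clear" % (claimed, found))
    return notes

# Constructed samples: header values as quoted in the message (qr rd ad, FORMERR, 1/0/0/1).
HEADER = struct.pack("!6H", 30679, 0x8121, 1, 0, 0, 1)
QUESTION = b"\x08partners\x08extranet\x09microsoft\x03com\x00" + struct.pack("!2H", 2, 1)
OPT = b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0)     # assumed EDNS OPT record
INTACT, CUT = HEADER + QUESTION + OPT, HEADER + QUESTION  # CUT: additional record lost
```

Feeding `triage()` the payload bytes of a captured response (without the UDP/IP headers) gives the same report for real traffic.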



More information about the bind-users mailing list