how does BIND resolvers pick the authoritative servers to query

Shawn Zhou shawnzhou00 at
Wed May 9 00:12:31 UTC 2018

I am seeing occasional SERVFAILs when I flush BIND cache then run test queries with dig.
Can someone let me know how BIND picks the authoritative server to query?

>From what I know, BIND picks an authoritative server by assign random RTT to authoritative servers then queries the one with smallest RTT. If BIND picks an ipv6 authoritative server, and it can't reach it due to iptables/networking route and etc. Will it try the next authoritative which maybe an ipv4 authoritative server?

The particular record that I have problems is which has two auths ( and Both of these auths have ipv4 and ipv6 address. This is how to run my tests:
for i in {1..10}; do rndc flush; dig @localhost; sleep 3; done |grep -i status
I wonder the SERVFAILs I see is due BIND picks the ipv6 auth which is not reachable and causes SERVFAILs.

After I updated BIND (9.11.2) to only do ipv4, my test queries went fine without issues.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the bind-users mailing list