Macos: cannot do recursive NS lookups
Ondřej Surý
ondrej at isc.org
Wed May 6 03:55:14 UTC 2026
There’s no AA flag in the response and there are RD and RA flags. Hence back to what I wrote earlier - there’s a transparent DNS proxy on your network and your DNS traffic is being intercepted and rewritten.
--
Ondřej Surý (He/Him)
ondrej at isc.org
ADHD brain at work: I sometimes lose track of my inbox. Please feel free to send a gentle nudge if you're waiting on a reply!
My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.
> On 6. 5. 2026, at 2:41, Mark Strohm <markdstrohm at gmail.com> wrote:
> Hello Greg-
>
> Thanks for the reply. I switched named.conf to the Homebrew default,
> set the log severity to debug 11, and monitored with Wireshark.
>
> Two things:
> 1) bind is querying the root servers for something, and getting back
> the list of root servers. Hence some of the "non-improving referral"
> errors.
> 2) For isc.org ns, it receives a very reasonable looking response,
> then declares a "format error". See below.
>
>
> -----
>
> named.conf:
>
> logging {
> category default {
> _default_log;
> };
> channel _default_log {
> file "/usr/local/var/log/named/named.log" versions 10 size 1m;
> severity debug 11;
> print-time yes;
> };
> };
>
> options {
> directory "/usr/local/var/named";
> };
>
> -----
>
> dig @127.0.0.1 isc.org ns:
>
> ; <<>> DiG 9.20.22 <<>> @127.0.0.1 isc.org ns
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 15506
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1232
> ; COOKIE: 12bf134d8ab82a1f0100000069fa702b7af885273613e7a0 (good)
> ;; QUESTION SECTION:
> ;isc.org. IN NS
>
> ;; Query time: 270 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
> ;; WHEN: Tue May 05 15:33:15 PDT 2026
> ;; MSG SIZE rcvd: 64
>
> -----
>
> From the log file:
>
> 05-May-2026 15:33:14.946 sending packet to 51.75.79.143#53
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18818
> ;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 1232
> ; COOKIE: 37203429eaaac686
> ;; QUESTION SECTION:
> ;isc.org. IN NS
>
>
> 05-May-2026 15:33:15.000 received packet from 51.75.79.143#53
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18818
> ;; flags: qr rd ra; QUESTION: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 13
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 1232
> ;; QUESTION SECTION:
> ;isc.org. IN NS
>
> ;; ANSWER SECTION:
> ;isc.org. 253 IN NS nsp.dnsnode.net.
> ;isc.org. 253 IN NS ns.isc.afilias-nst.info.
> ;isc.org. 253 IN NS ns3.isc.org.
> ;isc.org. 253 IN NS ns1.isc.org.
> ;isc.org. 253 IN NS ns2.isc.org.
> ;isc.org. 253 IN RRSIG NS 13 2 7200 (
> ; 20260517224622 20260503222353 27566 isc.org.
> ; TaBtsBPDE7jaRThZXwtEr6AOmhlQ
> ; LVC7OixA12UQGaySbobHaEMAzBWM
> ; s09WxV3Lx/ID0RcXbLQ7Rln2kNT9
> ; iw== )
>
> ;; ADDITIONAL SECTION:
> ;ns1.isc.org. 253 IN A 149.20.2.26
> ;ns1.isc.org. 253 IN AAAA 2001:500:6b:2::26
> ;ns1.isc.org. 253 IN RRSIG A 13 3 7200 (
> ; 20260518111515 20260504104234 27566 isc.org.
> ; rvGvhZFmzoCp+o0sXy48v1z2fAUo
> ; JeNJdvCk9akPpkq/MYcrkP3Zwdwi
> ; Og+rRtnaVdsmVSRZtos9a5zAIM0x
> ; wg== )
> ;ns1.isc.org. 253 IN RRSIG AAAA 13 3 7200 (
> ; 20260518111515 20260504104234 27566 isc.org.
> ; X60RcyIUKZQwOsb5YRHYBJHKMvOF
> ; 6kN1yzW7qjMcu7p+fWV+/DjTG5Sc
> ; ERZeEgz127O7Y8Cf/Cjz4NNgJnQQ
> ; Bg== )
> ;ns2.isc.org. 253 IN A 199.6.1.52
> ;ns2.isc.org. 253 IN AAAA 2001:500:60:d::52
> ;ns2.isc.org. 253 IN RRSIG A 13 3 7200 (
> ; 20260518111759 20260504105029 27566 isc.org.
> ; 9RqgaC0qRsNhr+wnD1NU4pccHyPh
> ; JjSHjjgO2/CalXQzT+KCWc/v4Hic
> ; gcC0eln4YTRQ91N///eXLnTUsD1z
> ; lA== )
> ;ns2.isc.org. 253 IN RRSIG AAAA 13 3 7200 (
> ; 20260518111515 20260504104234 27566 isc.org.
> ; wFxIauHbPMI1ccRccaO0VEzumAhp
> ; xw/T5L3HUKKH2UASaXjc1hU6Kw42
> ; hEYhg2g7uKJ+b3YaH8FD6Babuxwg
> ; iQ== )
> ;ns3.isc.org. 253 IN A 51.75.79.143
> ;ns3.isc.org. 253 IN AAAA 2001:41d0:701:1100::2c92
> ;ns3.isc.org. 253 IN RRSIG A 13 3 7200 (
> ; 20260518111515 20260504104234 27566 isc.org.
> ; QSq3Op3j2mJCrc12Meiz6jYy2B/K
> ; lEHEcWXV3YRuN06uuxpGamhVw0IG
> ; fbru0ZwpNjDMC1FofIITk1zo7hyS
> ; DQ== )
> ;ns3.isc.org. 253 IN RRSIG AAAA 13 3 7200 (
> ; 20260518111515 20260504104234 27566 isc.org.
> ; /9Spkv/tFLBQS+us5Heo4tP9yvkd
> ; tTxbCFfE0kJUPVpQNKA0edC9wTNB
> ; U8NW3nCaOokXCNEC/pxqoRv32I3f
> ; 9g== )
>
>
> 05-May-2026 15:33:15.000 log_ns_ttl: fctx 0x2cfd35000:
> rctx_answer_none: isc.org (in 'isc.org'?): 1 254
> 05-May-2026 15:33:15.000 DNS format error from 51.75.79.143#53
> resolving isc.org/NS for 127.0.0.1#51070: non-improving referral
> 05-May-2026 15:33:15.000 FORMERR resolving 'isc.org/NS/IN': 51.75.79.143#53
>
>
>> Greg Choules <gregchoules at googlemail.com>
>> Hello Mark.
>> I have the current MacOS on Apple Silicon and 9.20.22, installed via Homebrew, and it works for me.
>> Perhaps you could share your config, dig test and results and maybe a pcap.
>>
>> Cheers, Greg
> --
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list.
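An added example (not part of the thread and not BIND code): the flag comparison described in the reply above, run over the header lines of the named debug log quoted in this message. The function names are hypothetical, and the three checks are heuristics that assume a non-recursive query sent to an authoritative-only server.

```python
import re

# Header lines excerpted from the named debug log quoted in the thread.
SAMPLE_LOG = """\
05-May-2026 15:33:14.946 sending packet to 51.75.79.143#53
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18818
;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
05-May-2026 15:33:15.000 received packet from 51.75.79.143#53
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18818
;; flags: qr rd ra; QUESTION: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 13
"""

PACKET = re.compile(r"(sending packet to|received packet from) (\S+)#\d+")
MSG_ID = re.compile(r"->>HEADER<<-.*\bid: (\d+)")
FLAGS = re.compile(r"^;; flags:([^;]*);.*ANSWER: (\d+)")
def parse_packets(log):
    """Yield one dict per packet dump: direction, peer, id, flags, answers."""
    pkt = None
    for line in log.splitlines():
        if m := PACKET.search(line):
            if pkt:
                yield pkt
            pkt = {"sent": m.group(1).startswith("sending"), "peer": m.group(2),
                   "id": None, "flags": set(), "answers": 0}
        elif pkt and (m := MSG_ID.search(line)):
            pkt["id"] = int(m.group(1))
        elif pkt and (m := FLAGS.match(line)):
            pkt["flags"], pkt["answers"] = set(m.group(1).split()), int(m.group(2))
    if pkt:
        yield pkt

def interception_signs(log):
    """Pair each response with its query (peer, id) and list suspicious flags."""
    queries, findings = {}, []
    for p in parse_packets(log):
        key = (p["peer"], p["id"])
        if p["sent"]:
            queries[key] = p
        elif key in queries:
            q, f = queries[key], p["flags"]
            checks = [  # heuristics for a non-recursive query to an authoritative server
                ("rd" in f and "rd" not in q["flags"], "RD set in response but not in query"),
                ("ra" in f, "RA offered by a server queried as authoritative"),
                (p["answers"] > 0 and "aa" not in f, "answers present without AA"),
            ]
            signs = [msg for hit, msg in checks if hit]
            if signs:
                findings.append((p["peer"], p["id"], signs))
    return findings
```

On the excerpt, `interception_signs(SAMPLE_LOG)` reports all three signs for the response from 51.75.79.143 with id 18818.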