Macos: cannot do recursive NS lookups

Ondřej Surý ondrej at isc.org
Wed May 6 06:31:17 UTC 2026 

Sure,

dig +norec +qr www.isc.org @149.20.2.26

; <<>> DiG 9.21.22-dev <<>> +norec +qr www.isc.org @149.20.2.26
;; global options: +cmd
;; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11462
;; flags: ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 03b89b35f17f0be3
;; QUESTION SECTION:
;www.isc.org.                   IN      A

;; QUERY SIZE: 52

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11462
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 03b89b35f17f0be30100000069fae02da0c9f2162bb26ae2 (good)
;; QUESTION SECTION:
;www.isc.org.                   IN      A

;; ANSWER SECTION:
www.isc.org.            300     IN      CNAME   isc.map.fastlydns.net.

;; Query time: 164 msec
;; SERVER: 149.20.2.26#53(149.20.2.26) (UDP)
;; WHEN: Wed May 06 08:31:10 CEST 2026
;; MSG SIZE  rcvd: 103

--
Ondřej Surý (He/Him)
ondrej at isc.org

ADHD brain at work: I sometimes lose track of my inbox. Please feel free to send a gentle nudge if you're waiting on a reply!

My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.

> On 6. 5. 2026, at 8:26, Mark Strohm <markdstrohm at gmail.com> wrote:
> 
> Can you think of anything in very recent versions of bind that might
> have triggered this?
> 
> The problem appeared on startup when I switched in the latest
> versions,  It was not present  before (I checked the log files).
> These systems were working correctly for seven years with the same
> network provider.
> 
> Can you suggest a test to confirm the rewriting?
> 
> Thank you very much.
> 
> 
>> Ondřej Surý <ondrej at isc.org>
>> 8:55 PM (1 hour ago)
> t> to me, bind-users
>> 
>> There’s no AA flag in the response in the response and there are RD and RA flags. Hence bácl to what I wrote earlier - there’s transparent DNS proxy on your network ne your DNS traffic is being intercepted and rewritten.
>> --
>> Ondřej Surý (He/Him)
>> ondrej at isc.org
> -- 
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list.

More information about the bind-users mailing list