BIND 9.21.22 and logging of REFUSED and FORMERR
Carlos Horowicz
carlos at planisys.com
Fri May 29 05:24:04 UTC 2026
Hi there,
Have you tried something like this below?
// goes inside the logging { ... } statement in named.conf
category lame-servers { lame; };
channel lame {
    null;
};
Cheers
-Carlos
On 28/05/2026 22:18, Darren Ankney wrote:
> Hello Steinar,
>
>> If I try 9.21.22 on one of our active resolvers (~ 30k qps or more),
> First, I wanted to point out that 9.21.22 is in the development branch
> and not recommended for production use, in case you didn't know that.
> Second, if you could share your current logging configuration someone
> may be able to assist.
>
> Thank you,
> Darren Ankney
>
> On Thu, May 28, 2026 at 3:37 AM <sthaug at nethelp.no> wrote:
>> I'm testing 9.21.22 here, and getting lots of logging of the type
>> "REFUSED unexpected RCODE resolving ...". Example query which
>> results in such logging is asking a 9.21.22 resolver
>>
>> dig keyvalueservice.fe.apple-dns.net
>>
>> and the resolver logs
>>
>> named[3441]: REFUSED unexpected RCODE resolving 'keyvalueservice.fe.apple-dns.net/A/IN': 2600:9000:5306:2400::1#53
>> named[3441]: REFUSED unexpected RCODE resolving 'keyvalueservice.fe.apple-dns.net/A/IN': 2600:9000:5302:ec00::1#53
>> named[3441]: REFUSED unexpected RCODE resolving 'keyvalueservice.fe.apple-dns.net/A/IN': 2600:9000:5301:1f00::1#53
>> named[3441]: REFUSED unexpected RCODE resolving 'keyvalueservice.fe.apple-dns.net/A/IN': 205.251.198.36#53
>> named[3441]: REFUSED unexpected RCODE resolving 'keyvalueservice.fe.apple-dns.net/A/IN': 205.251.194.236#53
>> named[3441]: REFUSED unexpected RCODE resolving 'keyvalueservice.fe.apple-dns.net/A/IN': 205.251.196.100#53
>> named[3441]: REFUSED unexpected RCODE resolving 'keyvalueservice.fe.apple-dns.net/A/IN': 205.251.193.31#53
>> named[3441]: REFUSED unexpected RCODE resolving 'keyvalueservice.fe.apple-dns.net/A/IN': 2600:9000:5304:6400::1#53
>>
>> If I try 9.21.22 on one of our active resolvers (~ 30k qps or more),
>> there is so much logging of this type that it completely swamps any
>> other logging, making the logging basically unusable. The only way I
>> have found of getting rid of REFUSED logging is to use
>>
>> category default { null; };
>>
>> but that also drops basically *all* other logging, which is not
>> desirable.
>>
>> We have much the same problem with logging of "FORMERR resolving ...".
>> e.g.
>>
>> named[3441]: DNS format error from 2a01:111:4000:f00::f0#53 resolving mr-b01.tm-azurefd.net/HTTPS for 2001:8c0:2002:4:193:69:2:2#13481: Name trafficmanager.net (SOA) not subdomain of zone tm-azurefd.net -- invalid response
>> named[3441]: FORMERR resolving 'mr-b01.tm-azurefd.net/HTTPS/IN': 2a01:111:4000:f00::f0#53
>> named[3441]: DNS format error from 2620:1ec:8ec:f00::f0#53 resolving mr-b01.tm-azurefd.net/HTTPS for 2001:8c0:2002:4:193:69:2:2#13481: Name trafficmanager.net (SOA) not subdomain of zone tm-azurefd.net -- invalid response
>> named[3441]: FORMERR resolving 'mr-b01.tm-azurefd.net/HTTPS/IN': 2620:1ec:8ec:f00::f0#53
>> named[3441]: DNS format error from 2603:1061:0:f00::f0#53 resolving mr-b01.tm-azurefd.net/HTTPS for 2001:8c0:2002:4:193:69:2:2#13481: Name trafficmanager.net (SOA) not subdomain of zone tm-azurefd.net -- invalid response
>> named[3441]: FORMERR resolving 'mr-b01.tm-azurefd.net/HTTPS/IN': 2603:1061:0:f00::f0#53
>> named[3441]: DNS format error from 150.171.16.240#53 resolving mr-b01.tm-azurefd.net/HTTPS for 2001:8c0:2002:4:193:69:2:2#13481: Name trafficmanager.net (SOA) not subdomain of zone tm-azurefd.net -- invalid response
>> named[3441]: FORMERR resolving 'mr-b01.tm-azurefd.net/HTTPS/IN': 150.171.16.240#53
>> named[3441]: DNS format error from 13.107.222.240#53 resolving mr-b01.tm-azurefd.net/HTTPS for 2001:8c0:2002:4:193:69:2:2#13481: Name trafficmanager.net (SOA) not subdomain of zone tm-azurefd.net -- invalid response
>> named[3441]: FORMERR resolving 'mr-b01.tm-azurefd.net/HTTPS/IN': 13.107.222.240#53
>> named[3441]: DNS format error from 150.171.10.240#53 resolving mr-b01.tm-azurefd.net/HTTPS for 2001:8c0:2002:4:193:69:2:2#13481: Name trafficmanager.net (SOA) not subdomain of zone tm-azurefd.net -- invalid response
>> named[3441]: FORMERR resolving 'mr-b01.tm-azurefd.net/HTTPS/IN': 150.171.10.240#53
>>
>> and again the only way I have found of getting rid of these messages
>> (because they're swamping other log messages) is to send category
>> default to null.
>>
>> Any better way of getting rid of such REFUSED and FORMERR logging?
>>
>> Steinar Haug, AS2116
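An added example, not part of the thread and not BIND code: a Python filter that collapses the REFUSED, FORMERR and "DNS format error" lines quoted above into one counted entry per name and type, and passes every other log line through unchanged. The function names and the last sample line are constructed for illustration; the other sample lines are copied from the thread.

```python
import re
from collections import Counter

# Patterns follow the three message shapes quoted in the thread.
RCODE_RE = re.compile(
    r"named\[\d+\]: (?P<rcode>[A-Z]+) (?:unexpected RCODE )?resolving "
    r"'(?P<name>[^/']+)/(?P<rtype>[^/']+)/[^/']+': (?P<server>\S+)#\d+$")
FORMAT_ERR_RE = re.compile(
    r"named\[\d+\]: DNS format error from (?P<server>\S+)#\d+ resolving "
    r"(?P<name>[^/ ]+)/(?P<rtype>\S+) for \S+: .+$")

def summarize(lines):
    """Return (counts, servers, passthrough): the flood collapsed to one
    entry per (kind, name, type), and every other line left untouched."""
    counts, servers, passthrough = Counter(), {}, []
    for raw in lines:
        line = raw.rstrip()
        m = RCODE_RE.search(line)
        kind = m["rcode"] if m else None
        if m is None:
            m = FORMAT_ERR_RE.search(line)
            kind = "format-error" if m else None
        if m is None:
            passthrough.append(line)  # not resolver noise: keep verbatim
            continue
        key = (kind, m["name"], m["rtype"])
        counts[key] += 1
        servers.setdefault(key, set()).add(m["server"])
    return counts, servers, passthrough

def report(counts, servers):
    """One summary line per collapsed entry, most frequent first."""
    return [f"{n}x {key[0]} {key[1]}/{key[2]} from {len(servers[key])} server(s)"
            for key, n in counts.most_common()]

# Sample input: four lines copied from the thread plus one constructed
# non-resolver line showing that unrelated messages pass through.
SAMPLE = [
    "named[3441]: REFUSED unexpected RCODE resolving 'keyvalueservice.fe.apple-dns.net/A/IN': 2600:9000:5306:2400::1#53",
    "named[3441]: REFUSED unexpected RCODE resolving 'keyvalueservice.fe.apple-dns.net/A/IN': 205.251.198.36#53",
    "named[3441]: DNS format error from 150.171.16.240#53 resolving mr-b01.tm-azurefd.net/HTTPS for 2001:8c0:2002:4:193:69:2:2#13481: Name trafficmanager.net (SOA) not subdomain of zone tm-azurefd.net -- invalid response",
    "named[3441]: FORMERR resolving 'mr-b01.tm-azurefd.net/HTTPS/IN': 150.171.16.240#53",
    "named[3441]: zone example.test/IN: loaded serial 1",  # constructed
]

if __name__ == "__main__":
    counts, servers, passthrough = summarize(SAMPLE)
    print("\n".join(report(counts, servers) + passthrough))
```

Run over a log file or a syslog pipe, this keeps the per-name failure counts and the set of upstream servers involved without discarding unrelated messages.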