Hell breaks loose in the afternoon with format error from X.X.X.X#53 resolving ./NS: non-improving referral
Bjørn Mork
bjorn at mork.no
Fri May 6 06:19:18 UTC 2022
Mark Andrews <marka at isc.org> writes:
> It’s a long-known issue with so-called “Transparent” DNS
> proxies/accelerators/firewalls. Iterative resolvers expect to talk to
> authoritative servers. They ask questions differently to the way they
> do when they talk to a recursive server. Answers from different
> levels of the DNS hierarchy for the same question are different. If
> you just cache and return the previous answer you break iterative
> lookups. The answers from recursive servers are different to those
> from authoritative servers.
>
> You get the same sort of problem in many hotels if you have an
> iterative resolver on your portable devices. Switching named to use a
> public recursive server that supports DNSSEC in forward only mode
> helps sometimes. It really depends on what the middleware is doing.
How about configuring forwarder(s) if you have to operate a resolver in
such an environment? Hoping that the answer from the intercepting
server isn't too different from what you'd expect from a forwarder.
Bjørn
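A triage sketch for the log message in this thread's subject line, added here as an example and not part of either poster's message: it groups "non-improving referral" errors by upstream address, since the same error from several unrelated servers fits the intercepting-middlebox case described above better than a single misconfigured zone. The log lines are constructed, and the `min_servers` threshold and the optional "for ..." log variant are assumptions.

```python
import re
from collections import defaultdict

# Matches the named message quoted in the subject line of this thread.
# The optional " for <client>" part is an assumption about log variants.
PATTERN = re.compile(
    r"format error from (?P<server>[0-9A-Fa-f.:]+)#(?P<port>\d+) "
    r"resolving (?P<qname>\S+?)/(?P<qtype>[A-Z0-9]+)"
    r"(?: for \S+)?: non-improving referral"
)

# Constructed sample log lines (documentation addresses, not real servers).
SAMPLE_LOG = """\
May  6 14:01:07 host named[1234]: DNS format error from 192.0.2.1#53 resolving ./NS: non-improving referral
May  6 14:01:07 host named[1234]: DNS format error from 198.51.100.7#53 resolving ./NS: non-improving referral
May  6 14:01:08 host named[1234]: DNS format error from 203.0.113.9#53 resolving com/NS: non-improving referral
May  6 14:01:09 host named[1234]: DNS format error from 192.0.2.1#53 resolving example.com/A: non-improving referral
May  6 14:01:10 host named[1234]: zone example.org/IN: loaded serial 2022050601
"""


def summarize(log_text, min_servers=3):
    """Group non-improving-referral errors by upstream server address.

    min_servers is a hypothetical threshold: the same error from that many
    unrelated addresses points at the network path, not at one broken zone.
    """
    by_server = defaultdict(set)
    for line in log_text.splitlines():
        m = PATTERN.search(line)
        if m:
            by_server[m["server"]].add(f'{m["qname"]}/{m["qtype"]}')
    return {
        "servers": {s: sorted(q) for s, q in by_server.items()},
        "path_wide": len(by_server) >= min_servers,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for server, queries in sorted(report["servers"].items()):
        print(f"{server}: {', '.join(queries)}")
    print("errors span several upstream servers:", report["path_wide"])
```
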
More information about the bind-users mailing list