FORMERR resolving

root root at lautenbacher.biz
Tue Nov 11 10:05:15 UTC 2008


Hello Chris,

thank you once again for the help you provide me!

> FORMERR means "FORMat ERRor", meaning that the request received by the
> other server was either not recognized or completely invalid. This is
> why I suggested some firewall was mangling your requests. For example,
> it could be that the firewall is misbehaving when your server sends an
> EDNS-enabled request. This part of the question should go back to the
> list for more assistance.

OK, thanks to your hint, I solved the problem!
Indeed, it was a firewall that made the disturbance. But it turned out that
it was not the fault of my local firewall in my network over here, but the
firewall of a remote network...

For anybody who is interested:
I have two Endian Firewalls, which are functioning as gateways/firewalls in
two geographically separated networks. Each of the networks has its own
DHCP. Last week I had permanently linked the two networks via VPN.
Unfortunately I had forgotten to activate the DHCP-filter on one of the two
Endian Firewalls, resulting in the unwanted situation of having two
DHCP-servers in one network, each of them claiming to be the
authoritative one (=the primary). The result was that the DHCP queries of
my network over here (the one with the DNS having all those FORMERRs) were
answered by the DHCP server of the remote network, which has quite different
DNS/gateway settings than the one over here. Further, all the traffic from
here was sent over to the other gateway so that it left towards the internet
from there, instead of leaving directly from over here.
As soon as I activated the DHCP-filter between both VPN-linked networks, the
clients over here used the local DHCP-server, which has the correct
DNS/gateway settings. Since then I have had no more FORMERRs...
 
> Regarding forwarding, you don't need to forward at all. Forwarding
> means that your server sends a recursive query to another server.
> Without forwarding, your server sends iterative queries, which might
> be answered by a referral to another server. Your server should be
> perfectly capable of following up, resending the query to the server
> (or servers) listed in the referral. This process is called recursive
> resolution.
> 
> If you remove the options "forward" and "forwarders" and just list the
> root hint zone, and also if you have no zones of type forward, then
> your server will not forward. Instead, it will do the heavy lifting,
> the recursive resolution. This is usually better and more reliable.

I understood. I deactivated the "forwarders:...." section in my named.conf.
Thank you for this advice!

Best regards and thank you very much!
Tom
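
The situation described in this message (two DHCP servers answering on one VPN-bridged segment, each handing out different DNS/gateway settings) can be spotted by comparing the DHCPOFFERs seen on the wire. The following is an added example, not part of the original post: it assumes the input is raw UDP payloads captured on the DHCP client port, and the function names and all addresses (documentation ranges) are constructed for illustration.

```python
import socket
import struct

MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie after the 236-byte BOOTP header

def parse_offer(payload):
    """Return server id, routers and DNS servers from a DHCPOFFER, else None."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        return None
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:       # 255 = end option
        if payload[i] == 0:                             # 0 = pad, no length byte
            i += 1
            continue
        if i + 2 > len(payload) or i + 2 + payload[i + 1] > len(payload):
            return None                                 # truncated option
        code, length = payload[i], payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    # option 53 = message type (2 = OFFER), option 54 = server identifier
    if opts.get(53) != b"\x02" or len(opts.get(54, b"")) != 4:
        return None
    def addrs(code):
        raw = opts.get(code, b"")
        return [socket.inet_ntoa(raw[j:j + 4]) for j in range(0, len(raw) - 3, 4)]
    # option 3 = routers (gateway), option 6 = DNS servers
    return {"server": addrs(54)[0], "routers": addrs(3), "dns": addrs(6)}

def competing_servers(payloads):
    """Map each answering DHCP server to the (routers, dns) it hands out."""
    offers = filter(None, map(parse_offer, payloads))
    return {o["server"]: (o["routers"], o["dns"]) for o in offers}

def build_offer(server, router, dns):
    """Constructed sample DHCPOFFER payload (test data only)."""
    ip = socket.inet_aton
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, 0x1234, 0, 0,
                         ip("0.0.0.0"), ip("192.0.2.50"), ip(server),
                         ip("0.0.0.0"), b"\xaa" * 6, b"", b"")
    return (header + MAGIC + b"\x35\x01\x02" + b"\x36\x04" + ip(server)
            + b"\x03\x04" + ip(router) + b"\x06\x04" + ip(dns) + b"\xff")

# Constructed offers: the local server and a remote one leaking over the VPN
SAMPLE = [build_offer("192.0.2.1", "192.0.2.1", "192.0.2.1"),
          build_offer("198.51.100.1", "198.51.100.1", "198.51.100.53")]

if __name__ == "__main__":
    for server, (routers, dns) in competing_servers(SAMPLE).items():
        print(f"DHCP server {server}: routers={routers} dns={dns}")
```

More than one key in the returned mapping means more than one server is answering on the segment; differing router or DNS values show which clients would be steered through the other site.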



