BIND Workaround for Broken DNS

Crist Clark cjc+bind-users at pumpky.net
Sat Jan 18 06:03:15 UTC 2020


We have a service vendor with broken DNS. It looks like a well-known
problem with F5 load balancers. For the name,

     efederation.wip.ceridian.com (you get redirected there from
https://iam.ceridian.com)

The DNS "servers" return an answer for an A request, but when you ask
for any other record type, they send a name-does-not-exist status,
"NXDOMAIN." Once our caching BIND servers get the NXDOMAIN response,
the A record info doesn't matter anymore. They return NXDOMAIN for an A
record query too.

Yes, yes, I know the Right Answer is to get the vendor to fix their
load balancer. But we get the "it works when we're at home," "it works
with Google/Cloudflare DNS," "it works on my phone when I use mobile
data," so our DNS server must be broken. We have to make it work while
we convince the vendor to fix it.

Is there any way to get BIND to work around this brokenness? Something
like a way to completely turn off caching for a zone? Other ways to
deal with it aside from setting up our own authoritative zone for the
name? Seems like RPZ could do it in similar fashion with just a record
or two. Unfortunately, we don't have an existing RPZ deployed across
the enterprise so it's the same level of effort.

And how can we be the only customer with this problem? Seems like
anyone dual-stacked (even unknowingly so) with a caching DNS server
that follows the rules would be getting killed by the AAAA lookups.

