Hell breaks loose in the afternoon with format error from X.X.X.X#53 resolving ./NS: non-improving referral

Reindl Harald h.reindl at thelounge.net
Fri May 6 07:45:03 UTC 2022



On 06.05.22 at 08:19, Bjørn Mork wrote:
> Mark Andrews <marka at isc.org> writes:
> 
>> It’s a long known issue with so called “Transparent” DNS
>> proxies/accelerators/firewalls.  Iterative resolvers expect to talk to
>> authoritative servers.  They ask questions differently to the way they
>> do when they talk to a recursive server.  Answers from different
>> levels of the DNS hierarchy for the same question are different.  If
>> you just cache and return the previous answer you break iterative
>> lookups.  The answers from recursive servers are different to those
>> from authoritative servers.
>>
>> You get the same sort of problem in many hotels if you have an
>> iterative resolver on your portable devices.  Switching named to use a
>> public recursive server that supports DNSSEC in forward only mode
>> helps sometimes.  It really depends on what the middleware is doing.
> 
> How about configuring forwarder(s) if you have to operate a resolver in
> such an environment?  Hoping that the answer from the intercepting
> server isn't too different from what you'd expect from a forwarder

the problem is that this middleware crap operates on the protocol level

in the past our CISCO ISP router with "DNS ALG" even rewrote zone 
transfers and invented a zero TTL for each and every CNAME it saw

means our secondary nameserver had completely different zone files than 
the master

you don't expect that, and watching a zone transfer on both ends with 
wireshark solved that riddle

so from the moment some device thinks it's smart about DNS, you are lost
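One way to do the "watch a zone transfer on both ends" check described above, as an added example that is not part of the thread: take a `dig axfr` capture of the same zone on the master and on the secondary and report records whose TTL was rewritten in flight. The two captures below are constructed (a zone under example.test) and mimic the zero-TTL CNAME rewrite the reply describes.

```python
"""Diff two AXFR captures (dig-style output from master and secondary)
and flag records that a middlebox altered in transit. Added example; zone data is constructed."""
import re

# dig presentation line: OWNER TTL CLASS TYPE RDATA (class assumed to be IN)
_RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+?)\s*$")


def parse_axfr(text):
    """Map (owner, type, rdata) -> TTL, skipping comments and blank lines."""
    rrs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = _RR.match(line)
        if m:
            name, ttl, rtype, rdata = m.groups()
            rrs[(name.lower(), rtype.upper(), rdata)] = int(ttl)
    return rrs


def compare_transfer_ends(master_text, secondary_text):
    """Return (kind, key, master_ttl, secondary_ttl) for every record that differs."""
    master, secondary = parse_axfr(master_text), parse_axfr(secondary_text)
    findings = []
    for key in sorted(set(master) | set(secondary)):
        if key not in secondary:
            findings.append(("missing-on-secondary", key, master[key], None))
        elif key not in master:
            findings.append(("extra-on-secondary", key, None, secondary[key]))
        elif master[key] != secondary[key]:
            findings.append(("ttl-rewritten", key, master[key], secondary[key]))
    return findings


# Constructed capture as seen on the master.
MASTER_AXFR = """\
; <<>> DiG 9.16 <<>> axfr example.test
example.test.      3600 IN SOA ns1.example.test. hostmaster.example.test. 2022050601 7200 3600 1209600 3600
example.test.      3600 IN NS ns1.example.test.
www.example.test.  3600 IN CNAME web.example.test.
web.example.test.  3600 IN A 192.0.2.10
"""
# Constructed capture as seen on the secondary: every CNAME arrived with TTL 0.
SECONDARY_AXFR = re.sub(r"(\S+\s+)3600(\s+IN\s+CNAME)", r"\g<1>0\2", MASTER_AXFR)

if __name__ == "__main__":
    for kind, (name, rtype, rdata), m_ttl, s_ttl in compare_transfer_ends(MASTER_AXFR, SECONDARY_AXFR):
        print(f"{kind}: {name} {rtype} {rdata} master={m_ttl} secondary={s_ttl}")
```

Any "ttl-rewritten" line for a record that is identical on both ends is direct evidence of something between the two servers touching the transfer.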

