resolver: DNS format errors

Alex mysqlstudent at gmail.com
Thu Sep 7 18:40:55 UTC 2023


Hi,

I have a fedora38 server with bind-9.18.17 and am receiving the following log
entries for virtually every query (where "mykey" is my registered spamhaus
DQS key):
07-Sep-2023 14:30:13.608 lame-servers: FORMERR resolving 'mykey.hbl.dq.spamhaus.net/NS/IN': 66.42.94.100#53
07-Sep-2023 14:30:13.625 resolver: DNS format error from 143.215.143.8#53 resolving mykey.hbl.dq.spamhaus.net/NS for <unknown>: reply has no answer
07-Sep-2023 14:30:13.625 lame-servers: FORMERR resolving 'mykey.hbl.dq.spamhaus.net/NS/IN': 143.215.143.8#53
07-Sep-2023 14:30:13.628 lame-servers: success resolving 'psnobcays3v2r52vapfv5fgvr6pgd6znvuzyhe5ktid3ty3oai4q._file.mykey.hbl.dq.spamhaus.net/A' after disabling qname minimization due to 'failure'

07-Sep-2023 14:39:30.214 lame-servers: success resolving '22.10.223.192.bl.spamcop.net/A' after disabling qname minimization due to 'ncache nxdomain'

For some reason my config isn't ignoring the lame-servers category, but those
entries do look relevant and related to the resolver errors.

I've tried to experiment with including "minimal-responses yes;" in my
config, based on some reading about a similar issue years ago, but it
doesn't change anything. This nameserver provides DNS across a VPN link to
a remote system on a cable modem because having the server (also fedora38)
query DNS directly on a cable modem was resulting in some other weird
errors.

Any ideas greatly appreciated.

// Address match list of the clients allowed to use this resolver; the
// options block applies it through allow-query and allow-query-cache.
// Matching is on source address only, which plain UDP queries do not
// authenticate, so the list is only as strong as the network path.
acl "trusted" {
        { 127/8; };               // loopback
        { 68.195.44.40/29; };     // NOTE(review): presumably the remote site's range; confirm
        { 147.135.111.126; };     // the server's own address, also used in listen-on
};
// Global server options: a recursive resolver restricted to the "trusted" acl.
options {
        // Listens on loopback and one non-loopback IPv4 address; IPv6 is off.
        listen-on port 53 { 127.0.0.1; 147.135.111.126; };
        listen-on-v6 port 53 { none; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        secroots-file   "/var/named/data/named.secroots";
        recursing-file  "/var/named/data/named.recursing";
        // Queries and cache access are limited to the "trusted" acl.
        // allow-recursion is not set here; BIND then derives it from
        // allow-query-cache, so recursion is limited to the same list.
        allow-query     { trusted; };
        allow-query-cache { trusted; };
        // Trims the authority/additional sections of responses this server
        // sends; it does not change how replies from upstream servers are
        // parsed, which is where the FORMERR entries are logged.
        minimal-responses yes;
        recursion yes;
        // NOTE(review): qname-minimization is not set, so the BIND 9.18
        // default (relaxed) applies; the "after disabling qname minimization"
        // log entries come from that fallback. Confirm before changing it.
        managed-keys-directory "/var/named/dynamic";
        geoip-directory "/usr/share/GeoIP";
        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
        // NOTE(review): pulls in the system crypto policy fragment; its
        // contents are not shown in this post.
        include "/etc/crypto-policies/back-ends/bind.config";
};
// Logging: every category without its own statement goes to named_debug;
// client queries go to query_info.
logging {
        // Defined here but not referenced by any category statement in this block.
        channel default_debug {
                file "data/named.run";     // relative to the "directory" option
                severity dynamic;
        };
        channel named_debug {
                severity dynamic;          // follows the server's current debug level
                file "/var/log/named.debug.log" versions 2 size 100m;
                print-time yes;
                print-category yes;        // why entries carry "lame-servers:" / "resolver:" prefixes
        };
        // Catch-all: lame-servers and resolver have no statement of their own,
        // so their messages land here. Routing one elsewhere needs an explicit
        // statement, e.g. category lame-servers { null; }; to discard it.
        category default { named_debug; };
        channel query_info {
           severity info;
           file "/var/log/named.query.log" versions 3 size 5m;
           print-time yes;
           print-category yes;
         };
         // Both log files can contain full query names. DQS lookups carry the
         // account key as a label of the name, so keep these files readable
         // only by the account named runs as and by administrators, and
         // redact the key before posting excerpts.
         category queries { query_info; };
};
// Root hints: the initial list of root name servers, read from named.ca
// (a relative path, resolved against the "directory" option).
zone "." IN {
        type hint;
        file "named.ca";
};
// Additional configuration read from separate files; their contents are
// not shown in this post.
// NOTE(review): by its name, named.root.key presumably holds the root
// zone trust anchor used for DNSSEC validation; confirm.
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";