Server Fail and a non-recursive server
James Raftery
james-bind-users at now.ie
Thu Mar 1 20:12:20 UTC 2001
On Thu, Mar 01, 2001 at 02:47:47PM -0500, Don Robertson wrote:
> It needs only be authoritative for its own zones, so we have recursion turned
> off and no 'hints' file.
[snip]
> The problem is that we keep getting requests for domains that we are not
> hosting. These requests are reoccurring and we believe this is because BIND
> answers them with a "Server Fail" rather than a "NXDOMAIN" (name error).
NXDOMAIN means something different. It means that no records of any type
exist for the name queried. Only a server authoritative for the relevant
zone, or a resolver which has contacted an authoritative server, should
return NXDOMAIN for a query.
> 1) Is there a way to configure BIND 8.2.3 so that it will be non-recursive,
> yet not return server fail responses when it gets a domain name that it
> doesn't know about, putting out NXDOMAIN instead?
Not NXDOMAIN. You're giving out SERVFAIL because your server wants to
give a referral in its response but it can't because it doesn't have a
view of the root servers. Give it the root hints file. It will respond
with a referral to the root. This is The Right Thing To Do (tm).
> 2) Do these server fail messages really cause the requesting servers to keep
> trying?
Yes.
> 3) Any idea why we keep getting requests for these domains (with illegal
> underscore characters in them)?:
Microsoft Active Directory.
james
--
James Raftery (JBR54)
"It's somewhere in the Red Hat district" -- A network engineer's
freudian slip when talking about Amsterdam's nightlife at RIPE 38.
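
Added example, not part of the original message or of BIND: a small Python classifier that tells the three outcomes discussed in this thread apart (SERVFAIL, a referral, and NXDOMAIN) by reading the 12-byte DNS response header. The sample headers are constructed for the example, and the helper names `build_header` and `classify` are hypothetical.

```python
import struct

QR, AA = 0x8000, 0x0400          # header flag bits (RFC 1035, section 4.1.1)
RCODES = {1: "FORMERR", 4: "NOTIMP", 5: "REFUSED"}

def build_header(rcode, aa, ancount, nscount, qid=0x1234):
    """Build a constructed 12-byte DNS response header for testing."""
    flags = QR | (AA if aa else 0) | (rcode & 0x000F)
    # Fields: ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
    return struct.pack("!6H", qid, flags, 1, ancount, nscount, 0)

def classify(message):
    """Classify a DNS response using only its header fields."""
    if len(message) < 12:
        raise ValueError("truncated DNS header")
    _qid, flags, _qd, ancount, nscount, _ar = struct.unpack("!6H", message[:12])
    if not flags & QR:
        raise ValueError("not a response (QR bit clear)")
    aa = bool(flags & AA)
    rcode = flags & 0x000F
    if rcode == 2:
        # The server could not produce an answer or a referral;
        # the thread notes that requesters keep retrying on this.
        return "SERVFAIL"
    if rcode == 3:
        # Name error: only meaningful when it originates from an
        # authoritative server for the relevant zone.
        return "NXDOMAIN (authoritative)" if aa else "NXDOMAIN (non-authoritative)"
    if rcode == 0:
        if ancount > 0:
            return "answer"
        if nscount > 0 and not aa:
            # No answer, not authoritative, NS records in the authority
            # section: the server is pointing the requester elsewhere.
            return "referral"
        return "no data"
    return RCODES.get(rcode, f"RCODE {rcode}")

if __name__ == "__main__":
    samples = {                                  # constructed sample headers
        "no hints, out-of-zone name": build_header(2, False, 0, 0),
        "hints loaded, out-of-zone name": build_header(0, False, 0, 13),
        "in-zone name that does not exist": build_header(3, True, 0, 1),
    }
    for label, header in samples.items():
        print(f"{label}: {classify(header)}")
```

The classifier looks at the header only; confirming that a referral actually points at the root means decoding the NS records in the authority section.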