The nameservers for members.nmar.com are broken.  They are returning
2 CNAME records when only 1 is allowed.  They are also returning a
referral to the root servers.

Referrals to the root servers after following CNAMEs are supposed to
have gone the way of the dodo.  Multiple CNAMEs have never been allowed.

Just because Google accepts broken responses, it doesn’t make them correct.

Mark

% dig members.nmar.com +norec @ns2.hover.com

; <<>> DiG 9.19.20-dev <<>> members.nmar.com +norec @ns2.hover.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51358
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 13, ADDITIONAL: 0

;; QUESTION SECTION:
;members.nmar.com. IN A

;; ANSWER SECTION:
members.nmar.com. 900 IN CNAME public.west.us.memberzone.org.
members.nmar.com. 900 IN CNAME public.east.us.memberzone.org.

;; AUTHORITY SECTION:
. 518400 IN NS a.root-servers.net.
. 518400 IN NS b.root-servers.net.
. 518400 IN NS c.root-servers.net.
. 518400 IN NS d.root-servers.net.
. 518400 IN NS e.root-servers.net.
. 518400 IN NS f.root-servers.net.
. 518400 IN NS g.root-servers.net.
. 518400 IN NS h.root-servers.net.
. 518400 IN NS i.root-servers.net.
. 518400 IN NS j.root-servers.net.
. 518400 IN NS k.root-servers.net.
. 518400 IN NS l.root-servers.net.
. 518400 IN NS m.root-servers.net.

;; Query time: 219 msec
;; SERVER: 64.98.148.13#53(ns2.hover.com) (UDP)
;; WHEN: Thu Feb 01 16:35:45 AEDT 2024
;; MSG SIZE  rcvd: 314

% 

> On 1 Feb 2024, at 16:27, Scott Richardson <sc...@bullittcomm.com> wrote:
> 
> Hello,
> 
> -I have been troubleshooting a format error in BIND 9 for about a week at 
> this point.
> 
> -The symptoms:
> 
> -I am unable to resolve members.nmar.com.
> 
> -The nslookup output from a client to OUR private recursive DNS server is as 
> follows:
> 
>> members.nmar.com
> Server:  [100.101.0.10]
> Address:  100.101.0.10
> 
> *** [100.101.0.10] can't find members.nmar.com: Server failed
> 
> -Our DNS server log output follows:
> 
> Jan 26 13:48:00 dns1 named[1609]: FORMERR resolving 'members.nmar.com/A/IN': 
> 216.40.47.26#53
> Jan 26 13:48:00 dns1 named[1609]: FORMERR resolving 'members.nmar.com/A/IN': 
> 64.98.148.13#53
> 
> -It works with Cloudflare and Google however:
> 
>> server 8.8.8.8
> Default Server:  dns.google
> Address:  8.8.8.8
> 
>> members.nmar.com
> Server:  dns.google
> Address:  8.8.8.8
> 
> Non-authoritative answer:
> Name:    public.west.us.memberzone.org
> Address:  172.170.249.2
> Aliases:  members.nmar.com
> 
> -If I dig this from one of our other servers it fails as well unless I add the 
> +norec option which DOES work.
> 
> -If I perform an nslookup to their authoritative DNS servers I get a referral 
> to the root name server list:
> 
> Server:  ns1.hover.com
> Address:  216.40.47.26
> 
> Name:    nmar.com
> Address:  20.25.91.29
> 
>> members.nmar.com
> Server:  ns1.hover.com
> Address:  216.40.47.26
> 
> Non-authoritative answer:
> Non-authoritative answer:
> Name:    members.nmar.com
> Served by:
> - a.root-servers.net
> - b.root-servers.net
> - c.root-servers.net
> - d.root-servers.net
> - e.root-servers.net
> - f.root-servers.net
> - g.root-servers.net
> - h.root-servers.net
> - i.root-servers.net
> - j.root-servers.net
> -I am not sure if this is an issue with us or them or I need to adjust my 
> configuration somehow to accommodate a problem on their server.  I am not 
> sure why other DNS is working but ours is failing.
> 
> -This is tested with our server firewall disabled.
> 
> -I have disabled firewall rules within our network to confirm NO firewall 
> issues are causing this.
> 
> -I have checked the DNS with our upstream and they are resolving this url 
> correctly; therefore I don't suspect firewall issues within their network.
> 
> -We are not using IPV6 at all at this time.
> 
> -This is occurring with both of our redundant DNS servers and I fired up a 
> test server with Bind 9.16 and it is giving me the same result.
> 
> -Any thoughts or suggestions would be very helpful and much appreciated!
> 
> Regards,
> 
> 
> Scott
> -- 
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
> this list
> 
> ISC funds the development of this software with paid support subscriptions. 
> Contact us at https://www.isc.org/contact/ for more information.
> 
> 
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: ma...@isc.org
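
The two defects named in the reply (more than one CNAME at an owner name, and root-server NS records in the authority section) can be checked mechanically against saved dig output. This is an added example, not part of the original message or of BIND; the function names `parse_sections` and `audit` are hypothetical, and the sample is abbreviated from the dig output above.

```python
import re
from collections import defaultdict

# Abbreviated from the dig output in the message above (2 of the 13 root NS kept).
SAMPLE = """\
;; ANSWER SECTION:
members.nmar.com. 900 IN CNAME public.west.us.memberzone.org.
members.nmar.com. 900 IN CNAME public.east.us.memberzone.org.

;; AUTHORITY SECTION:
. 518400 IN NS a.root-servers.net.
. 518400 IN NS b.root-servers.net.
"""

RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+)$")

def parse_sections(text):
    """Return {section: [(owner, rrtype, rdata), ...]} from dig text output."""
    sections, current = defaultdict(list), None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^;; (\w+) SECTION:$", line)
        if m:
            current = m.group(1)
        elif current and line and not line.startswith(";"):
            rr = RR.match(line)
            if rr:
                owner, _ttl, rrtype, rdata = rr.groups()
                sections[current].append((owner.lower(), rrtype.upper(), rdata))
    return sections

def audit(text):
    """List the two defects described in the reply, if present."""
    sec, findings = parse_sections(text), []
    targets = defaultdict(set)
    for owner, rrtype, rdata in sec["ANSWER"]:
        if rrtype == "CNAME":
            targets[owner].add(rdata.lower())
    for owner, names in sorted(targets.items()):
        if len(names) > 1:
            findings.append(f"multiple CNAMEs at {owner}: {sorted(names)}")
    # Assumes the query was for a non-root name, as in the thread.
    if any(o == "." and t == "NS" for o, t, _ in sec["AUTHORITY"]):
        findings.append("authority section is a referral to the root servers")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```
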
