Additionally, recursive servers cache NXDOMAIN responses, so the order of queries can make it appear that records that exist don’t.

[ant:~/git/bind9] marka% dig mx.l3harris.com
;; BADCOOKIE, retrying.

; <<>> DiG 9.21.0-dev <<>> mx.l3harris.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53261
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 370061f19184677a0100000066b1655c894a0c198fe60ecd (good)
;; QUESTION SECTION:
;mx.l3harris.com. IN A

;; ANSWER SECTION:
mx.l3harris.com. 30 IN A 128.170.196.41

;; Query time: 627 msec
;; SERVER: ::1#53(::1) (UDP)
;; WHEN: Tue Aug 06 09:50:52 AEST 2024
;; MSG SIZE rcvd: 88

[ant:~/git/bind9] marka% dig mx.l3harris.com mx
;; BADCOOKIE, retrying.

; <<>> DiG 9.21.0-dev <<>> mx.l3harris.com mx
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 29621
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 666df07b66a2e67f0100000066b1656251072aebdea4b3c4 (good)
;; QUESTION SECTION:
;mx.l3harris.com. IN MX

;; AUTHORITY SECTION:
l3harris.com. 900 IN SOA mlb-ib-gm.net.harris.com. dnsadmin.harris.com. 175 10800 3600 2419200 900

;; Query time: 399 msec
;; SERVER: ::1#53(::1) (UDP)
;; WHEN: Tue Aug 06 09:50:58 AEST 2024
;; MSG SIZE rcvd: 138

[ant:~/git/bind9] marka% dig mx.l3harris.com aaaa
;; BADCOOKIE, retrying.

; <<>> DiG 9.21.0-dev <<>> mx.l3harris.com aaaa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 43591
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 174cffd3bd9a5d890100000066b1656785da617fff2368bc (good)
;; QUESTION SECTION:
;mx.l3harris.com. IN AAAA

;; AUTHORITY SECTION:
l3harris.com. 895 IN SOA mlb-ib-gm.net.harris.com. dnsadmin.harris.com. 175 10800 3600 2419200 900

;; Query time: 0 msec
;; SERVER: ::1#53(::1) (UDP)
;; WHEN: Tue Aug 06 09:51:03 AEST 2024
;; MSG SIZE rcvd: 138

[ant:~/git/bind9] marka% dig mx.l3harris.com a
;; BADCOOKIE, retrying.

; <<>> DiG 9.21.0-dev <<>> mx.l3harris.com a
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 401
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 28837517d952cd9b0100000066b1656b2a4600fd1f942ac8 (good)
;; QUESTION SECTION:
;mx.l3harris.com. IN A

;; AUTHORITY SECTION:
l3harris.com. 891 IN SOA mlb-ib-gm.net.harris.com. dnsadmin.harris.com. 175 10800 3600 2419200 900

;; Query time: 0 msec
;; SERVER: ::1#53(::1) (UDP)
;; WHEN: Tue Aug 06 09:51:07 AEST 2024
;; MSG SIZE rcvd: 138

[ant:~/git/bind9] marka%

> On 6 Aug 2024, at 08:35, Robert L Mathews <[email protected]> wrote:
>
>> On Aug 5, 2024, at 3:25 PM, Patrick Mevzek <[email protected]> wrote:
>>
>> `NXDOMAIN` means the name does not exist, no matter which type.
>
> That's super helpful, and the dnsviz.net report should be enough that I can
> convince them they're doing it wrong. Thanks!
>
> --
> Robert L Mathews
>
> _______________________________________________
> dns-operations mailing list
> [email protected]
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: [email protected]
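
Added example, not part of the original message: a small Python checker that reads saved dig output and reports names that received both a positive answer and NXDOMAIN, the inconsistency visible in the transcript above. The sample input is a constructed abbreviation of that transcript, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: abbreviated dig output modelled on the transcript above.
SAMPLE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53261
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;mx.l3harris.com.        IN  A
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 29621
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;mx.l3harris.com.        IN  MX
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 401
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;mx.l3harris.com.        IN  A
"""

HEADER = re.compile(r"status: (\w+), id: \d+")
COUNTS = re.compile(r"ANSWER: (\d+),")
QUESTION = re.compile(r"^;(\S+)\s+IN\s+(\S+)\s*$")

def parse_dig(text):
    """Yield (qname, qtype, rcode, answer_count) for each response in dig output."""
    rcode = answers = None
    for line in text.splitlines():
        if m := HEADER.search(line):
            rcode, answers = m.group(1), None
        elif (m := COUNTS.search(line)) and rcode:
            answers = int(m.group(1))
        elif (m := QUESTION.match(line)) and rcode and answers is not None:
            yield m.group(1).lower(), m.group(2).upper(), rcode, answers
            rcode = answers = None

def nxdomain_conflicts(text):
    """Map each qname that got both a positive answer and NXDOMAIN to the types seen."""
    seen = defaultdict(lambda: {"exists": [], "nxdomain": []})
    for qname, qtype, rcode, answers in parse_dig(text):
        if rcode == "NOERROR" and answers > 0:      # name demonstrably exists
            seen[qname]["exists"].append(qtype)
        elif rcode == "NXDOMAIN":                   # claims no type exists at the name
            seen[qname]["nxdomain"].append(qtype)
    return {n: dict(v) for n, v in seen.items() if v["exists"] and v["nxdomain"]}

if __name__ == "__main__":
    for name, v in nxdomain_conflicts(SAMPLE).items():
        print(f"{name}: answers for {v['exists']}, NXDOMAIN for {v['nxdomain']}")
```

A type that appears in both lists, as A does here, is the query-order effect: the cached NXDOMAIN from the MX lookup later hides a record that was answered earlier.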
