BIND recursive not resolving some domains

Question

I have a recursive caching BIND/named setup and it does not want to resolve some domains. I see those errors in logfile:

Dec 22 11:53:02 router2.lan named[301]: skipping nameserver 'ns0.flowerfire.com' because it is a CNAME, while resolving 'www.sawmill.net/AAAA'
Dec 22 11:53:02 router2.lan named[301]: SERVFAIL unexpected RCODE resolving 'www.sawmill.net/A/IN': 63.249.66.124#53
Dec 22 11:53:02 router2.lan named[301]: skipping nameserver 'ns0.flowerfire.com' because it is a CNAME, while resolving 'www.sawmill.net/A'
Dec 22 11:53:02 router2.lan named[301]: skipping nameserver 'ns1.flowerfire.com' because it is a CNAME, while resolving 'www.sawmill.net/A'
Dec 22 11:53:02 router2.lan named[301]: SERVFAIL unexpected RCODE resolving 'www.sawmill.net/AAAA/IN': 63.249.66.124#53
Dec 22 11:53:02 router2.lan named[301]: skipping nameserver 'ns0.flowerfire.com' because it is a CNAME, while resolving 'www.sawmill.net/AAAA'
Dec 22 11:53:02 router2.lan named[301]: skipping nameserver 'ns1.flowerfire.com' because it is a CNAME, while resolving 'www.sawmill.net/AAAA'

(that domain is not mine)
Google's 8.8.8.8 resolves this domain properly

Here's my named.conf

options {
    directory "/var/named";
    pid-file "/run/named/named.pid";

    listen-on-v6 { any; };

    dnssec-validation auto;
    auth-nxdomain no;
    allow-query {
        any;
    };

    recursion yes;
    allow-recursion {
        any;
    };
    allow-transfer { none; };
    allow-update { none; };


    version none;
    hostname none;
    server-id none;

    max-cache-size 16M;
    max-ncache-ttl 3600;
};

And BIND version:
BIND 9.11.0-P1

Does anyone know why is that happening?

By the way, the server is firewalled so no harm in allowing recursion from all sources.

score 2 · Accepted Answer · edited Oct 07 '21 at 07:59

The key to the problem is these two messages:

Dec 22 11:53:02 router2.lan named[301]: skipping nameserver 'ns0.flowerfire.com' because it is a CNAME, while resolving 'www.sawmill.net/A'
Dec 22 11:53:02 router2.lan named[301]: skipping nameserver 'ns1.flowerfire.com' because it is a CNAME, while resolving 'www.sawmill.net/A'

BIND is very strict about enforcing the RFC 1034 stipulation that NS records "should always" point at a primary name and not an alias. Some nameserver software may choose to work around the brain damage, but they should be considered the exception and not the rule.

BIND will initially chase the glue records served up by the net. TLD, but when it's time to refresh the NS records they will be evicted from cache when the CNAME is encountered.

As a side note, these sawmill.net nameservers are terrible in general. NS records pointing at CNAME aliases, NS records that are missing from the glue, four NS records which duplicate IPs and only really point at two, one nameserver returning an unexpected rcode, and adjacent IP addresses which ignore BCP 16. Sheesh.

Thank you, that makes sense. Is there a way to turn off/patch BIND so it does not enforce, or do I have to use another DNS resolver software? — FHR, Dec 22 '16 at 18:38
I've never seen an option to disable this behavior, so you will either need to modify the source or use different software. Frankly I would complain to the domain owners. They've broken their own configuration and it's not the internet's responsibility to fix it for them. — Andrew B, Dec 22 '16 at 18:39

BIND recursive not resolving some domains

1 Answers1