
I have two DNS resolvers in my /etc/resolv.conf file. The top one is a Windows DNS server, and the bottom one is my wi-fi router. Please see below.

```
nameserver 192.168.1.126
nameserver 192.168.1.1
```

In the Windows DNS server, the sole "Forward Lookup Zone" is biman.net.

When I query for a host in the zone (biman.net), the Windows DNS server works fine: either it returns the IP or NXDOMAIN. But when I query for anything in a non-existing zone, it returns SERVFAIL. The wifi router, on the other hand, returns NXDOMAIN even when the zone name is bogus.

How can I get an NXDOMAIN response from the Windows DNS server when the zone does not exist?

Below are the queries and the responses.

```
root@VDIkali:~# nslookup -q=A kali2.biman.net
Server:     192.168.1.126
Address:    192.168.1.126#53

Name:   kali2.biman.net
Address: 192.168.1.122

root@VDIkali:~# nslookup -q=A NOHOST.biman.net
Server:     192.168.1.126
Address:    192.168.1.126#53

** server can't find NOHOST.biman.net: NXDOMAIN

root@VDIkali:~# nslookup -q=A kali2.NONEXTING.net
;; Got SERVFAIL reply from 192.168.1.126, trying next server
Server:     192.168.1.1
Address:    192.168.1.1#53

** server can't find kali2.NONEXTING.net: NXDOMAIN
```

  • Do you have either .net or notexisting.net running as a domain? Can you upload a screenshot? Commented Feb 2, 2020 at 15:48
  • The NONEXiSTING.net domain does not exist. The biman.net domain exists. The Kali2 host exists in the biman.net domain. Commented Feb 3, 2020 at 22:25
  • I have another question related to DNS. I was analysing my DNS traffic using tcpdump (not verbose mode) on an AIX client. I found a lot of repeated transaction IDs over a matter of hours, even for different queries (see the evidence below). Is it expected?

    ```
    19:30:06.039765 IP 172.18.140.80.43852 > 172.28.3.40.53: 56554+ AAAA? 172.18.140.80.sg.uobnet.com. (45)
    19:30:06.040741 IP 172.28.3.40.53 > 172.18.140.80.43852: 56554 NXDomain* 0/1/0 (110)
    19:30:06.644668 IP 172.18.140.80.43873 > 172.28.3.40.53: 56554+ AAAA? DMPCUSG01. (27)
    19:30:06.645465 IP 172.28.3.40.53 >
    ```

    Commented Feb 4, 2020 at 1:00
  • And one more piece of evidence where a transaction ID repeats over an hour:

    ```
    19:20:00.768582 IP 172.18.140.80.43432 > 172.28.3.40.53: 62969+ AAAA? DMPCUSG01. (27)
    19:20:00.769278 IP 172.28.3.40.53 > 172.18.140.80.43432: 62969 ServFail 0/0/0 (27)
    19:20:00.769344 IP 172.18.140.80.43433 > 172.18.3.40.53: 62969+ AAAA? DMPCUSG01. (27)
    19:20:00.769775 IP 172.18.3.40.53 > 172.18.140.80.43433: 62969 ServFail 0/0/0 (27)
    20:30:01.433471 IP 172.18.140.80.46031 > 172.28.3.40.53: 62969+ AAAA? DMPCUSG01. (27)
    ```

    Commented Feb 4, 2020 at 1:02
  • If your intention is to resolve names in biman.net as well as external domain names, the proper setup is to have a forwarder configured on your Windows DNS and use it as your only resolver, instead of having 2 resolvers. Commented Feb 23, 2024 at 16:07
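The comments above ask whether seeing the same DNS transaction ID reused across hours and across different queries is expected. As an added example (not from the question, the commenters, or any tool they used), the Python below parses tcpdump DNS query lines of the form quoted in the comments, groups outbound queries by transaction ID, and reports IDs that were reused for different names or over a long window; low TXID entropy matters because, per RFC 5452, the 16-bit ID and the source port are what an off-path forged reply has to guess. The sample lines are constructed from the excerpts in the comments, and the 600-second window is an assumed threshold.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: tcpdump (non-verbose) lines taken from the comment excerpts,
# an AIX client at 172.18.140.80 querying resolvers on port 53.
SAMPLE_LINES = """\
19:20:00.768582 IP 172.18.140.80.43432 > 172.28.3.40.53: 62969+ AAAA? DMPCUSG01. (27)
19:20:00.769278 IP 172.28.3.40.53 > 172.18.140.80.43432: 62969 ServFail 0/0/0 (27)
19:20:00.769344 IP 172.18.140.80.43433 > 172.18.3.40.53: 62969+ AAAA? DMPCUSG01. (27)
19:20:00.769775 IP 172.18.3.40.53 > 172.18.140.80.43433: 62969 ServFail 0/0/0 (27)
19:30:06.039765 IP 172.18.140.80.43852 > 172.28.3.40.53: 56554+ AAAA? 172.18.140.80.sg.uobnet.com. (45)
19:30:06.040741 IP 172.28.3.40.53 > 172.18.140.80.43852: 56554 NXDomain* 0/1/0 (110)
19:30:06.644668 IP 172.18.140.80.43873 > 172.28.3.40.53: 56554+ AAAA? DMPCUSG01. (27)
20:30:01.433471 IP 172.18.140.80.46031 > 172.28.3.40.53: 62969+ AAAA? DMPCUSG01. (27)
"""

# Matches outbound queries only: "<time> IP <src>.<sport> > <dst>.53: <txid>+ <qtype>? <qname> (<len>)"
# Replies ("62969 ServFail ...") lack the "+" after the ID and are skipped.
QUERY_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.53: (?P<txid>\d+)\+ (?P<qtype>\w+)\? (?P<qname>\S+) "
)

def parse_queries(text):
    """Return (timestamp, txid, qname, source_port) for every query line in text."""
    out = []
    for line in text.splitlines():
        m = QUERY_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%H:%M:%S.%f")  # time-of-day only, as tcpdump prints it
            out.append((ts, int(m["txid"]), m["qname"], int(m["sport"])))
    return out

def txid_reuse(text, window_seconds=600):
    """Report transaction IDs reused for more than one name, or reused across a
    span of at least window_seconds (assumed threshold). A resolver that picks
    IDs from a small or predictable set leaves only the source port as entropy
    against forged answers, so such reuse is worth flagging for review."""
    seen = defaultdict(list)
    for ts, txid, qname, sport in parse_queries(text):
        seen[txid].append((ts, qname, sport))
    report = {}
    for txid, uses in seen.items():
        names = sorted({q for _, q, _ in uses})
        times = [t for t, _, _ in uses]
        span = (max(times) - min(times)).total_seconds()
        if len(names) > 1 or span >= window_seconds:
            report[txid] = {"count": len(uses), "names": names, "span_seconds": span}
    return report
```

Run against the constructed sample, ID 62969 is flagged for three uses spanning roughly 70 minutes and ID 56554 for being used for two different names within a second.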

1 Answer


You get SERVFAIL for non-existing names if the DNS server is configured to be able to resolve the name but actually cannot do it. Two example scenarios:

  1. Your Windows DNS server is online: make sure that the server can reach its root DNS servers, so they can serve NXDOMAIN for non-existing names. Otherwise your server will serve SERVFAIL for all names it does not serve itself.

  2. Your Windows DNS server is air-gapped: make sure to remove all root servers, as it won't reach them anyway. Add your own (probably empty) root DNS zone named `.` (yes, just the dot). Then your Windows DNS server will return NXDOMAIN for all names it does not know.
