Negative Name Server Response
March 15th, 2012, 02:21 PM
Registered User
There is a NS request to a third party site that we work with from my Internet Forwarder that's asking for a NS resource record. The name does not exist with their domain. So a negative response is sent back to my forwarder and then to our internal DNS server. The SOA response is cached within the domain record for that site. During this time, there is an A record that also has a negative cache (it doesn't exist within the domain record) that normally is there, but it only appears back in the cached domain when the SOA TTL expires. First, the NS request for that name server which doesn't exist: I'm not sure why my Forwarder is even making that request. Is it possible that someone within our network could be generating this request? Or is this the way negative caching should work? The bottom line is when the SOA appears some of our internal customers can't reach this site. The third party tells me that the A record for that site is in their DNS system, but that they see a NS request that is exact in syntax to the A record in question.
Hopefully, this makes sense....

March 15th, 2012, 02:40 PM
Contributing User
This is sort of hard to follow so forgive me if I completely misunderstand you. Are you able to provide the domain in question?
A request for a domain (just a basic request) sends out queries and an A record and NS records are returned (NS in the Auth section). You should only be getting negative data if the domain doesn't actually exist or the domain being queried has a configuration problem. SOA records are returned with negative answers to help you troubleshoot (has the auth server in it as well as an email address....rather it should have that). Assuming the domain exists, whoever owns the domain having issues probably has something misconfigured is the bottom line. That's generally how it goes with DNS. If you can provide the domain having issues, I can take a look at it.

March 15th, 2012, 03:19 PM
Registered User
The domain name can't be released for this discussion, but the concept is what I'm after. You did follow me correctly. The A record definitely exists, because this problem is intermittent; it only occurs when the SOA record appears. I think our A record TTL expires and then during this time an NS request is made for a server that doesn't exist within that domain. The negative response is sent back to us with the SOA and NS section applied as you said. Until the SOA expires, any new request for a valid A record that is not cached is treated as NXDOMAIN.
The request for a NS from my forwarder which doesn't exist within their domain is puzzling me. I'm not sure why that occurs.

March 15th, 2012, 04:16 PM
Contributing User
Ncache ttl is usually determined by a few things (If I remember correctly). You can have the minimum ncache ttl option statement, the minimum field in the soa (if no soa ttl is stated) or when the SOA itself expires. The SOA TTL can be set manually, be set from the default $TTL in the configuration or set from the minimum field if those other 2 are missing.
As far as a non slave server for the domain (pretty much everything on the internet), the SOA sort of doesn't mean anything. You can consider it informational only. Yes it determines ncache (to an extent) but that's about it. The fact you are getting negative responses is probably still due to some error on their side.
The request for name servers can happen for a few reasons. I'll try to explain one of the more common things I see that sort of sounds similar:
In this assumption, we'll say the domain has unresolvable/incorrect name servers. During a recursive lookup, you will get your fancy A record and the hostnames of the name server. Let's keep it simple and say the A record has a TTL of 60 and the NS' have a TTL of 3600. All is well accessing that domain for the first 60 seconds. After that is where the trouble can start. After 60 seconds you now have the hostnames of that domain cached but nothing else. Let's say a new query comes in for that domain's A record. Since you have their nameservers cached, the DNS server will use those to send the queries directly (avoid a recursive lookup). So the first thing it does is resolve the nameservers' hostnames for the domain in question. If the resolution of those names comes back as NXDOMAIN, you get a servfail on the lookup. What can be worse is if they resolve to, let's say, an old DNS provider's authoritative servers. That DNS provider will more than likely return NXDOMAIN for the domain, thus ruining your lookup, branding it as NXDOMAIN. After the ncache of that expires, you do a recursive lookup and you're good for another 60 seconds. Rinse and repeat.
Short story is, having bad or incorrect NS records will generally result in intermittent problems. Make sure their name servers are resolvable and queries to both (or however many) come back with the right info.

March 16th, 2012, 02:01 PM
Registered User
Our failure occurs when an "A" record and this is an example only with name.example.com syntax. But a NS request is made for name.example.com, gets a negative response and caches a SOA based on the negative response to the cached domain on our DNS servers. The correct A record for name.example.com has timed out and as long as the SOA is there we can't request a new A record for the valid name.example.com "A" record.

March 16th, 2012, 03:04 PM
Contributing User
Yeah, an NXDOMAIN response is cached for that whole domain. There are no NXDOMAIN responses for individual records. Since the domain is cached as nonexistent, nothing else will be queried for it until the ncache expires. The thought process on that is, "why bother trying any more queries or any other records if the domain doesn't exist".
You should only get an NXDOMAIN response back if the domain as a whole doesn't exist. It should only be caused by the domain legitimately not existing. If the domain/hostname is valid, any queries for nonexistent records should get a NOERROR response without an answer section (and an SOA in the auth). If you get an NXDOMAIN response back when you query only a specific record for a valid domain, the server hosting that data is not responding correctly. As for what's sending the NS queries, it could be a program or just the server itself needing the records. It doesn't matter what is sending the queries because a simple query for an rrset should not break the other records you will end up caching locally. Of course that is in theory.
So if you are getting negative responses for a valid domain's NS records, that server hosting it is probably not configured correctly or they are running some software that is not responding to queries appropriately. It could very well be something really obscure but that would be hard to tell without the domain name to test.

March 16th, 2012, 03:12 PM
Registered User
The domain is valid, but the NS record that is being requested doesn't exist, so from that perspective the answer is correct. But it locks the domain down until the negative cache times out. That's why I was wondering where that original request came from. But I see now that what I thought is actually happening. The request for the non-existing NS resource record shouldn't be sending that type of response. I know that there are 4 types; I think the type 2 is what should be sent.

March 16th, 2012, 03:55 PM
Contributing User
Right, it should be sending back a NOERROR classed response with no actual answer in it. As soon as it responds NXDOMAIN, that authoritative server is telling you the domain AS A WHOLE does not exist. Which your server in turn caches for a predetermined time.
You have NOERROR, NXDOMAIN, SERVFAIL, REFUSED, FORMERR and NOTIMP for the possible responses.

March 28th, 2012, 08:37 AM
Registered User
I read the sniffer trace incorrectly; the NS request for a name server that doesn't exist is actually sending back a reply code of 3, "No such Name". Which is correct because the NS resource record for the name requested doesn't exist. I thought it was referencing the domain that I was caching DNS A and MX records. But the SOA is still cached and every time this response happens we lose the A record, which is the same name as the NS request. After the negative response with SOA TTL expires, which is 1 hour, then I can request an A record and everything is OK. So I still need help: why is this response for a NS server that doesn't exist, but has the same name as the A record that I'm concerned about, causing this failure?
Jeff

March 28th, 2012, 08:41 AM
Registered User
Example
Request NS Record for test.domain.com
cache A record for web portal = test.domain.com (this site does exist)
When negative response for NS is cached by my DNS servers. A record for test.domain.com goes away for TTL of 1 hour. Then A record is OK??????
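
Added illustration (not part of any post in this thread): a minimal Python model of RFC 2308 negative caching that replays the test.domain.com scenario, showing how an NXDOMAIN answer to an NS query masks the same name's A record once its TTL expires, while a NOERROR/empty ("NODATA") answer does not. The IP address, the 60-second A TTL and the simplified cache layout are constructed assumptions; real resolvers differ in detail.

```python
# Added example: simplified resolver cache following RFC 2308 negative caching.
# All names, addresses and TTLs are constructed sample values.
NOERROR, NXDOMAIN = 0, 3

class Cache:
    def __init__(self):
        self.pos = {}       # (name, rrtype) -> (expiry, rdata)
        self.nodata = {}    # (name, rrtype) -> expiry; NOERROR with empty answer
        self.nxdomain = {}  # name -> expiry; applies to every type at that name

    def store(self, now, name, rrtype, rcode, answer,
              ttl=0, soa_ttl=0, soa_minimum=0):
        # RFC 2308 section 5: negative TTL = min(SOA record TTL, SOA MINIMUM).
        neg_ttl = min(soa_ttl, soa_minimum)
        if rcode == NXDOMAIN:
            self.nxdomain[name] = now + neg_ttl
        elif answer is None:
            self.nodata[(name, rrtype)] = now + neg_ttl
        else:
            self.pos[(name, rrtype)] = (now + ttl, answer)

    def lookup(self, now, name, rrtype):
        """Return 'HIT', 'NXDOMAIN', 'NODATA' or 'MISS' (MISS = ask upstream)."""
        expiry, _ = self.pos.get((name, rrtype), (0, None))
        if now < expiry:
            return "HIT"
        if now < self.nxdomain.get(name, 0):
            return "NXDOMAIN"   # answered from negative cache, no upstream query
        if now < self.nodata.get((name, rrtype), 0):
            return "NODATA"
        return "MISS"

def replay(ns_rcode):
    """Cache an A record at t=0, then an empty NS answer with ns_rcode at t=10
    (SOA TTL and MINIMUM both 1 hour). Return A lookups at t=30, 120, 3700."""
    cache = Cache()
    cache.store(0, "test.domain.com", "A", NOERROR, "192.0.2.10", ttl=60)
    cache.store(10, "test.domain.com", "NS", ns_rcode, None,
                soa_ttl=3600, soa_minimum=3600)
    return [cache.lookup(t, "test.domain.com", "A") for t in (30, 120, 3700)]

if __name__ == "__main__":
    print("NS answered NXDOMAIN:", replay(NXDOMAIN))
    print("NS answered NOERROR :", replay(NOERROR))
```

In a packet capture, the distinguishing field is the reply code on the NS response: 3 with an SOA in the authority section populates the name-level negative entry, whereas 0 with an empty answer section only affects the NS type.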