While helping to diagnose name resolution issues on a Windows Domain, I
discovered that Microsoft DNS Server (version 1DB10106 (6.1 build 7601))
responds to requests from the BIND DIG
tool (version 9.11) with response code 1
FORMERR (Request format
error). This post discusses why and a workaround.
First, an example request and response, to clarify the issue:
; <<>> DiG 9.11.0 <<>> kevinlocke.name @127.0.0.1 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 59675 ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 ;; WARNING: recursion requested but not available ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ; COOKIE: 808a22be618a7750 (echoed) ;; QUESTION SECTION: ;kevinlocke.name. IN A ;; Query time: 62 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Fri Jan 20 17:24:10 Mountain Daylight Time 2017 ;; MSG SIZE rcvd: 51
kevinlocke.name and received
FORMERR. After some trial and
error, I determined that the issue results from DIG 9.11 sending the DNS
COOKIE option. This option was enabled
by default in BIND
Unfortunately, adding this option causes DNS Server to treat the request as
malformed. This behavior appears to violate “Any OPTION-CODE values not
understood by a responder or requestor MUST be ignored.” from Section 6.1.2
of RFC 6891, but that is
of small consolation for a non-working system.
As a workaround, pass the
+nocookie option (or
+noedns to disable all EDNS
options) as in
dig +nocookie kevinlocke.name.