Support Central: #5285: Intermittent NXDOMAIN responses for certain recursive queries

Problem Summary

Intermittently, NXDOMAIN responses are received for certain recursive queries. The query resolves correctly once, and then an NXDOMAIN response is returned for subsequent queries of the same name.

Customer Environment

Infoblox Grid running DNS service with RPZ enabled

Versions

All versions of NIOS

Cause

Name server verification is part of the RPZ processing of queries. When a query hits the Infoblox DNS server, in addition to resolving the query itself, Infoblox also tries to resolve the NS record for the queried name and the glue record for that NS record. If the NS record query returns an NXDOMAIN response, the response is cached as shown below.

Example query: loader.sis.tv

A record query

sandeep@x:~$ dig @10.192.32.40 loader.sis.tv

; <<>> DiG 9.9.5-11ubuntu1.3-Ubuntu <<>> @10.192.32.40 loader.sis.tv
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39780
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;loader.sis.tv. IN A

;; ANSWER SECTION:
loader.sis.tv. 29 IN A 93.174.217.44

;; Query time: 485 msec
;; SERVER: 10.192.32.40#53(10.192.32.40)
;; WHEN: Thu Mar 24 00:18:49 IST 2016
;; MSG SIZE rcvd: 58

NS record query

sandeep@x:~$ dig @10.192.32.40 loader.sis.tv ns

; <<>> DiG 9.9.5-11ubuntu1.3-Ubuntu <<>> @10.192.32.40 loader.sis.tv ns
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 61855
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;loader.sis.tv. IN NS

;; AUTHORITY SECTION:
sis.tv. 1799 IN SOA ns5.sis.tv. hostmaster.sis.tv. 2016032101 10800 1800 864000 10800

;; Query time: 393 msec
;; SERVER: 10.192.32.40#53(10.192.32.40)
;; WHEN: Thu Mar 24 00:22:58 IST 2016
;; MSG SIZE rcvd: 93

Cache entry

; answer
loader.sis.tv. 1791 IN \-ANY ;-$NXDOMAIN
; sis.tv. SOA ns5.sis.tv. hostmaster.sis.tv. 2016032101 10800 1800 864000 10800

Ideally, the upstream server should have returned NXRRSET (also called NODATA) when the A record exists but the NS record does not: an NXRRSET response has RCODE "No Error" (NOERROR) and an empty answer section. However, some internet name servers return NXDOMAIN instead, as seen above.

An NXRRSET response means that a resource record set that ought to exist does not exist. It is therefore the correct response when the exact RR type queried does not exist but other RRs exist with the same domain name.

An NXDOMAIN response means that the domain name itself does not exist, which implies that there are no records of any type for that name.

Hence the NXDOMAIN is cached for ANY record type at the domain name (the \-ANY cache entry above), and subsequent A queries for the name are answered NXDOMAIN from the negative cache until that entry expires.
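To make the caching difference concrete, the following is an added Python model (not code from the article or from NIOS) of an RFC 2308 negative cache, replaying the article's sequence: A query, RPZ NS verification query, A query again. The dig headers are constructed to match the two responses shown above; the `classify`, `NegativeCache` and `simulate` names are this example's own.

```python
import re

# Constructed dig headers modelled on the article's NS reply (NXDOMAIN)
# and on the NXRRSET/NODATA reply the upstream server should have sent.
NXDOMAIN_HEADER = (";; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 61855\n"
                   ";; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1")
NODATA_HEADER = (";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1\n"
                 ";; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1")

def classify(dig_header: str) -> str:
    """Classify a dig header as NXDOMAIN, NODATA (NXRRSET) or POSITIVE."""
    status = re.search(r"status: (\w+)", dig_header).group(1)
    answers = int(re.search(r"ANSWER: (\d+)", dig_header).group(1))
    if status == "NXDOMAIN":
        return "NXDOMAIN"
    if status == "NOERROR":
        return "NODATA" if answers == 0 else "POSITIVE"
    return status

class NegativeCache:
    """RFC 2308 negative cache: an NXDOMAIN entry covers every type at
    the name; a NODATA entry covers only the queried type."""
    def __init__(self):
        self._entries = {}  # (name, qtype or None) -> expiry time

    def store(self, name, qtype, kind, soa_minimum, now):
        key = (name, None) if kind == "NXDOMAIN" else (name, qtype)
        self._entries[key] = now + soa_minimum

    def lookup(self, name, qtype, now):
        if self._entries.get((name, None), 0) > now:
            return "NXDOMAIN"           # name-wide negative entry hit
        if self._entries.get((name, qtype), 0) > now:
            return "NODATA"             # type-specific negative entry hit
        return None                     # nothing cached, resolve normally

def simulate(ns_reply_header, elapsed=10, soa_minimum=10800):
    """Return the RCODE a client sees on the second A query for the name,
    `elapsed` seconds after the RPZ NS verification query was cached."""
    cache, name = NegativeCache(), "loader.sis.tv."
    # 1st A query: positive answer from upstream, nothing negative cached.
    # RPZ name server verification then issues an NS query for the name.
    kind = classify(ns_reply_header)
    if kind in ("NXDOMAIN", "NODATA"):
        cache.store(name, "NS", kind, soa_minimum, now=0)
    # 2nd A query: the negative cache is consulted before resolving again.
    return cache.lookup(name, "A", elapsed) or "NOERROR"
```

With the NXDOMAIN reply the second A query fails until the SOA minimum TTL (10800 s here) expires; with a proper NODATA reply the NS entry never affects the A lookup.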

Resolution

NIOS provides the option to disable NSDNAME and NSIP rules for RPZ zones. This is discussed in the section "Disabling NSDNAME and NSIP rules for RPZ zones" in the NIOS Administrator Guide.

Workaround: For specific queries, another workaround is to create a forward zone pointing to the authoritative name server for the domain, or to an internet name server that can resolve the A record for the domain. When this is done, the NXDOMAIN for the NS record is not cached, and resolution is uninterrupted.
