Infoblox’s global team of threat hunters uncovers a DNS operation with the ability to bypass traditional security measures and control the Great Firewall of China. Read about “Muddling Meerkat” and the many other threat actors discovered by Infoblox Threat Intel here.



Recursive DNS lookup clarification

New Member
Posts: 1
3295     0

Hi IB Community,


I am redesigning our Infoblox deployment that I inherited and has been running for more than 10 years. During the discovery, I was confused with one of the DNS resolution behaviour and wanted to clarification.




A production IB grid for internal DNS only. The grid has 3 IP addresses listed in grid DNS forwarder and all those IP belongs to Infoblox appliances.....example below


ns1abc - Have fowarders and Use Forwarders Only is Selected.

ns1xyz - Have fowarders and Use Forwarders Only is NOT Selected.

ns1mnp - Have fowarders and Use Forwarders Only is NOT Selected.


ns1abc and multiple other IB appliances are in a NS-group that is authoritative for


ns1xyz and ns1mnp and multiple other IB appliances are in another NS-group that is authoritative for


The confusion is around DNS record resolution in zone ns1abc is giving a non-authoritative response for How did that recursrive DNS lookup work when ns1abc is not in the NS-group and has external forwarders configured and when itself is listed in the Grid DNS properties as one of the Infoblox IP address?




Re: Recursive DNS lookup clarification

[ Edited ]
Posts: 81
3295     0

Hello Sneha,


Did you inspect the DNS view which served that non-authoritative response from ns1abc ? If not, take a look at ns1abc's named.conf & identify the view which is suppose to serve this request. If this specific query didn't fall into the view authoritative for & if's NS info has been registered with your provider for public avaialbility, I guess its normal recursion(As long as the serving view had recursion enabled). 


Now if you say :


  • This specific query for fell into a ns1abc's DNS view authoritative for
  • ns1abc is not a part of the authoritative NS group for
  • There's no delegation for added to ns1abc.


Then i'd say that its a violation of RFC & you'd need to sync up with Technical Support. But I'm kind of 100% sure that you'd find the reason if you take a closer look at the resolution heirarchy.


Good luck.

Re: Recursive DNS lookup clarification

Posts: 33
3296     0

The first thing that I would do in this case is test each server to see how it handles non-recursive queries for the record in question, then look for delegations/SOA for each parent domain, if needed. For me, at least, it helps make the named.conf a little more 3D so I can visualize what the configurations are doing. 


You'll need dig for this - there's a download at and Infoblox has training on how to use dig, or you can use the widget in the Dashboards.


dig +norecurse @ns1abc 

dig +norecurse @ns1xyz 

dig +norecurse @ns1mnp 


If those tests gave you name servers under the authority section and answer how the record resolves, you don't need to do the following for the test subdomain, unless you want to be thorough. The first two will be the most interesting and the last 4 should be themselves.


dig NS @ns1abc 

dig SOA@ns1abc 

dig NS @ns1xyz 

dig SOA@ns1xyz 

dig NS @ns1mnp 

dig SOA@ns1mnp 


The first two should be itself and the last 4 might be interesting.


dig NS @ns1abc 

dig SOA@ns1abc 

dig NS @ns1xyz 

dig SOA@ns1xyz 

dig NS @ns1mnp 

dig SOA@ns1mnp 


One setting you probably want to check in the GUI is under each zone's properties in the view, under the Settings tab - look at the bottom of that screen for "Don't use forwarders to resolve queries in subzones".

Showing results for 
Search instead for 
Did you mean: 

Recommended for You