bind9 Numerous recent - error (FORMERR) resolving 'dns3.registrar-servers.com/AAAA/IN'

[David C. Rankin]

All,

I have run bind8 and bind9 for the past 15 years beginning on Mandrake before
it went corporate and tanked. Over the past few weeks to a month or so, my logs
have been filling with (FORMERR) messages like:

May 26 16:44:24 nirvana named[23136]: DNS format error from 208.67.222.222#53
resolving dns3.registrar-servers.com/AAAA: invalid response
May 26 16:44:24 nirvana named[23136]: error (FORMERR) resolving
'dns3.registrar-servers.com/AAAA/IN': 208.67.222.222#53
May 26 16:44:24 nirvana named[23136]: DNS format error from 208.67.222.222#53
resolving dns4.registrar-servers.com/AAAA: invalid response
May 26 16:44:24 nirvana named[23136]: error (FORMERR) resolving
'dns4.registrar-servers.com/AAAA/IN': 208.67.222.222#53
May 26 16:44:24 nirvana named[23136]: DNS format error from 208.67.222.222#53
resolving dns2.registrar-servers.com/AAAA: invalid response
May 26 16:44:24 nirvana named[23136]: error (FORMERR) resolving
'dns2.registrar-servers.com/AAAA/IN': 208.67.222.222#53
May 26 16:44:24 nirvana named[23136]: DNS format error from 208.67.220.220#53
resolving dns3.registrar-servers.com/AAAA: invalid response
May 26 16:44:24 nirvana named[23136]: error (FORMERR) resolving
'dns3.registrar-servers.com/AAAA/IN': 208.67.220.220#53
May 26 16:44:24 nirvana named[23136]: DNS format error from 208.67.220.220#53
resolving dns4.registrar-servers.com/AAAA: invalid response
May 26 16:44:24 nirvana named[23136]: error (FORMERR) resolving
'dns4.registrar-servers.com/AAAA/IN': 208.67.220.220#53
May 26 16:44:24 nirvana named[23136]: DNS format error from 208.67.220.220#53
resolving dns2.registrar-servers.com/AAAA: invalid response
May 26 16:44:24 nirvana named[23136]: error (FORMERR) resolving
'dns2.registrar-servers.com/AAAA/IN': 208.67.220.220#53

I'm not sure what to make of it. Is there something that has changed
requiring an update on my end, or is this just an issue with the remote? I have
an older bind 9.9.1 running.

--
David C. Rankin, J.D.,P.E.

[Mark Andrews]

Well 208.67.220.220 returns the wrong SOA record which is why you
are getting the message. For that matter why are you talking to
208.67.220.220 in the first place? It is not normally involved in
resolving dns2.registrar-servers.com.

registrar-servers.com. 2898 IN NS dns1.name-services.com.
registrar-servers.com. 2898 IN NS dns3.name-services.com.
registrar-servers.com. 2898 IN NS dns4.name-services.com.
registrar-servers.com. 2898 IN NS dns5.name-services.com.
registrar-servers.com. 2898 IN NS dns2.name-services.com.

;; ADDITIONAL SECTION:
dns4.name-services.com. 7 IN A 98.124.194.1
dns3.name-services.com. 7 IN A 98.124.193.1
dns5.name-services.com. 7 IN A 98.124.196.1
dns2.name-services.com. 7 IN A 98.124.197.1
dns1.name-services.com. 6 IN A 98.124.192.1

; <<>> DiG 9.11.0pre-alpha <<>> dns2.registrar-servers.com aaaa @208.67.220.220
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41549
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dns2.registrar-servers.com. IN AAAA

;; AUTHORITY SECTION:
. 1434 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2015052601 1800 900 604800 86400

;; Query time: 19 msec
;; SERVER: 208.67.220.220#53(208.67.220.220)
;; WHEN: Wed May 27 08:24:35 EST 2015
;; MSG SIZE rcvd: 130

> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscrib
> e from this list
>
> bind-users mailing list
> bind-...@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org

[David C. Rankin]

On 05/26/2015 05:31 PM, Mark Andrews wrote:
> Well 208.67.220.220 returns the wrong SOA record which is why you
> are getting the message. For that matter why are you talking to
> 208.67.220.220 in the first place? It is not normally involved in
> resolving dns2.registrar-servers.com.
>

Mark,

Thank you. If I recall correctly, 208.67.220.220 was a DNS that came from a
test of list of public DNS IPs several years ago using dig to test 'Query times'
in a script that parsed and computed min, max and avg, and produced a sorted
list. That particular IP ended up in my forwarders list which is the reason
behind the errors.

Checking recent publication of the public DNS server lists, the opendns
address of 208.67.220.220 is no longer listed. (sigh...) The current best
performers (throwing out the nonworking and china based IPs) from:

http://portforward.com/networking/dns.htm
http://public-dns.tk/nameserver/us.html

with response times between 38-48 msec, seem to be:

204.97.212.10
173.232.2.245
4.2.2.6
173.232.2.249
173.232.2.236
68.87.66.196
204.11.64.239

Let's hope this list stays working for another few years.

[Reindl Harald]

Am 28.05.2015 um 06:26 schrieb David C. Rankin:
> On 05/26/2015 05:31 PM, Mark Andrews wrote:
>> Well 208.67.220.220 returns the wrong SOA record which is why you
>> are getting the message. For that matter why are you talking to
>> 208.67.220.220 in the first place? It is not normally involved in
>> resolving dns2.registrar-servers.com.
>>

> Thank you. If I recall correctly, 208.67.220.220 was a DNS that came
> from a test of list of public DNS IPs several years ago using dig to
> test 'Query times' in a script that parsed and computed min, max and
> avg, and produced a sorted list. That particular IP ended up in my
> forwarders list which is the reason behind the errors.
>
> Checking recent publication of the public DNS server lists, the
> opendns address of 208.67.220.220 is no longer listed. (sigh...) The
> current best performers

just don't use forwarders, do recursion at your own