We have a service vendor with broken DNS. It looks like a well-known problem of F5 load balancers. For the name efederation.wip.ceridian.com (you get redirected there from https://iam.ceridian.com), the DNS "servers" return an answer for an A request, but when you ask for any other record type, they send a name-does-not-exist status, "NXDOMAIN." Once our caching BIND servers get the NXDOMAIN response, the A record info doesn't matter anymore. They return NXDOMAIN for an A record query too.

Yes, yes, I know the Right Answer is to get the vendor to fix their load balancer. But we get the "it works when we're at home," "it works with Google/Cloudflare DNS," "it works on my phone when I use mobile data," so our DNS server must be broken. We have to make it work while we convince the vendor to fix it.

Is there any way to get BIND to work around this brokenness? Something like a way to completely turn off caching for a zone? Other ways to deal with it aside from setting up our own authoritative zone for the name? Seems like RPZ could do it in similar fashion with just a record or two. Unfortunately, we don't have an existing RPZ deployed across the enterprise, so it's the same level of effort.

And how can we be the only customer with this problem? Seems like anyone dual-stacked (even unknowingly so) and a caching DNS server that follows the rules would be getting killed by the AAAA lookups.

bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
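As an added example (not from the original post), this is the "record or two" RPZ variant the post sketches: a local policy zone carrying only an A record for the name, so the resolver answers A queries from local data and returns NODATA rather than NXDOMAIN for AAAA, and the load balancer's bogus NXDOMAIN never enters the cache. The zone name rpz.local, the file path and the address 192.0.2.10 are placeholders.

```conf
// named.conf fragment (added example). "rpz.local" and the file path are placeholders.
options {
    // ... existing options ...
    response-policy { zone "rpz.local"; };
};

zone "rpz.local" {
    type master;
    file "/etc/bind/db.rpz.local";
    allow-query { none; };   // consulted internally by the resolver, never served to clients
};

; /etc/bind/db.rpz.local -- the policy zone itself.
; Owner names are relative to the zone origin, so the last record matches
; queries for efederation.wip.ceridian.com. Because only an A record exists
; at that name, A queries are answered from here and AAAA (or any other type)
; gets NODATA (NOERROR, empty answer) instead of the vendor's NXDOMAIN.
$TTL 300
@   IN  SOA localhost. hostmaster.localhost. ( 1 3600 900 604800 300 )
    IN  NS  localhost.
efederation.wip.ceridian.com    IN  A   192.0.2.10   ; placeholder, use the vendor's real address
```

The placeholder address has to be kept in sync by hand with whatever the load balancer actually answers for the A query, so this only buys time until the vendor fixes their side.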