[dns-operations] NXDOMAIN plus CNAME answer - works sometimes!?

Matthew Richardson matthew-l at itconsult.co.uk
Thu Mar 22 13:49:35 UTC 2018

I have been troubleshooting an issue; the initial symptoms were two Windows
2008 R2 DNS servers (using root hints) caching and returning NX domains for
www.cgma.org & portal.cgma.org.  Running Wireshark on one of these with a
cleared cache clearly shows ns7.markmonitor.com returning a packet
containing NXDOMAIN flags but with a CNAME answer.

Then, using dig, one sees something very similar:

>; <<>> DiG 9.11.2-P1 <<>> @ns7.markmonitor.com portal.cgma.org +norec
>; (1 server found)
>;; global options: +cmd
>;; Got answer:
>;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 20219
>;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
>; EDNS: version: 0, flags:; udp: 1680
>;portal.cgma.org.               IN      A
>portal.cgma.org.        86400   IN      CNAME   portal-cgma-332539813.us-east-1.elb.amazonaws.com.
>com.                    86400   IN      SOA     ns1.markmonitor.com. hostmaster.markmonitor.com. 2018012501 86400 3600 2592000 172800
>;; Query time: 30 msec
>;; WHEN: Thu Mar 22 13:42:04 GMT 2018
>;; MSG SIZE  rcvd: 170

albeit with a somewhat weird-looking authority section.

However, when capturing packets on a recursive Bind server, one also sees
the same response (NXDOMAIN flag with CNAME answer) but Bind goes on to
resolve the CNAME and return the answer.

If anything, its working on Bind is more puzzling than its not working on

Just to ensure that I am not being an idiot (I am doubting myself), is
there any way that that answer could be correct/valid?  Also, does anyone
have any clues as to what might cause such answers?  Is anyone from
MarkMonitor here who might shed some light?

Best wishes,

(a long-time lurker on this list)
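Added example (not part of the post above, and not MarkMonitor's, BIND's or Microsoft's code): a small wire-format builder and parser that reconstructs the response shown in the dig output and then applies the rule in RFC 2308 section 2.1, which states that an NXDOMAIN rcode in a response carrying a CNAME chain refers to the last name in that chain, not to the QNAME. The message bytes are constructed here from the values in the dig output (names, TTLs, SOA fields, message id); the verdict strings and the `interpret` function are this example's own naming, not a resolver API.

```python
"""Interpret an NXDOMAIN response that carries a CNAME in the answer section.

RFC 2308 s2.1: when the answer section holds a CNAME chain, the NXDOMAIN
applies to the final name in the chain. The QNAME itself exists (it owns a
CNAME), so caching a negative entry for the QNAME is the wrong conclusion.
"""
import struct

RCODE_NXDOMAIN = 3
TYPE_A, TYPE_CNAME, TYPE_SOA = 1, 5, 6
CLASS_IN = 1

# Values taken from the dig output quoted in the post (constructed message).
QNAME = "portal.cgma.org."
TARGET = "portal-cgma-332539813.us-east-1.elb.amazonaws.com."


def encode_name(name):
    """Wire-encode a dotted name without compression (RFC 1035 3.1)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(msg, off):
    """Decode a possibly-compressed name at msg[off]; return (name, next offset)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # compression pointer (RFC 1035 4.1.4)
            if end is None:
                end = off + 2
            off = ((length & 0x3F) << 8) | msg[off + 1]
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def build_response(msg_id, rcode, qname, answers, authority):
    """Build an authoritative (QR=1, AA=1) response for an A query on qname.
    answers/authority are lists of (owner, rtype, ttl, rdata_bytes)."""
    flags = 0x8400 | (rcode & 0xF)
    out = struct.pack("!HHHHHH", msg_id, flags, 1, len(answers), len(authority), 0)
    out += encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    for owner, rtype, ttl, rdata in answers + authority:
        out += encode_name(owner) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata
    return out


def parse_response(msg):
    """Parse header, the single question, and the answer/authority sections."""
    _id, flags, _qd, an, ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    off += 4                                      # skip QTYPE and QCLASS
    records = []
    for section, count in (("answer", an), ("authority", ns)):
        for _ in range(count):
            owner, off = decode_name(msg, off)
            rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            # Decode CNAME targets against the whole message so pointers would work.
            target = decode_name(msg, off)[0] if rtype == TYPE_CNAME else None
            records.append({"section": section, "owner": owner, "type": rtype,
                            "ttl": ttl, "target": target})
            off += rdlen
    return {"rcode": flags & 0xF, "qname": qname, "records": records}


def interpret(parsed):
    """Walk the CNAME chain from the QNAME and say which name the rcode is about."""
    name, chain = parsed["qname"], [parsed["qname"]]
    while True:
        nxt = next((r["target"] for r in parsed["records"]
                    if r["section"] == "answer" and r["type"] == TYPE_CNAME
                    and r["owner"] == name), None)
        if nxt is None or nxt in chain:           # end of chain, or a CNAME loop
            break
        name = nxt
        chain.append(name)
    if parsed["rcode"] != RCODE_NXDOMAIN:
        return {"verdict": "not-negative", "chain": chain, "missing": None}
    if len(chain) == 1:
        return {"verdict": "qname-does-not-exist", "chain": chain, "missing": name}
    # The QNAME owns a CNAME, so it exists; only the final target is reported missing.
    return {"verdict": "alias-target-does-not-exist", "chain": chain, "missing": name}


def example_from_post():
    """Reconstruct the response quoted in the post from its printed fields."""
    soa = (encode_name("ns1.markmonitor.com.") + encode_name("hostmaster.markmonitor.com.")
           + struct.pack("!IIIII", 2018012501, 86400, 3600, 2592000, 172800))
    return build_response(20219, RCODE_NXDOMAIN, QNAME,
                          [(QNAME, TYPE_CNAME, 86400, encode_name(TARGET))],
                          [("com.", TYPE_SOA, 86400, soa)])


if __name__ == "__main__":
    print(interpret(parse_response(example_from_post())))
```

Run against the reconstructed message, `interpret` reports that the name the NXDOMAIN is about is the ELB target, not portal.cgma.org, so a cache that records a negative entry for the QNAME on the strength of the rcode alone is storing the wrong thing. Whether the negative part is even usable is a separate question the message cannot settle by itself: the SOA in the authority section is for com., and the target lies in a zone the responding server was not asked about, so a resolver that declines to trust that negative information and instead resolves the CNAME target on its own ends up with the behaviour the post describes for BIND.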

