[dnsdist] dnsdist vs. Windows DNS (+noedns or +nocookie)

Bit World Computing e.K. - Michael Mertel michael.mertel at bwc.de
Thu Jul 23 08:12:51 UTC 2020

Hi Phil,

my fault, the windows admin told me it is a W2K8R2, I wasn’t able to verify it myself with my own test instance of W2K12R2.

I’ve tried the mentioned functions/parameters already, but no luck so far. I spoofed the needed response in the meantime.

Best regards.


> Am 23.07.2020 um 00:42 schrieb Phillip R. Jaenke <prj at rootwyrm.com>:
> On 7/17/2020 9:53 AM, Bit World Computing e.K. - Michael Mertel via
> dnsdist wrote:
>> Hi,
>> at one site there are Windows 2012 (?) DNS servers for internal domains, and whenever I try to dig some records or have dnsdist use them as upstream servers I’am getting a FORMERR.
>> I don’t have a chance to get this fixed on Windows side and don’t wanna intervene to avoid trouble with the Windows admins.
>> To get some results with dig I could use either +noedns or +nocookie, but is there a way to inject these kind of options in the request from dnsdist to the Windows DNS?
> That's actually rather surprising to me that you're seeing that; I have
> Windows 2k19 upstream here (functional 2k12R2) and I can't reproduce. It
> sounds like they may be legitimately broken - or more likely have some
> sort of broken load-balancer out front.
> You can use DisableECSAction() / dq.useECS to disable ECS globally, but
> that's probably not what you're looking for. Have you tried adding
> 'useClientSubnet=false' to the newServers() entry for the AD DNS pool?
> -Phil

More information about the dnsdist mailing list