[GH-ISSUE #611] Bug: Getting NXDOMAIN when not expected #199

New issue

Closed

opened 2026-02-26 04:34:22 +03:00 by kerem · 5 comments

kerem commented 2026-02-26 04:34:22 +03:00

Owner

Copy link

Originally created by @mageddo on GitHub (Nov 27, 2024).
Original GitHub issue: https://github.com/mageddo/dns-proxy-server/issues/611

Reported at #478

What is Happening

DPS solvers are forwarding the hostname query to remote solver even when the hostname exists at the dps solvers but haven´t an IP to be answered, then it causes a NXDOMAIN answer got from the remote solver or by the MG_NO_ENTRIES_RESPONSE_CODE when no remote solver could be used.

What is Expected

As explained by @aricooperdavis (ref), following the RFCs, the expected behavior would be:

• if the domain exists in any solver then that solver should handle the response.
• if a record of the requested type doesn't exist under that solver then it should return RCODE 0 ("No Error"/"NODATA").

Here are the relevant RFC standards:

• RFC 1035 states that the "Name Error" RCODE (i.e. 3, "NXDOMAIN") >"signifies that the domain name referenced in the query does not exist".
• RFC 2308 clarifies that the more appropriate RCODE would be "No Error" (i.e. 0, >"NODATA"), "which indicates that the name is valid, for the given class, but [there] are no records of the given type.".

Originally created by @mageddo on GitHub (Nov 27, 2024). Original GitHub issue: https://github.com/mageddo/dns-proxy-server/issues/611 Reported at #478 ## What is Happening DPS solvers are **forwarding** the hostname query to remote solver even when the hostname exists at the dps solvers but haven´t an IP to be answered, then it causes a NXDOMAIN answer got from the remote solver or by the `MG_NO_ENTRIES_RESPONSE_CODE` when no remote solver could be used. ## What is Expected As explained by @aricooperdavis ([ref][1]), following the RFCs, the expected behavior would be: >- if the domain exists in any solver then that solver should handle the response. >- if a record of the requested type doesn't exist under that solver then it should return RCODE 0 ("No Error"/"NODATA"). > >Here are the relevant RFC standards: > >- [RFC 1035](https://www.rfc-editor.org/rfc/rfc1035#section-4.1.1) states that the "Name Error" RCODE (i.e. 3, "NXDOMAIN") >"signifies that the domain name referenced in the query does not exist". >- [RFC 2308](https://www.rfc-editor.org/rfc/rfc2308) clarifies that the more appropriate RCODE would be "No Error" (i.e. 0, >"NODATA"), "which indicates that the name is valid, for the given class, but [there] are no records of the given type.". [1]: https://github.com/mageddo/dns-proxy-server/issues/478#issuecomment-2500986674

kerem 2026-02-26 04:34:22 +03:00

• closed this issue
• added the
  bug
  label

kerem commented 2026-02-26 04:34:22 +03:00

Author

Owner

Copy link

@cmiguelcabral commented on GitHub (Dec 19, 2025):

I already commented in the original issue, but let me give an example about what I wrote there:

With IPv6 disabled:

docker exec -it nginx nslookup artifactory.docker 172.28.0.2
Server:         172.28.0.2
Address:        172.28.0.2:53

Non-authoritative answer:
Name:   artifactory.docker
Address: 172.25.0.2

** server can't find artifactory.docker: NXDOMAIN

With IPv6 enabled:

docker exec -it nginx nslookup artifactory.docker 172.28.0.2
Server:         172.28.0.2
Address:        172.28.0.2:53

Non-authoritative answer:
Name:   artifactory.docker
Address: 172.25.0.2

Non-authoritative answer:
Name:   artifactory.docker
Address: fdd8:55dd:548c::1

It doesn't seem to be related to upstream servers as suggested because I have the same behavior with or without upstream servers configured.

<!-- gh-comment-id:3676958700 --> @cmiguelcabral commented on GitHub (Dec 19, 2025): I already commented in the original issue, but let me give an example about what I wrote there: With IPv6 disabled: ```` docker exec -it nginx nslookup artifactory.docker 172.28.0.2 Server: 172.28.0.2 Address: 172.28.0.2:53 Non-authoritative answer: Name: artifactory.docker Address: 172.25.0.2 ** server can't find artifactory.docker: NXDOMAIN ```` With IPv6 enabled: ```` docker exec -it nginx nslookup artifactory.docker 172.28.0.2 Server: 172.28.0.2 Address: 172.28.0.2:53 Non-authoritative answer: Name: artifactory.docker Address: 172.25.0.2 Non-authoritative answer: Name: artifactory.docker Address: fdd8:55dd:548c::1 ```` It doesn't seem to be related to upstream servers as suggested because I have the same behavior with or without upstream servers configured.

kerem commented 2026-02-26 04:34:22 +03:00

Author

Owner

Copy link

@mageddo commented on GitHub (Dec 19, 2025):

@cmiguelcabral

It occurs because NSLOOKUP is asking both IPV4 and IPV6 to DPS into two separate queries, as DPS has not an IPV6 to answer then it responds error code 3 (which is not expected because the hostname exists, even only with ipv4 addresses), then nslookup consider that the process has errors.

The only workaround is to stop asking IPV6 addresses to DPS

 nslookup -po=5354 -type=A  kafka.docker 127.0.0.1
Server:		127.0.0.1
Address:	127.0.0.1#5354

Non-authoritative answer:
Name:	kafka.docker
Address: 172.21.0.3

That's a simple issue to fix on DPS, hope to fix it in the next days.

<!-- gh-comment-id:3677028472 --> @mageddo commented on GitHub (Dec 19, 2025): @cmiguelcabral It occurs because NSLOOKUP is asking both IPV4 and IPV6 to DPS into two separate queries, as DPS has not an IPV6 to answer then it responds error code 3 (which is not expected because the hostname exists, even only with ipv4 addresses), then nslookup consider that the process has errors. The only workaround is to stop asking IPV6 addresses to DPS ``` nslookup -po=5354 -type=A kafka.docker 127.0.0.1 Server: 127.0.0.1 Address: 127.0.0.1#5354 Non-authoritative answer: Name: kafka.docker Address: 172.21.0.3 ``` That's a simple issue to fix on DPS, hope to fix it in the next days.

kerem commented 2026-02-26 04:34:22 +03:00

Author

Owner

Copy link

@cmiguelcabral commented on GitHub (Dec 20, 2025):

That would be great.
Nginx doesn't seem to handle well the way dps is working now.
The truth is that dnsmasq doesn't do the same thing, if there is no IPv6, it just responds the IPv4.

<!-- gh-comment-id:3677236847 --> @cmiguelcabral commented on GitHub (Dec 20, 2025): That would be great. Nginx doesn't seem to handle well the way dps is working now. The truth is that dnsmasq doesn't do the same thing, if there is no IPv6, it just responds the IPv4.

kerem commented 2026-02-26 04:34:22 +03:00

Author

Owner

Copy link

@mageddo commented on GitHub (Dec 24, 2025):

5.6.1 is out, appreciate feedback, thanks in advance.

<!-- gh-comment-id:3688309070 --> @mageddo commented on GitHub (Dec 24, 2025): [5.6.1][1] is out, appreciate feedback, thanks in advance. [1]: https://github.com/mageddo/dns-proxy-server/releases/tag/5.6.1-snapshot

kerem commented 2026-02-26 04:34:22 +03:00

Author

Owner

Copy link

@cmiguelcabral commented on GitHub (Dec 25, 2025):

5.6.1 is out, appreciate feedback, thanks in advance.

Working perfectly!

Thank you very much for all your work!!

<!-- gh-comment-id:3690840064 --> @cmiguelcabral commented on GitHub (Dec 25, 2025): > [5.6.1](https://github.com/mageddo/dns-proxy-server/releases/tag/5.6.1-snapshot) is out, appreciate feedback, thanks in advance. Working perfectly! Thank you very much for all your work!!

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

master

gh-pages

develop

feat/138_2

feat/629

feat/594

5.9.0

5.9.0-snapshot

5.8.4

5.8.4-snapshot

5.8.3-snapshot

5.8.2-snapshot

5.8.1-snapshot

5.8.0-snapshot

5.7.0-snapshot

5.6.2-snapshot

5.6.1-snapshot

5.6.0-snapshot

5.5.1-snapshot

5.5.0-snapshot

5.4.0-snapshot

5.3.0-snapshot

5.2.0-snapshot

5.1.3-snapshot

5.1.2-snapshot

5.1.0-snapshot

5.0.5-snapshot

5.0.3-snapshot

5.0.2-snapshot

5.0.1-snapshot

5.0.0-snapshot

4.3.0-snapshot

4.2.0-snapshot

4.0.0

4.0.0-snapshot

3.32.7

3.32.7-snapshot

3.32.6

3.32.6-snapshot

3.32.5-snapshot

3.32.4

3.32.4-snapshot

3.32.3

3.32.3-snapshot

3.32.2-snapshot

3.32.1-snapshot

3.32.0-snapshot

3.31.1-snapshot

3.31.0-snapshot

3.30.5-snapshot

3.30.4

3.30.4-snapshot

3.30.3-snapshot

3.30.2-snapshot

3.30.1

3.30.1-snapshot

3.30.0-snapshot

3.29.0-snapshot

3.27.0

3.27.0-snapshot

3.26.0-snapshot

3.25.14

3.25.14-snapshot

3.25.13-snapshot

3.25.12-snapshot

3.25.11

3.25.11-snapshot

3.25.10

3.25.10-snapshot

3.25.9-snapshot

3.25.8-snapshot

3.25.7-snapshot

3.25.6-snapshot

3.25.4-snapshot

3.25.3-snapshot

3.25.2-snapshot

3.25.1-snapshot

3.25.0-snapshot

3.24.2

3.24.2-snapshot

3.24.1

3.24.1-snapshot

3.24.0-snapshot

3.23.0-snapshot

3.22.2-snapshot

3.22.3-snapshot

3.22.1-snapshot

3.21.3-snapshot

3.22.0-snapshot

3.21.2-snapshot

3.21.1-snapshot

3.20.0-snapshot

3.21.0-snapshot

3.19.7-snapshot

3.19.6-snapshot

3.19.5-snapshot

3.19.4-snapshot

3.19.3-snapshot

3.19.2-snapshot

3.19.1

3.19.1-snapshot

3.19.0

3.18.5-snapshot

3.18.4-snapshot

3.18.3-snapshot

3.18.2

3.18.2-snapshot

3.18.1-snapshot

3.18.0-snapshot

3.17.3-snapshot

3.17.2-snapshot

3.17.1-snapshot

3.17.0-snapshot

3.16.3-snapshot

3.16.2-snapshot

3.16.1-snapshot

3.16.0-snapshot

3.15.13-snapshot

3.15.12-snapshot

3.15.11-snapshot

3.15.10-snapshot

3.15.9-snapshot

3.15.8-snapshot

3.15.7-snapshot

3.15.6-snapshot

3.15.5-snapshot

3.15.4-snapshot

3.15.3-snapshot

3.15.2-snapshot

3.15.1-snapshot

3.15.0-snapshot

3.14.5

3.14.4

3.14.3

3.14.3-snapshot

3.14.2-snapshot

3.14.1-snapshot

3.14.0-snapshot

3.13.1

3.13.1-snapshot

3.13.0-snapshot

3.12.1

3.12.0

3.11.0

3.10.2-snapshot

3.10.3-snapshot

3.10.4-snapshot

3.10.5-snapshot

3.10.1-snapshot

3.9.2

3.9.1

3.9.0

3.8.1-last-version-with-quarkus

3.8.1

3.8.0

3.7.0

3.6.0

3.5.3

3.5.2

3.5.0

3.4.0-beta

3.3.0-beta

3.2.5-beta

3.2.4-beta

3.2.3-beta

3.2.2-beta

3.2.1-beta

3.2.0-beta

3.1.7-beta

3.1.6-beta

3.1.5-beta

3.1.4-beta

3.1.3-beta

3.1.2-beta

b-jre-8

3.1.1-beta

3.1.0-beta

3.0.4-beta

3.0.3-beta

3.0.2-beta

3.0.1-beta

v2-golang

2.19.5

2.19.4

2.19.3

2.19.2

2.19.1

2.19.0

2.18.7

2.18.6

2.18.5

2.18.4

2.18.3

2.18.2

2.18.1

2.18.0

2.17.4

2.17.3

2.17.2

2.17.1

2.17.0

2.16.0

2.15.0

2.14.6

2.14.5

2.14.4

2.14.2

2.14.1

2.14.0

2.13.2

2.13.1

2.13.0

2.12.0

2.11.0

2.10.4

2.10.3

2.10.2

2.10.1

2.10.0

2.9.1

2.9.0

2.8.0

2.7.0

2.6.1

2.6.0

2.5.4

2.5.3

2.5.2

2.5.1

2.5.0

2.4.1

2.4.0

2.3.3

2.2.3

2.2.2

2.2.1

2.2.0

2.1.8

2.1.7

2.1.6

2.1.5

2.1.2

2.1.1

2.1.0

2.0.21

2.0.20

2.0.19

2.0.18

2.0.17

2.0.16

2.0.9

2.0.5

2.0.4

v1-nodejs

1.8.1

1.8.0

1.7.7

1.7.6

1.7.5

1.7.4

1.7.3

1.7.2

1.7.1

1.7.0

1.6.9

1.6.8

1.6.7

1.6.6

1.6.5

1.6.4

1.6.3

1.6.2

1.6.1

1.6.0

1.5.0

1.4.0

1.3.5

1.3.4

1.3.3

1.3.2

1.3.1

1.3.0

peteris-version

1.1.4-peteris-version

1.2.0

1.1.3

1.1.2

1.1.1

1.1.0

1.0.1

1.0.0

Labels

Clear labels   

bug

  

confirmed

  

discussion

  

duplicate

  

enhancement

  

feature

  

feature-request

  

not-planned

  

pull-request

Mirrored from GitHub Pull Request

  

secondary-feature

  

stale

  

triage

  

waiting-feedback

No labels

bug

confirmed

discussion

duplicate

enhancement

feature

feature-request

not-planned

pull-request

secondary-feature

stale

triage

waiting-feedback

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/dns-proxy-server-mageddo#199

No description provided.