I have an internal DNS server that is authoritative for my local zone (home.arpa.) which RouterOS’s DNS resolver is configured to forward to. I just noticed that it rewrites NXDOMAIN responses as NODATA.
With the following zone file:
$ORIGIN home.arpa.
@ IN SOA @ nobody.invalid. (1 3600 1200 604800 3600)
@ NS @
and the forwarder configured as:
/ip/dns/forwarders/add dns-servers=2001:db8::beef name=mydns
/ip/dns/static/add forward-to=mydns match-subdomain=yes name=home.arpa ttl=1h type=FWD
when I query the authoritative nameserver directly:
> dig @2001:db8::beef -t SOA nohost.home.arpa.
; <<>> DiG 9.10.6 <<>> @2001:db8::beef -t SOA nohost.home.arpa.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 51619
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;nohost.home.arpa. IN SOA
;; AUTHORITY SECTION:
home.arpa. 3600 IN SOA nohost.home.arpa. nobody.invalid. 1 3600 1200 604800 3600
;; Query time: 5 msec
;; SERVER: 2001:db8::beef#53(2001:db8::beef)
;; WHEN: Thu Apr 10 19:36:16 PDT 2025
;; MSG SIZE rcvd: 103
when I query via RouterOS’s DNS resolver:
> dig @2001:db8::1 -t SOA nohost.home.arpa.
; <<>> DiG 9.10.6 <<>> @2001:db8::1 -t SOA nohost.home.arpa.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41578
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;nohost.home.arpa. IN SOA
;; Query time: 5 msec
;; SERVER: 2001:db8::1#53(2001:db8::1)
;; WHEN: Thu Apr 10 19:39:08 PDT 2025
;; MSG SIZE rcvd: 28
Note how it rewrote the error code (NXDOMAIN → NOERROR) and removed the authority section. This behavior seems very wrong to me. What do you think?
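The difference between the two dig outputs can be checked mechanically. The following is an added example, not part of the original post: it builds two constructed DNS messages with the same header flags, RCODE and section counts as the replies above, then reports what changed between the authoritative reply and the forwarded one. The function names, the message ID and the SOA field values are assumptions made for illustration.

```python
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def encode_name(name):
    """Encode a domain name as uncompressed DNS labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_response(qname, qtype, flags, soa_owner=None):
    """Build a constructed response: header, question, optional SOA in authority."""
    nscount = 1 if soa_owner else 0
    msg = struct.pack("!6H", 0x1234, flags, 1, 0, nscount, 0)
    msg += encode_name(qname) + struct.pack("!2H", qtype, 1)
    if soa_owner:
        rdata = encode_name(soa_owner) + encode_name("nobody.invalid.")
        rdata += struct.pack("!5I", 1, 3600, 1200, 604800, 3600)
        # type 6 = SOA, class 1 = IN, TTL 3600, then RDLENGTH and RDATA
        msg += encode_name(soa_owner) + struct.pack("!2HIH", 6, 1, 3600, len(rdata)) + rdata
    return msg

def summarize(msg):
    """Parse the 12-byte header and classify the kind of answer."""
    _id, flags, _qd, an, ns, _ar = struct.unpack("!6H", msg[:12])
    rcode = RCODES.get(flags & 0xF, str(flags & 0xF))
    # NOERROR with an empty answer section is treated as NODATA
    # (referrals are not distinguished in this simplified check).
    kind = ("ANSWER" if an else "NODATA") if rcode == "NOERROR" else rcode
    return {"kind": kind, "aa": bool(flags & 0x0400), "nscount": ns}

def compare(upstream, forwarded):
    """List the ways a forwarder's reply differs from the authoritative one."""
    u, f = summarize(upstream), summarize(forwarded)
    findings = []
    if u["kind"] != f["kind"]:
        findings.append(f"{u['kind']} rewritten as {f['kind']}")
    if u["nscount"] and not f["nscount"]:
        findings.append("authority section (SOA) dropped")
    return findings

# Constructed messages: flags 0x8503 = qr aa rd + NXDOMAIN, 0x8180 = qr rd ra + NOERROR.
AUTHORITATIVE = build_response("nohost.home.arpa.", 6, 0x8503, soa_owner="home.arpa.")
FORWARDED = build_response("nohost.home.arpa.", 6, 0x8180)

if __name__ == "__main__":
    for line in compare(AUTHORITATIVE, FORWARDED):
        print(line)
```

The same `summarize` function works on raw bytes captured from a real UDP reply, since it reads only the fixed 12-byte header.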