The FORMERR messages are malformed negative responses. Complain to the operator of the site. Azure is adding the wrong SOA record to the negative response. It should be for the zone which holds the record, not some other random zone.

The REFUSED will likely be a bad delegation pointing to a server that is no longer serving the zone. Again, contact the operator of the zone in question.

--
Mark Andrews

> On 28 May 2026, at 17:37, [email protected] wrote:
>
> I'm testing 9.21.22 here, and getting lots of logging of the type
> "REFUSED unexpected RCODE resolving ...". Example query which
> results in such logging is asking a 9.21.22 resolver
>
> dig keyvalueservice.fe.apple-dns.net
>
> and the resolver logs
>
> named[3441]: REFUSED unexpected RCODE resolving
> 'keyvalueservice.fe.apple-dns.net/A/IN': 2600:9000:5306:2400::1#53
> named[3441]: REFUSED unexpected RCODE resolving
> 'keyvalueservice.fe.apple-dns.net/A/IN': 2600:9000:5302:ec00::1#53
> named[3441]: REFUSED unexpected RCODE resolving
> 'keyvalueservice.fe.apple-dns.net/A/IN': 2600:9000:5301:1f00::1#53
> named[3441]: REFUSED unexpected RCODE resolving
> 'keyvalueservice.fe.apple-dns.net/A/IN': 205.251.198.36#53
> named[3441]: REFUSED unexpected RCODE resolving
> 'keyvalueservice.fe.apple-dns.net/A/IN': 205.251.194.236#53
> named[3441]: REFUSED unexpected RCODE resolving
> 'keyvalueservice.fe.apple-dns.net/A/IN': 205.251.196.100#53
> named[3441]: REFUSED unexpected RCODE resolving
> 'keyvalueservice.fe.apple-dns.net/A/IN': 205.251.193.31#53
> named[3441]: REFUSED unexpected RCODE resolving
> 'keyvalueservice.fe.apple-dns.net/A/IN': 2600:9000:5304:6400::1#53
>
> If I try 9.21.22 on one of our active resolvers (~ 30k qps or more),
> there is so much logging of this type that it completely swamps any
> other logging, making the logging basically unusable. The only way I
> have found of getting rid of REFUSED logging is to use
>
> category default { null; };
>
> but that also drops basically *all* other logging, which is not
> desirable.
>
> We have much the same problem with logging of "FORMERR resolving ...".
> e.g.
>
> named[3441]: DNS format error from 2a01:111:4000:f00::f0#53 resolving
> mr-b01.tm-azurefd.net/HTTPS for 2001:8c0:2002:4:193:69:2:2#13481: Name
> trafficmanager.net (SOA) not subdomain of zone tm-azurefd.net -- invalid
> response
> named[3441]: FORMERR resolving 'mr-b01.tm-azurefd.net/HTTPS/IN':
> 2a01:111:4000:f00::f0#53
> named[3441]: DNS format error from 2620:1ec:8ec:f00::f0#53 resolving
> mr-b01.tm-azurefd.net/HTTPS for 2001:8c0:2002:4:193:69:2:2#13481: Name
> trafficmanager.net (SOA) not subdomain of zone tm-azurefd.net -- invalid
> response
> named[3441]: FORMERR resolving 'mr-b01.tm-azurefd.net/HTTPS/IN':
> 2620:1ec:8ec:f00::f0#53
> named[3441]: DNS format error from 2603:1061:0:f00::f0#53 resolving
> mr-b01.tm-azurefd.net/HTTPS for 2001:8c0:2002:4:193:69:2:2#13481: Name
> trafficmanager.net (SOA) not subdomain of zone tm-azurefd.net -- invalid
> response
> named[3441]: FORMERR resolving 'mr-b01.tm-azurefd.net/HTTPS/IN':
> 2603:1061:0:f00::f0#53
> named[3441]: DNS format error from 150.171.16.240#53 resolving
> mr-b01.tm-azurefd.net/HTTPS for 2001:8c0:2002:4:193:69:2:2#13481: Name
> trafficmanager.net (SOA) not subdomain of zone tm-azurefd.net -- invalid
> response
> named[3441]: FORMERR resolving 'mr-b01.tm-azurefd.net/HTTPS/IN':
> 150.171.16.240#53
> named[3441]: DNS format error from 13.107.222.240#53 resolving
> mr-b01.tm-azurefd.net/HTTPS for 2001:8c0:2002:4:193:69:2:2#13481: Name
> trafficmanager.net (SOA) not subdomain of zone tm-azurefd.net -- invalid
> response
> named[3441]: FORMERR resolving 'mr-b01.tm-azurefd.net/HTTPS/IN':
> 13.107.222.240#53
> named[3441]: DNS format error from 150.171.10.240#53 resolving
> mr-b01.tm-azurefd.net/HTTPS for 2001:8c0:2002:4:193:69:2:2#13481: Name
> trafficmanager.net (SOA) not subdomain of zone tm-azurefd.net -- invalid
> response
> named[3441]: FORMERR resolving 'mr-b01.tm-azurefd.net/HTTPS/IN':
> 150.171.10.240#53
>
> and again the only way I have found of getting rid of these messages
> (because they're swamping other log messages) is to send category
> default to null.
>
> Any better way of getting rid of such REFUSED and FORMERR logging?
>
> Steinar Haug, AS2116
> --
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
> this list.
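
An added example, not part of the thread and not BIND code: a small triage script that collapses the two log formats quoted above into one entry per query name with the servers that answered badly, and re-checks the "SOA not subdomain of zone" condition label by label. The function names are hypothetical, and the sample lines are taken from the quoted log and unwrapped to one line each.

```python
import re
from collections import defaultdict

# Log lines in the two formats quoted in the thread, unwrapped to one line each.
SAMPLE = """\
named[3441]: REFUSED unexpected RCODE resolving 'keyvalueservice.fe.apple-dns.net/A/IN': 205.251.198.36#53
named[3441]: REFUSED unexpected RCODE resolving 'keyvalueservice.fe.apple-dns.net/A/IN': 205.251.194.236#53
named[3441]: DNS format error from 150.171.16.240#53 resolving mr-b01.tm-azurefd.net/HTTPS for 2001:8c0:2002:4:193:69:2:2#13481: Name trafficmanager.net (SOA) not subdomain of zone tm-azurefd.net -- invalid response
named[3441]: FORMERR resolving 'mr-b01.tm-azurefd.net/HTTPS/IN': 150.171.16.240#53
"""

RCODE_RE = re.compile(
    r"(REFUSED|FORMERR)(?: unexpected RCODE)? resolving "
    r"'([^/']+)/([^/']+)/IN': (\S+)#\d+")
SOA_RE = re.compile(
    r"DNS format error from (\S+)#\d+ resolving (\S+)/\S+ for \S+: "
    r"Name (\S+) \(SOA\) not subdomain of zone (\S+) -- invalid response")

def labels(name):
    """Split a domain name into lower-cased labels, ignoring a trailing dot."""
    return [l for l in name.lower().rstrip(".").split(".") if l]

def is_subdomain(name, zone):
    """Label-wise check, so 'xtm-azurefd.net' is not under 'tm-azurefd.net'."""
    n, z = labels(name), labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z

def summarize(text):
    """Map (rcode, qname, qtype) -> sorted list of servers that returned it."""
    seen = defaultdict(set)
    for m in RCODE_RE.finditer(text):
        rcode, qname, qtype, server = m.groups()
        seen[(rcode, qname, qtype)].add(server)
    return {k: sorted(v) for k, v in seen.items()}

def soa_mismatches(text):
    """(SOA owner, zone) pairs where the SOA owner lies outside the zone."""
    return {(m.group(3), m.group(4)) for m in SOA_RE.finditer(text)
            if not is_subdomain(m.group(3), m.group(4))}

if __name__ == "__main__":
    for (rcode, qname, qtype), servers in summarize(SAMPLE).items():
        print(f"{rcode:8} {qname}/{qtype}: {len(servers)} server(s)")
    for owner, zone in soa_mismatches(SAMPLE):
        print(f"SOA owner {owner} is outside zone {zone}")
```

The per-name summary gives the list of zones whose operators need to be contacted, which is the remedy suggested in the reply.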

