We have our Microsoft AD DNS servers replicating to our Sidewinder - which uses BIND for its DNS server. We ran into a situation where reverse lookup requests to the Sidewinder returned back a truncated UDP packet to the DNS client. When we added another DNS Microsoft Domain Controller, it added that name in the authoritative nameservers section of the UDP message which put it beyond the 512 byte limit. It was at about 500 bytes before we added the domain controller - then it moved to 529 which caused BIND to set the truncation flag bit in the UDP header causing the DNS client to come back in TCP mode to get the full message.

Microsoft DNS doesn't send back the "Authoritative nameservers" section in its UDP responses to reverse lookups - they probably learned that the hard way and took it out and only send back the Question and Answer section.

Is there a way to modify BIND to not send the "Authoritative nameservers" section in its UDP responses and only the Question and Answer?

Hi,

You can use:
to limit each packet to 512 bytes. In your case just max-udp-size should do.

Regards

Wouldn't the truncation bit still be set by BIND on the Sidewinder then? Or does the act of limiting this remove the "Authentication nameservers" section of the UDP reverse lookup return packet?

Thanks.

Yes, I guess the truncation bit will be set as the response still does not fit in 512 bytes.
No it won't. But reading the bind documentation, I've found the option:
that removes the Authority section in the response. So I guess that will do in your case

Regards