From https://kevinlocke.name/bits/2017/01/20/formerr-from-microsoft-dns-server-for-dig/

dig returns a result like this:

    $ dig example.domain

    ; <<>> DiG 9.11.0-P3 <<>> example.domain
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 35046
    ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
    ;; WARNING: recursion requested but not available

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ; COOKIE: bce218e32f7fe8ec (echoed)
    ;; QUESTION SECTION:
    ;example.domain IN A

    ;; Query time: 1 msec
    ;; SERVER: 10.0.1.11#53(10.0.1.11)
    ;; WHEN: Thu Mar 16 10:07:21 PDT 2017
    ;; MSG SIZE rcvd: 65

dig 9.11 and later send the DNS COOKIE option, which older Microsoft DNS servers do not understand and treat as an error. The workaround is to use the "+nocookie" or "+noedns" option with dig, e.g.

    $ dig +nocookie example.domain
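
To see what the server is objecting to, the following added example (not from the original post) builds the query on the wire with the COOKIE option (code 10, RFC 7873) inside the EDNS OPT record (type 41, RFC 6891), then reads the RCODE and EDNS options back out of a reply and names the dig option to retry with. The function names are hypothetical, the reply is constructed by flipping the header flags of the query, and the query id and cookie are the ones shown in the output above.

```python
import struct

OPT, COOKIE, FORMERR = 41, 10, 1   # RFC 6891 OPT type, RFC 7873 option code, RCODE 1

def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qid, cookie=None, edns=True):
    """A/IN query with RD set; optional OPT RR, optionally carrying a client cookie."""
    msg = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1 if edns else 0)
    msg += encode_name(name) + struct.pack("!HH", 1, 1)
    if edns:
        rdata = b"" if cookie is None else struct.pack("!HH", COOKIE, len(cookie)) + cookie
        # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=0, RDLENGTH, RDATA
        msg += b"\x00" + struct.pack("!HHIH", OPT, 4096, 0, len(rdata)) + rdata
    return msg

def parse(msg):
    """Return (rcode, options); options is None without an OPT RR.
    Handles the shape seen above: one question, no answers, one additional RR."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    pos = 12
    for _ in range(qd):                      # skip uncompressed QNAME, QTYPE, QCLASS
        while msg[pos]:
            pos += 1 + msg[pos]
        pos += 5
    options = None
    if ar and not (an or ns) and msg[pos] == 0:
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[pos + 1:pos + 11])
        pos, end = pos + 11, pos + 11 + rdlen
        options = {} if rtype == OPT else None
        while rtype == OPT and pos + 4 <= end:
            code, length = struct.unpack("!HH", msg[pos:pos + 4])
            options[code] = msg[pos + 4:pos + 4 + length]
            pos += 4 + length
    return flags & 0x000F, options

def formerr_reply(query):
    """Constructed sample reply: the query echoed back with QR set and RCODE=FORMERR."""
    return query[:2] + struct.pack("!H", 0x8101) + query[4:]

def suggest(query, reply):
    """Name the dig option to retry with, based on what the query carried."""
    rcode, sent = parse(reply)[0], parse(query)[1]
    if rcode != FORMERR:
        return "ok"
    if sent is None:
        return "not EDNS-related"
    return "+nocookie" if COOKIE in sent else "+noedns"
```

The COOKIE option adds 12 bytes to the OPT record's RDATA (2-byte code, 2-byte length, 8-byte client cookie); `+nocookie` drops only that option, while `+noedns` drops the whole OPT record.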