From https://kevinlocke.name/bits/2017/01/20/formerr-from-microsoft-dns-server-for-dig/

dig returns a result like this:

	$ dig example.domain

	; <<>> DiG 9.11.0-P3 <<>> example.domain
	;; global options: +cmd
	;; Got answer:
	;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 35046
	;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
	;; WARNING: recursion requested but not available

	;; OPT PSEUDOSECTION:
	; EDNS: version: 0, flags:; udp: 4096
	; COOKIE: bce218e32f7fe8ec (echoed)
	;; QUESTION SECTION:
	;example.domain                 IN      A

	;; Query time: 1 msec
	;; SERVER: 10.0.1.11#53(10.0.1.11)
	;; WHEN: Thu Mar 16 10:07:21 PDT 2017
	;; MSG SIZE  rcvd: 65

dig 9.11 and later send the DNS COOKIE option by default, which older
Microsoft DNS servers do not understand and treat as an error (the FORMERR
status above). The workaround is to use the "+nocookie" or "+noedns" option
with dig, e.g.

	$ dig +nocookie example.domain
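
What "+nocookie" and "+noedns" change on the wire, as an added example that is not part of the original post: it builds the query with and without the COOKIE option in the EDNS OPT record and reads the RCODE and cookie back out of a message. The function names are hypothetical, and legacy_reply is a toy model that assumes the server behaves as described above; the query id and cookie in the test are the ones from the dig output.

```python
import struct

OPT, COOKIE, FORMERR = 41, 10, 1   # OPT RR type, COOKIE option code, RCODE 1

def build_query(name, qid, edns=True, cookie=None):
    """A query for name; cookie=None mirrors +nocookie, edns=False mirrors +noedns."""
    msg = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1 if edns else 0)  # RD set
    for label in name.rstrip(".").split("."):
        msg += bytes([len(label)]) + label.encode("ascii")
    msg += b"\x00" + struct.pack("!HH", 1, 1)             # root, QTYPE A, QCLASS IN
    if edns:
        rdata = b""
        if cookie is not None:
            rdata = struct.pack("!HH", COOKIE, len(cookie)) + cookie
        # OPT RR: root owner, TYPE 41, CLASS = UDP size 4096, TTL = version 0
        msg += b"\x00" + struct.pack("!HHIH", OPT, 4096, 0, len(rdata)) + rdata
    return msg

def skip_name(msg, off):
    """Offset just past a name, which may end in a compression pointer."""
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:
            return off + 2
        off += 1 + n
        if n == 0:
            return off

def summarize(msg):
    """Return (rcode, cookie bytes or None) for a DNS message."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, cookie = 12, None
    for _ in range(qd):
        off = skip_name(msg, off) + 4                     # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        p, off = off + 10, off + 10 + rdlen
        while rtype == OPT and p + 4 <= off:              # walk EDNS options
            code, olen = struct.unpack("!HH", msg[p:p + 4])
            if code == COOKIE:
                cookie = msg[p + 4:p + 4 + olen]
            p += 4 + olen
    return flags & 0x000F, cookie

def legacy_reply(query):
    """Toy model (assumption): echo the query, FORMERR if it has a COOKIE."""
    has_cookie = summarize(query)[1] is not None
    flags = 0x8100 | (FORMERR if has_cookie else 0)       # QR + RD
    return query[:2] + struct.pack("!H", flags) + query[4:]
```

The COOKIE option adds 12 bytes to the OPT record (4 bytes of option header plus the 8-byte client cookie), and "+noedns" removes the 11-byte OPT record altogether.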