I'm running DNS debug logging to gather more information on interesting DNS traffic.
The log shows a PTR lookup to 2 of 3 DNS forwarders with SERVFAIL. Then there is an A record lookup, and then a subsequent PTR lookup to the DNS server provided in the previous A record lookup's DATA section. How does my DNS server use a DNS server IP that is neither a forwarder nor a root hint server? It's like my DNS server is unhappy with the SERVFAIL responses and fetches some unknown DNS server to query.
There are other external DNS servers my internal DNS server will query; this is the example I'm focused on because the IP 195.22.26.248 is a sinkhole.
2 SERVFAIL PTR requests:
5/28/2019 10:55:28 AM 0870 PACKET 0000021D4647AD00 UDP Rcv 66.155.216.122 83f8 R Q [8281 DR SERVFAIL] PTR (3)185(3)142(3)237(3)204(7)IN-ADDR(4)ARPA(0)
UDP response info at 0000021D4647AD00
5/28/2019 10:55:28 AM 0870 PACKET 0000021D469FAD90 UDP Rcv 207.59.153.242 83f8 R Q [8281 DR SERVFAIL] PTR (3)185(3)142(3)237(3)204(7)IN-ADDR(4)ARPA(0)
UDP response info at 0000021D469FAD90
Unusual A record lookup to DNS forwarder:
5/28/2019 10:55:32 AM 0AD4 PACKET 0000021D4949F920 UDP Snd 207.59.153.242 d011 Q [0001 D NOERROR] A (3)ns1(19)whartontechnologies(3)com(0)
UDP question info at 0000021D4949F920
ANSWER SECTION:
Offset = 0x002d, RR count = 0
TYPE A (1)
CLASS 1
TTL 89
DLEN 4
DATA 195.22.26.248
Unusual PTR lookup to unknown DNS server (provided in the previous A record lookup results):
5/28/2019 10:55:28 AM 0870 PACKET 0000021D473A50B0 UDP Snd 195.22.26.248 c021 Q [0000 NOERROR] PTR (3)185(3)142(3)237(3)204(7)IN-ADDR(4)ARPA(0)
UDP question info at 0000021D473A50B0
Can any DNS guru help me understand how or why an internal DNS server will query an unknown DNS server?
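
Added example, not part of the original post: a Python parser for debug-log lines like the ones quoted above that lists every query the server sent to an address outside the forwarder list, together with the A lookup whose DATA section contained that address. The function names and the `FORWARDERS` set are assumptions; only two of the three forwarders appear in the post, and the sample is the post's own packet and DATA lines.

```python
import re
# Packet line of a Windows DNS debug log, in the layout of the excerpts above.
PACKET = re.compile(
    r"PACKET\s+\S+\s+(?:UDP|TCP)\s+(?P<dir>Snd|Rcv)\s+(?P<ip>\S+)\s+"
    r"[0-9a-fA-F]{4}\s+(?P<resp>R)?\s*\S\s+\[(?P<flags>[^\]]*)\]\s+"
    r"(?P<qtype>\S+)\s+(?P<qname>\S+)")
DATA = re.compile(r"^\s*DATA\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$")

def decode_name(raw):
    """(3)ns1(19)whartontechnologies(3)com(0) -> ns1.whartontechnologies.com"""
    labels = re.findall(r"\(\d+\)([^()]+)", raw)
    return ".".join(labels).lower()

def parse(log):
    """Return one dict per PACKET line; DATA lines attach to the packet above."""
    events = []
    for line in log.splitlines():
        m = PACKET.search(line)
        if m:
            events.append({"dir": m["dir"], "ip": m["ip"],
                           "response": m["resp"] is not None,
                           "rcode": m["flags"].split()[-1],
                           "qtype": m["qtype"],
                           "qname": decode_name(m["qname"]), "data": []})
        elif events and (d := DATA.match(line)):
            events[-1]["data"].append(d.group(1))
    return events

def off_list_queries(events, forwarders):
    """Queries sent outside `forwarders`, plus the A lookup that yielded the IP."""
    # Map each address seen in an A record DATA section back to the name queried.
    a_source = {ip: e["qname"] for e in events if e["qtype"] == "A"
                for ip in e["data"]}
    return [(e["ip"], e["qtype"], e["qname"], a_source.get(e["ip"]))
            for e in events
            if e["dir"] == "Snd" and not e["response"]
            and e["ip"] not in forwarders]

# Packet and DATA lines copied from the post above.
SAMPLE = """\
5/28/2019 10:55:28 AM 0870 PACKET 0000021D4647AD00 UDP Rcv 66.155.216.122 83f8 R Q [8281 DR SERVFAIL] PTR (3)185(3)142(3)237(3)204(7)IN-ADDR(4)ARPA(0)
5/28/2019 10:55:28 AM 0870 PACKET 0000021D469FAD90 UDP Rcv 207.59.153.242 83f8 R Q [8281 DR SERVFAIL] PTR (3)185(3)142(3)237(3)204(7)IN-ADDR(4)ARPA(0)
5/28/2019 10:55:32 AM 0AD4 PACKET 0000021D4949F920 UDP Snd 207.59.153.242 d011 Q [0001 D NOERROR] A (3)ns1(19)whartontechnologies(3)com(0)
DATA 195.22.26.248
5/28/2019 10:55:28 AM 0870 PACKET 0000021D473A50B0 UDP Snd 195.22.26.248 c021 Q [0000 NOERROR] PTR (3)185(3)142(3)237(3)204(7)IN-ADDR(4)ARPA(0)
"""
# Assumption: only two of the three forwarders appear in the post; add the third.
FORWARDERS = {"66.155.216.122", "207.59.153.242"}
print(off_list_queries(parse(SAMPLE), FORWARDERS))
```

The A-to-IP correlation ignores line order, since the PTR query to 195.22.26.248 is timestamped before the A lookup in the excerpts as posted.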