DNS fails external domain resolution

Thread starter: Jim Mapes

Jim Mapes

I'm trying to shut down an old NT4 server running DNS and use DNS on a
new Win2003 server. The new DNS works fine internally but will not
resolve external domain queries. This was tested using nslookup;
queries using NT4 DNS to www.ibm.com are OK, the same query using
W2003 DNS fails.

I've checked the following under W2003 DNS:
- No root domain is present.
- Root hints are set to i.root-servers.net. (192.36.148.17)
- Forwarders are set to IP addresses of two DNS servers of our ISP,
for DNS domain 'All other DNS domains'.

Can someone point out what I may be missing here?
Thanks,
Jim
 
Jim Mapes said:
[...]

You only have one root hint server listed?


On the Advanced tab, is "Disable recursion" checked?
 
Kevin D. Goodknecht said:

You only have one root hint server listed?


On the Advanced tab, is "Disable recursion" checked?

--
Best regards,
Kevin D4 Dad Goodknecht Sr. [MVP]
Hope This Helps
============================


Kevin, may also be an EDNS0 issue. Let's disable it and see if that helps:

832223 - Some DNS Name Queries Are Unsuccessful After You Upgrade Your DNS
Server to Windows Server 2003:
http://support.microsoft.com/?id=832223

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory

HAM AND EGGS: A day's work for a chicken; A lifetime commitment for a
pig. --
=================================
 
You only have one root hint server listed?

Yes, just one root hint server, i.root-servers.net. (192.36.148.17)

"Disable recursion" is NOT checked.

I set enableednsprobes to 0, per Q832223, but that didn't help, even
after stopping/starting the DNS service.

I had already tried nslookup earlier with my firewall packet filtering
down, that didn't make a difference, so it doesn't appear to be a
problem with blocked packets at my firewall.

Still scratching my head.
Thanks.
Jim
 
Jim Mapes posted their thoughts, then I offered mine:

Try using this as a forwarder:
4.2.2.2


--
Regards,
Ace

 
With 4.2.2.2 as the first forwarder, it works. With it removed and using
the 2 forwarders of my ISP, it doesn't. Progress, but I don't understand
this. I guess I could leave 4.2.2.2 as a forwarder, but I don't know who
this is. Even if I do, I'd like to understand why it works with 4.2.2.2 but
not with my ISP's DNS as forwarders.

Thanks.

Jim
 
Jim Mapes said:
[...]


Because they have it disabled. It's called the RA bit (recursion available).
Try it yourself... in a CMD prompt run:

nslookup -d2
yourIspDnsAddress

and you can see the RD question "want recursion", and the response,
"recursion available". Here's 4.2.2.2's response below. Make sure you look
under the "Got Answer" section. Test your own ISP's DNS. Many ISPs turn that
feature off. You can too under your own MS DNS, to keep others from using
your DNS server as a forwarder, by going into DNS properties, Advanced tab,
"Disable recursion" check box.

~~~~~~~~~~~~~~~~~~~~~
Got answer (275 bytes):
HEADER:
opcode = QUERY, id = 2, rcode = NOERROR
header flags: response, auth. answer, want recursion, recursion avail.
questions = 1, answers = 1, authority records = 5, additional = 5
~~~~~~~~~~~~~~~~~~~~~

--
Regards,
Ace

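Ace's nslookup -d2 check in code form, as an added example that is not part of this thread: it builds a query with "want recursion" set, decodes the same header flags nslookup prints (response, auth. answer, want recursion, recursion avail.), and decides whether a server can serve as a forwarder. The two sample response headers are constructed from the flag descriptions above; probe() is an optional live check that sends the query straight to the server under test rather than through the local resolver.

```python
import socket
import struct
# DNS header flag bits (RFC 1035 section 4.1.1), in nslookup -d2's wording.
QR = 0x8000  # "response"
AA = 0x0400  # "auth. answer"
RD = 0x0100  # "want recursion" (recursion desired)
RA = 0x0080  # "recursion avail." (recursion available)

def build_query(name, qid=1, qtype=12):
    """Standard query with RD set, as a forwarding server or nslookup sends it (qtype 12 = PTR)."""
    header = struct.pack("!HHHHHH", qid, RD, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def parse_flags(msg):
    """Decode the 12-byte header into the fields nslookup -d2 prints under HEADER."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": qid,
        "response": bool(flags & QR),
        "auth_answer": bool(flags & AA),
        "want_recursion": bool(flags & RD),
        "recursion_avail": bool(flags & RA),
        "rcode": flags & 0x000F,
        "counts": (qd, an, ns, ar),
    }

def usable_as_forwarder(response, qid):
    """A forwarder must answer our id with RA set; an authoritative-only server clears RA."""
    f = parse_flags(response)
    return f["response"] and f["id"] == qid and f["recursion_avail"] and f["rcode"] == 0

def probe(server, name="www.ibm.com", timeout=3.0):
    """Live check: one UDP query straight to server:53 (not via the local resolver)."""
    q = build_query(name, qid=7, qtype=1)  # qtype 1 = A
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(512)
    return usable_as_forwarder(data, 7)

# Constructed sample headers (bodies omitted; only the header is inspected):
# 0x8580 = response, auth. answer, want recursion, recursion avail. (the 4.2.2.2 answer above)
RECURSIVE_RESPONSE = struct.pack("!HHHHHH", 2, 0x8580, 1, 1, 5, 5)
# 0x8400 = response, auth. answer, RA clear: a content-only server that refuses recursion
AUTH_ONLY_RESPONSE = struct.pack("!HHHHHH", 2, 0x8400, 1, 0, 0, 0)
```

A PTR query for 44.20.1.10.in-addr.arpa built this way is 41 bytes, the same "SendRequest(), len 41" nslookup reports later in the thread.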
 
Jim Mapes said:
[...]

You are probably using your ISP's authoritative content DNS servers. Many
ISPs, especially the large ones, have DNS servers used only for hosting public
domain zones that have recursion disabled. I can almost bet you that they
will have many other DNS servers used as caching DNS servers. They
are usually dispersed geographically; check your ISP's home page.
 
I don't mean to beat this to death, but I would like to have a better
understanding of this. The responses I got back to the -d2 query are listed
below. In these queries, 10.1.20.44 is my W2003 DNS, 10.1.20.11 is my old
NT4 DNS. I queried our ISP's primary and secondary DNS servers. If I read
these responses correctly, both my old and new DNS servers are asking for
recursion, and both of my ISP's DNS servers have recursion available.

Both my old (NT4) and new (W2003) DNS servers have the forwarders set to the
same addresses - two of my ISP's DNS servers. For this test, I added
4.2.2.2 to my W2003 DNS forwarders list. If I remove 4.2.2.2 from the W2003
DNS forwarders list, external resolution fails. Which leads to the
question: If both my old and new DNS servers want recursion, and both of my
ISP's DNS servers have recursion available, why does external resolution
work with my old DNS but not my new DNS (without adding 4.2.2.2)?

I guess the quick solution is to just leave 4.2.2.2 as a forwarder on my new
DNS server, but I'm concerned with the long term availability of this
address. What's to keep them from deciding to disable recursion?

My nslookup results are posted below:

From my Win2003 DNS:

SendRequest(), len 41
HEADER:
opcode = QUERY, id = 1, rcode = NOERROR
header flags: query, want recursion
questions = 1, answers = 0, authority records = 0, additional = 0

QUESTIONS:
44.20.1.10.in-addr.arpa, type = PTR, class = IN

------------
------------
Got answer (68 bytes):
HEADER:
opcode = QUERY, id = 1, rcode = NOERROR
header flags: response, auth. answer, want recursion, recursion avail.
questions = 1, answers = 1, authority records = 0, additional = 0

QUESTIONS:
44.20.1.10.in-addr.arpa, type = PTR, class = IN
ANSWERS:
-> 44.20.1.10.in-addr.arpa
type = PTR, class = IN, dlen = 15
name = grsrv9.kv.com
ttl = 1200 (20 mins)

------------
Server: grsrv9.kv.com
Address: 10.1.20.44

------------
SendRequest(), len 45
HEADER:
opcode = QUERY, id = 2, rcode = NOERROR
header flags: query, want recursion
questions = 1, answers = 0, authority records = 0, additional = 0

QUESTIONS:
10.184.177.204.in-addr.arpa, type = PTR, class = IN

------------
------------
Got answer (71 bytes):
HEADER:
opcode = QUERY, id = 2, rcode = NOERROR
header flags: response, want recursion, recursion avail.
questions = 1, answers = 1, authority records = 0, additional = 0

QUESTIONS:
10.184.177.204.in-addr.arpa, type = PTR, class = IN
ANSWERS:
-> 10.184.177.204.in-addr.arpa
type = PTR, class = IN, dlen = 14
name = k2.iserv.net
ttl = 8 (8 secs)

------------
Name: k2.iserv.net
Address: 204.177.184.10
=================================================

From my NT4 DNS:

------------
SendRequest(), len 41
HEADER:
opcode = QUERY, id = 1, rcode = NOERROR
header flags: query, want recursion
questions = 1, answers = 0, authority records = 0, additional = 0

QUESTIONS:
11.20.1.10.in-addr.arpa, type = PTR, class = IN

------------
------------
Got answer (67 bytes):
HEADER:
opcode = QUERY, id = 1, rcode = NOERROR
header flags: response, auth. answer, want recursion, recursion avail.
questions = 1, answers = 1, authority records = 0, additional = 0

QUESTIONS:
11.20.1.10.in-addr.arpa, type = PTR, class = IN
ANSWERS:
-> 11.20.1.10.in-addr.arpa
type = PTR, class = IN, dlen = 14
name = kvnt1.kv.com
ttl = 3600 (1 hour)

------------
Server: kvnt1.kv.com
Address: 10.1.20.11

------------
SendRequest(), len 45
HEADER:
opcode = QUERY, id = 2, rcode = NOERROR
header flags: query, want recursion
questions = 1, answers = 0, authority records = 0, additional = 0

QUESTIONS:
15.184.177.204.in-addr.arpa, type = PTR, class = IN

------------
------------
Got answer (139 bytes):
HEADER:
opcode = QUERY, id = 2, rcode = NOERROR
header flags: response, auth. answer, want recursion, recursion avail.
questions = 1, answers = 1, authority records = 2, additional = 2

QUESTIONS:
15.184.177.204.in-addr.arpa, type = PTR, class = IN
ANSWERS:
-> 15.184.177.204.in-addr.arpa
type = PTR, class = IN, dlen = 19
name = everest.iserv.net
ttl = 8 (8 secs)
AUTHORITY RECORDS:
-> 184.177.204.in-addr.arpa
type = NS, class = IN, dlen = 5
nameserver = k2.iserv.net
ttl = 8 (8 secs)
-> 184.177.204.in-addr.arpa
type = NS, class = IN, dlen = 2
nameserver = everest.iserv.net
ttl = 8 (8 secs)
ADDITIONAL RECORDS:
-> k2.iserv.net
type = A, class = IN, dlen = 4
internet address = 204.177.184.10
ttl = 86400 (1 day)
-> everest.iserv.net
type = A, class = IN, dlen = 4
internet address = 204.177.184.15
ttl = 86400 (1 day)

------------
Name: everest.iserv.net
Address: 204.177.184.15

Thanks.
Jim
 