DNS forwarding fails


Eddi

Greetings to all;
I have a problem with Forwarding.
My setup is as follows:
Machine 1 (MAC1):
Exchange 2000 SP3 Enterprise running on Windows 2000 Advanced Server (patched
with the latest updates)
Configured SMTP connector to forward outgoing mails to MAC3

Machine 2 (MAC2):
Windows 2000 Advanced Server (patched with the latest updates), Domain
Controller + DNS (Primary)
DNS is configured to forward queries to external public DNS servers.

Now the problem is MAC2 does not forward MX queries from MAC1 to the public
DNS servers. Therefore MAC1 fails to deliver outbound mails (inbound is
working). I checked MAC2 using NSLOOKUP; it does not resolve external name
queries. There seems to be no problem with routing (network config), because
I can do NSLOOKUP successfully from MAC2 to any public DNS server (therefore
I guess DNS should also be able to do the same). Under the Monitoring tab,
Simple test queries PASSED but Recursive FAILED.

Please help me with this problem.

Thanks in advance,
Eddi
 
Well, this is weird! I just restarted the DNS service on MAC2, and it
started working. DNS on MAC2 is now forwarding unresolved queries to
external DNS servers. All queued up outbound mails are delivered. But this
worked only for 15-20 minutes. After that the DNS on MAC2 again stopped
forwarding unresolved queries to external DNS servers. No error events are
logged!
 
E> Well, this is weird! I just restarted the DNS service on MAC2, and it
E> started working. DNS on MAC2 is now forwarding unresolved queries to
E> external DNS servers. All queued up outbound mails are delivered. But
E> this worked only for 15-20 minutes. After that the DNS on MAC2 again
E> stopped forwarding unresolved queries to external DNS servers. No error
E> events are logged!

I've seen this happening sometimes. The problem is that the MS DNS
server will skip the first forwarder if it doesn't receive answers for its
queries and will start using the second forwarder; if the second forwarder
fails it will step up and so on. Now, in case it reaches the end of the
list it will try the first forwarder again, and if this fails it will stop
forwarding queries for a certain amount of time; so ...

Be sure that your firewall allows DNS queries to remote port 53
on both UDP _and_ TCP.

Open a command prompt on your DNS machine, run nslookup and
enter the command "server <a forwarder ip here>" to check if the
DNS machine is able to reach the external forwarders.

Change the forwarders if possible and pick some more reliable
DNS servers; or (better) set up your DNS to use root hints and
completely avoid forwarders.
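The two checks recommended above (can the DNS machine reach each forwarder, and does port 53 work over both UDP and TCP) can be scripted. The following is an added example, not code from the thread: it sends a recursive MX query, the kind the mail server's lookups become, to each forwarder over UDP and then TCP and reports the reply code, so a forwarder that answers on UDP but is blocked on TCP, or that returns SERVFAIL, stands out. The forwarder addresses are constructed placeholders; replace them with your own.

```python
import socket
import struct

def build_query(name, qtype=15, txid=0x1234):
    """Build a DNS query for `name` (qtype 15 = MX) with the RD bit set,
    the kind of recursive question a forwarder has to answer for us."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD only
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack(">HH", qtype, 1)  # class IN

def parse_response(data, txid=0x1234):
    """Return (rcode, answer_count) from a raw DNS reply, or None if it is
    too short, carries the wrong transaction id, or is not a response."""
    if len(data) < 12:
        return None
    rid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    if rid != txid or not flags & 0x8000:  # QR bit must be set
        return None
    return flags & 0x000F, an

def probe(forwarder, name, proto, timeout=3.0):
    """Send one MX query to `forwarder` over UDP or TCP port 53 and return
    parse_response()'s result; None means no usable answer (timeout, block)."""
    q = build_query(name)
    try:
        if proto == "udp":
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.sendto(q, (forwarder, 53))
                data, _ = s.recvfrom(4096)
        else:  # DNS over TCP prefixes each message with a 2-byte length
            with socket.create_connection((forwarder, 53), timeout=timeout) as s:
                s.sendall(struct.pack(">H", len(q)) + q)
                ln = struct.unpack(">H", s.recv(2))[0]
                data = b""
                while len(data) < ln:
                    chunk = s.recv(ln - len(data))
                    if not chunk:
                        break
                    data += chunk
        return parse_response(data)
    except (OSError, struct.error):
        return None

if __name__ == "__main__":
    FORWARDERS = ["192.0.2.10", "192.0.2.11"]  # constructed placeholders (TEST-NET-1)
    for fwd in FORWARDERS:
        for proto in ("udp", "tcp"):
            print(fwd, proto, probe(fwd, "example.com", proto))
```

An rcode of 0 with a non-zero answer count means the forwarder resolved recursively; 2 (SERVFAIL) or None on one transport but not the other points at the forwarder or the firewall rule for that transport.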
 
Hi Eddi,

Thanks for your posting here.

Please make sure that you only point to the DNS server with the forwarder in
the clients.

You can also enable DNS logging on the DNS server. Please right-click the DNS
server and click Properties. Click the Logging tab and check all the items.

Now run NSlookup on the client to query an internet address. When the
problem occurs, please check if there is any clue in the following file.

%SystemRoot%\System32\DNS\Dns.log.

Wish it helps.

Regards,
Bob Qin
Product Support Services
Microsoft Corporation

Get Secure! - www.microsoft.com/security

====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
 
I checked and rechecked my firewall. I'm running ISA as firewall; outbound
DNS (port 53) from the Internal DNS server is allowed (I checked the ISA
server logs, no DNS packets are blocked). Further, I can do nslookup from the
Internal DNS server to all external DNS servers specified as forwarders. I
ran Ethereal on the Internal DNS server and found that it simply ignored queries
from the mail server.

I will explore the DNS logs in detail. Shall post again.

I think it's a good idea to use root hints.
 
Is the DNS also the same server running ISA? If so, post your IPconfig /all
from the DNS/ISA server. If not, please ignore.

--
Sincerely,

Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - COMPLETE SPAM Protection
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon
 