DNS root servers

I have a little problem. I've set up a Windows 2000 DNS server behind NAT to serve only my local clients, so they can go to the Internet and see computers in my local network, but now in the DNS event log approx. every two hours I get an error which says "The DNS encountered a bad packet from [IP address of root server]. Packet processing leads beyond packet length.", and the message goes for all 13 root servers in the root servers list, and the time when it reported that is the same for all root server errors. Everything works fine, name resolution and everything, but I always get those messages, which is pretty annoying, so any answer would be great?

Thank you very much
 
In Dominik <[email protected]> posted a question
Then Kevin replied below:
: I have a little problem. I've set up a Windows 2000 DNS server behind
: NAT to serve only my local clients, so they can go to the Internet and see
: computers in my local network, but now in the DNS event log approx.
: every two hours I get an error which says "The DNS encountered a bad
: packet from [IP address of root server]. Packet processing leads
: beyond packet length.", and the message goes for all 13 root servers
: in the root servers list, and the time when it reported that is the
: same for all root server errors. Everything works fine, name
: resolution and everything, but I always get those messages, which is
: pretty annoying, so any answer would be great?
:
: Thank you very much

These errors can usually be attributed to an illegal character in a machine
name, such as an underscore. We get this question popping up occasionally;
what always comes to my mind is why the query is going to the root servers.
It should not if all machines have the correct domain search list on the DNS
tab; the search list should only contain local domains which you would
want to access only by hostname.
If you can, post the ipconfig /all from your DC so we can begin to diagnose
the problem.
 
In
Dominik said:
I have a little problem. I've set up a Windows 2000 DNS server behind
NAT to serve only my local clients, so they can go to the Internet and see
computers in my local network, but now in the DNS event log approx.
every two hours I get an error which says "The DNS encountered a bad
packet from [IP address of root server]. Packet processing leads
beyond packet length.", and the message goes for all 13 root servers
in the root servers list, and the time when it reported that is the
same for all root server errors. Everything works fine, name
resolution and everything, but I always get those messages, which is
pretty annoying, so any answer would be great?

Thank you very much

What's the actual Event error Event ID#?

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Well, ipconfig /all is a little problem because the server is at the client's site, so I am not there all the time. Can you just help me understand this a little more: which machine name should be a problem, why underscore, and what do you need from ipconfig /all? Because the only suffix that comes from DHCP is the suffix of the local domain, I am sure of that.

Thanks for all your answers
 
In Dominik <[email protected]> posted a question
Then Kevin replied below:
: Well, ipconfig /all is a little problem because the server is at the
: client's site, so I am not there all the time. Can you just help me
: understand this a little more: which machine name should be a problem,
: why underscore, and what do you need from ipconfig /all? Because the only
: suffix that comes from DHCP is the suffix of the local domain, I am sure
: of that.
:
: Thanks for all your answers

I want to see the ipconfig /all to see the DC's host name, the primary DNS
suffix (which BTW does not come from DHCP), and the domains in the DNS
search list.
If you have an illegal name on your network, it should not be going to the
root servers unless there is a problem in the DNS search list.

To give you an example, I have seen users having several domain names in the
DNS search list, including a public name. Any name that you have in the DNS
search list is appended to all queries from that machine; if the zone does
not exist, DNS will try to forward or use recursion to find the name in the
domain zone even if the zone is hosted elsewhere.

If you have a machine with an underscore in it, like machine_name, and you
have domains in the search list for domain.net and domain.com but only
domain.net is in the local DNS, when the name is queried for in DNS both of
these domains may be appended to the lookup, like machine_name.domain.com
and machine_name.domain.net. Remember only domain.net is local, so the query
for machine_name.domain.com is forwarded.

This can also be a problem if the domain is domain.local and you have your
ISP's DNS in TCP/IP properties.

I could go on and on about things that could be causing this and it is
easier to look at the ipconfig /all than it is to explain all the things I
would get from seeing it.

Oh yes, one more thing: I actually think that Scott was referring to checking
the box on the Forwarder tab, "Do not use recursion", which in effect means
your DNS won't go to the root servers to resolve a name.
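The suffix-appending behaviour Kevin describes, as an added illustration that is not part of the thread: given an unqualified hostname, a client's DNS suffix search list and the zones the local DNS server actually hosts, it lists the candidate FQDNs the resolver would try, marks which of them the local server would have to forward (or recurse to the roots for, if recursion is on), and flags hostnames with characters outside the RFC 952/1123 hostname alphabet such as the underscore. The zone lists and names are constructed sample values.

```python
import re
from typing import Dict, List, Tuple

# Legal hostname label (RFC 952/1123): letters, digits and hyphens, not
# starting or ending with a hyphen. Underscore is NOT in this alphabet.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")


def is_legal_hostname(name: str) -> bool:
    """True when every label of `name` is a valid hostname label."""
    return all(LABEL_RE.match(label) for label in name.rstrip(".").split("."))


def expand_query(host: str, search_list: List[str],
                 local_zones: List[str]) -> List[Tuple[str, str]]:
    """Return (fqdn, disposition) pairs in the order the resolver tries them.

    An unqualified name gets every suffix of the search list appended, in
    order. disposition is 'local' when one of the zones hosted on the local
    DNS server is a suffix of the candidate, otherwise 'forwarded': the local
    server has no zone for it and must forward it (or recurse to the roots).
    """
    if "." in host:
        candidates = [host]                      # already qualified
    else:
        candidates = [f"{host}.{suffix}" for suffix in search_list]
    results = []
    for fqdn in candidates:
        f = fqdn.lower().rstrip(".")
        is_local = any(f == z.lower() or f.endswith("." + z.lower())
                       for z in local_zones)
        results.append((fqdn, "local" if is_local else "forwarded"))
    return results


def audit(host: str, search_list: List[str], local_zones: List[str]) -> Dict:
    """Summarise the two things the thread points at: an illegal name and
    lookups that leave the local DNS server because of the search list."""
    leaving = [fqdn for fqdn, d in expand_query(host, search_list, local_zones)
               if d == "forwarded"]
    return {"illegal_name": not is_legal_hostname(host), "leaves_local": leaving}


if __name__ == "__main__":
    # Constructed sample: Kevin's machine_name / domain.net / domain.com case.
    print(audit("machine_name", ["domain.net", "domain.com"], ["domain.net"]))
```

A single-label suffix such as `corp` in the search list shows up the same way: `host.corp` has no local zone, so it is reported as leaving the server.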
 
In
Dominik said:
If I disable recursion how would my local DNS server do a lookup???

It would use your forwarder. But if the forwarder doesn't have an answer,
disabling recursion would just stop it from using the roots.

--
Regards,
Ace


Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
But the primary DNS suffix comes from the domain to which you join when you
join the computer to the domain, and the thing could be that some of my
clients have ISP DNS servers in their local configuration of network
properties, so I will try to get ipconfig /all and then I will post to the
newsgroup. Thank you very much.
 
In
Dominik Sturlan said:
But the primary DNS suffix comes from the domain to which you join when you
join the computer to the domain, and the thing could be that some of my
clients have ISP DNS servers in their local configuration of network
properties, so I will try to get ipconfig /all and then I will post to the
newsgroup. Thank you very much.

The ISP DNS addresses need to be removed from any machine that is part of an
AD environment. Lots of things go wrong when the ISP DNS is involved.

The only place it should show up is as a Forwarder. Not in IP properties
anywhere (DCs and clients).


--
Regards,
Ace


Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
In Dominik Sturlan <[email protected]> posted a question
Then Kevin replied below:
: But the primary DNS suffix comes from the domain to which you join when you
: join the computer to the domain, and the thing could be that some of my
: clients have ISP DNS servers in their local configuration of network
: properties, so I will try to get ipconfig /all and then I will post to the
: newsgroup. Thank you very much.
:

Yes, that is correct, the primary DNS suffix does come from the domain and,
except for the DC's primary DNS suffix, it can easily be changed on members
or not even be there. Since the event is happening every two hours I suspect a
member client with an improper primary DNS suffix, connection suffix, or
domain suffix search list.
If the local DNS does not have a zone for all of these names, your DNS server
is sending the request to the roots (I'm thinking of a possible single-label
suffix); check all machines for these things.
 
Just for my curiosity, how can you change primary DNS suffix on clients that
are members of the domain?
 
In Dominik Sturlan <[email protected]> posted a question
Then Kevin replied below:
: Just for my curiosity, how can you change primary DNS suffix on
: clients that are members of the domain?
:

Network identification tab on system properties.
When you join, you have the choice to change the suffix when domain
membership changes; you can go back in and change it at any time. This is
ONLY on members; the option is not available on a DC.
Maybe you had someone with local machine administrator rights that got
curious, or maybe it was not changed when it joined the domain. It happens a
lot on notebooks, because sometimes they go home with the users; we've
had quite a few posters here trying to figure out why, when they joined their
notebook to a workgroup at home, they inadvertently removed the domain
membership.

If you want to try it yourself, do this on a domain member:
On System Properties click on the Network Identification tab, then click the
"Change" button, click the "More" button, then type in the primary DNS
suffix you want and uncheck "Change primary DNS suffix when domain membership changes".
Then OK your way out and restart the system.
I would not be a bit surprised if that is what is going on.
As a matter of fact, if this setting is not correct on a server before
DCPROMO you can have a disjointed namespace. That happens regularly, too.
Then you have to run a VBS script on the DC to correct it, because there
isn't anything else you can do but trash the domain.
 