DNS Server Drops Replies?

Kim

If a Microsoft DNS server received a DNS reply from an IP
address that was not defined in its IP Forwarding table -
would it drop it?

Let's say the DNS server was configured with IP-A in its
forwarding table. However, when the reply comes back, it
is from IP-B. Does it care?

Thanks,
Kim
 
Kim said:
If a Microsoft DNS server received a DNS reply from an IP
address that was not defined in its IP Forwarding table -
would it drop it?

This question may not even mean what you intended to ask....

Most stations (millions and millions), even whole networks (up to
millions), are not listed in the routing table of machines and seldom
even in the routing table of ROUTERS.

We list those we can contact directly or through known routers and
send the other traffic to the "router of last resort" (better known as:
Default Gateway.)

Kim said:
Let's say the DNS server was configured with IP-A in its
forwarding table. However, when the reply comes back, it
is from IP-B. Does it care?

I don't understand your question.

The routing (or forwarding) table has almost nothing to do with the
DNS behavior -- other than that the requestor and responder have to
communicate.
 
K> If a Microsoft DNS server received a DNS reply from an IP
K> address that was not defined in its IP Forwarding table -
K> would it drop it?

What do you mean by "its IP Forwarding table" ?
 
If the response has the same DNS ID, it will not. Some firewalls will, though. For more information please refer to 247681 Microsoft
DNS Server Cannot Resolve Some Domain Names http://support.microsoft.com/?id=247681

Thank you,
Mike Johnston
Microsoft Network Support
--

This posting is provided "AS IS" with no warranties, and confers no rights. Use of included script samples is subject to the
terms specified at
http://www.microsoft.com/info/cpyright.htm

Note: For the benefit of the community-at-large, all responses to this message are best directed to the newsgroup/thread from
which they originated.
 
I have a DNS server that has a single IP address
configured in its IP Forwarding table. So, if this DNS
server does not have the answer to a DNS request from a
client in its local table, it will proxy on behalf of the
client and send a DNS query to the IP address in the table.

When the reply comes back, the source IP address in the
reply packet at layer-3 is not the same IP address that
the packet was sent to.

This is because the configured forwarding IP belongs to
a "server load balancer" which will receive the DNS query
and send it to one of several DNS servers who can answer
the query. Because the load balancer is not keeping state
nor is it performing source IP NAT, the packet is sourced
from the actual DNS server that was chosen to get the
packet when it returns to the original DNS server who
could not answer the query.

Because the original DNS server sent the packet to, let's
say 10.0.0.1, but the response comes from 10.0.0.5, will
the original DNS server ignore the response because it
received a reply from an IP address other than "10.0.0.1"?

I have taken traces from client workstations, and they
don't care what IP address the response comes from. All of
our clients have configured DNS entries in their IP stack
to point to a "virtual IP" address on a load balancer and
will receive replies from various DNS boxes just fine.
But, I did not know if the DNS server cared or not. I have
not been able to schedule time to take a trace to know for
sure.

The problem is, whenever the IP Forwarding table is
configured with the "virtual IP address" of the load
balancer, then no one is able to resolve DNS queries that
the original DNS server does not know about. However, when
we configure the REAL IP addresses of the upstream DNS
servers in the IP forwarding table - everything works fine.

Hope this makes sense,
Kim
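Added example, not from any poster in the thread, showing how a resolver's response-matching logic decides the case Kim describes: a query sent to 10.0.0.1 and a reply with the same DNS ID arriving from 10.0.0.5. Matching on ID and question alone accepts it (Mike's point); the RFC 5452 source-address check drops it, which would produce the symptom Kim reports, and turning that check off to accommodate the load balancer also makes spoofed replies easier to slip in. The hostname, transaction ID and answer address are constructed; only the two 10.0.0.x addresses come from the thread.

```python
import struct

# Constructed scenario from the thread: the forwarder sends its query to the
# load-balancer VIP, and the reply comes back from one of the real servers.
VIP = "10.0.0.1"
REAL_SERVER = "10.0.0.5"

def encode_question(qname):
    """Wire-format question: labels, terminating zero, QTYPE=A, QCLASS=IN."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.split("."))
    return labels + b"\x00" + struct.pack("!HH", 1, 1)

def build_query(txid, qname):
    """Minimal recursive query: header (RD set) plus one question."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_question(qname)

def build_response(txid, qname, ip):
    """Response echoing ID and question, with one A record (name via compression pointer)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes(int(o) for o in ip.split("."))
    return header + encode_question(qname) + answer

def question_section(msg):
    """Raw question bytes (name + type + class), used to compare query and reply."""
    i = 12
    while msg[i] != 0:
        i += msg[i] + 1
    return msg[12:i + 5]

def match_response(pending, reply_src, reply, check_source=True):
    """Decide whether a UDP reply belongs to a pending query.
    pending = (ip the query was sent to, query bytes). Returns a reason string."""
    dest_ip, query = pending
    q_id, r_id, r_flags = query[:2], reply[:2], struct.unpack("!H", reply[2:4])[0]
    if not r_flags & 0x8000:
        return "drop: QR bit clear, not a response"
    if r_id != q_id:
        return "drop: transaction ID mismatch"
    if question_section(reply) != question_section(query):
        return "drop: question mismatch"
    if check_source and reply_src != dest_ip:          # RFC 5452 section 9.1 check
        return "drop: source %s != queried %s" % (reply_src, dest_ip)
    return "accept"

if __name__ == "__main__":
    q = build_query(0x1234, "www.example.com")
    r = build_response(0x1234, "www.example.com", "192.0.2.10")
    print(match_response((VIP, q), REAL_SERVER, r))                      # strict: drop
    print(match_response((VIP, q), REAL_SERVER, r, check_source=False))  # ID-only: accept
```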
 
Read Michael's replies (above) and the included links.

Also consider this (and PLEASE post if it helps): There is a setting
in the DNS Advanced properties that I understand to mean something
a bit different than YOUR problem, but it might be worth trying...

It's a check box for "Secure Cache Against Pollution".

It is supposed to be there to reject replies that include resolution for
questions which were NOT asked --but give it a try.

If you disable this protection, you should KNOW and TRUST all DNS
servers the (interior) server queries -- which presumably you do, since I
understand it is forwarding to a "trusted" server for external resolution.
 
Thanks Herb. I did see Michael's reply. Unfortunately,
there is no firewall involved here.

I will check the setting you mentioned. If it works, I
will post.

Thanks,
Kim
 