Mail forwarders stop working when they feel like it


Rick

I work in a small private network in a very large organization.

The network team made some changes this weekend. Ever since, my DNS
forwarding fails to forward at random. I can fix it by stopping and starting
the DNS server service. It's two separate servers, they both do the same
thing. As soon as I restart the service, they start working again for an
undetermined period of time.

The only thing that has changed is the network changes that were made. You
know how network guys are, they will swear up and down that they didn't make
any change that could cause it and it must be my servers having an issue.
Just so happens that they both started doing it at the same time right when
the network change was made. There were no changes of any kind done on
either of the DNS servers and they worked flawlessly prior to this past
weekend when the changes were made. The changes were that they put up a
redundant firewall. They had one going and have virtually clustered it.

Internal queries are fine; just anything outside the internal domain that
would require the forwarders is what stopped working. When on the DNS server
itself, it won't resolve (ex. www.google.com). Set the DNS server's NIC
to use the forwarder as one of its DNS servers and it will resolve; however,
clients that use this DNS server will still not resolve.

No error message in event viewer.

Any ideas from anyone?

All ears here. Windows 2000 SP4.

Thanks
 

This almost sounds like in DNS a root zone was created or recursion was
disabled.

On a far off note, which I don't think has anything to do with it, they may
be allowing UDP 53 but not TCP 53 on the one DNS. If the response packet of a
query is larger than 500 bytes, such as domains with numerous resource
records, it will revert to TCP when using Windows 2000 DNS.

If it were Windows 2003, I would have said they weren't allowing EDNS0
and/or the firewall was not updated to allow EDNS0. This allows UDP queries
to 1280 bytes, eliminating the extra step to switch to TCP, which takes up
more resources.

You'll have to tell them point blank and between the eyes you are having
difficulties since their changes were implemented. If they are good
administrators, they will realize that your complaints are real and will
address and resolve them. If they ignore you, it may come down to a
political issue or job security on their part, both of which I look at as
unprofessional. I wish you luck if this is the case.


--
Regards,
Ace


Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT,
MVP Microsoft MVP - Directory Services
Microsoft Certified Trainer

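Two of the points raised above (recursion switched off on the forwarder, and UDP 53 open while TCP 53 is filtered) can be confirmed from the DNS server's own side without waiting for the network team. The following is an added example, not code from this thread or from Microsoft: it hand-builds a DNS query, sends it to a forwarder over both UDP and TCP, and reads the header flags that matter (RA, TC, RCODE). The forwarder address 192.0.2.53 is a placeholder; the header layout follows RFC 1035.

```python
import random
import socket
import struct
import sys


def build_query(name, qtype=1, txid=None):
    """Build a minimal recursive (RD=1) DNS query; returns (txid, wire bytes)."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return txid, header + qname + struct.pack("!HH", qtype, 1)  # qtype A, class IN


def parse_header(resp):
    """Decode the 12-byte DNS header into the flags that matter for this check."""
    if len(resp) < 12:
        raise ValueError("response shorter than a DNS header")
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return {
        "txid": txid,
        "qr": bool(flags & 0x8000),   # response bit
        "tc": bool(flags & 0x0200),   # truncated: the client must retry over TCP
        "ra": bool(flags & 0x0080),   # recursion available on the forwarder
        "rcode": flags & 0x000F,
        "ancount": ancount,
    }


def classify(hdr, expected_txid):
    """Turn a parsed header into a one-line verdict."""
    if not hdr["qr"] or hdr["txid"] != expected_txid:
        return "unexpected packet (txid mismatch or not a response)"
    if hdr["rcode"] != 0:
        return "forwarder answered with RCODE %d" % hdr["rcode"]
    if not hdr["ra"]:
        return "forwarder has recursion disabled (RA=0)"
    if hdr["tc"]:
        return "truncated reply (TC=1): this name needs TCP 53 to be open too"
    return "ok (%d answer records)" % hdr["ancount"]


def query_udp(forwarder, name, timeout=3.0):
    txid, q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (forwarder, 53))
        data, _ = s.recvfrom(4096)
    return classify(parse_header(data), txid)


def query_tcp(forwarder, name, timeout=3.0):
    txid, q = build_query(name)
    with socket.create_connection((forwarder, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(q)) + q)   # DNS over TCP is length-prefixed
        prefix = s.recv(2)
        if len(prefix) < 2:
            raise ValueError("forwarder closed the TCP connection early")
        (length,) = struct.unpack("!H", prefix)
        data = b""
        while len(data) < length:
            chunk = s.recv(length - len(data))
            if not chunk:
                break
            data += chunk
    return classify(parse_header(data), txid)


def check_forwarder(forwarder, name="www.google.com"):
    """Probe both transports; a timeout on exactly one of them points at a port filter."""
    results = {}
    for proto, fn in (("UDP/53", query_udp), ("TCP/53", query_tcp)):
        try:
            results[proto] = fn(forwarder, name)
        except OSError as e:   # socket.timeout and ConnectionRefusedError are OSErrors
            results[proto] = "no reply (%s)" % e.__class__.__name__
    return results


if __name__ == "__main__":
    fwd = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.53"   # placeholder forwarder
    for proto, verdict in check_forwarder(fwd).items():
        print(proto, verdict)
```

Run it from the DNS server with the forwarder's address as the argument. "ok" over UDP and "no reply" over TCP is the signature of a firewall passing only UDP 53; RA=0 on both is the forwarder refusing recursion; "no reply" on both while the host still pings is the situation described later in this thread, and is a question for the packet capture rather than the DNS service.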
 
Yes, this may be a chore. While the DNS forwarding is not working, I can
ping the forwarder from my DNS server without issue; it just won't go to it
for queries. It is almost as if at some point network connectivity to the
forwarder is broken. The DNS server attempts to talk to the forwarder, sees
that it is not there, and remembers that it was not there so it quits trying
to go to the forwarder from that point on. When I bounce DNS, it starts the
cycle again. Forwarding works fine until it determines that it can no longer
talk to the forwarder and stops.
 
Tough one to pinpoint.

I would try one more thing. Change the forwarders. Try 4.2.2.3 and 4.2.2.2.
See if they work better than what you have.

If that doesn't do the trick, and you're saying this ALL happened after
their changes were implemented, and you did not touch a thing, then I would
bank on them being the problem.

Ace
 
For any others that get this problem and find this post:

I ran a network monitor on the system. The test had a client, my DNS server,
and my Forwarder involved. Had the client ping www.google.com and then went
back and looked at the packets. One frame for the request from client to my
DNS, one frame from my DNS to forwarder, one from forwarder with answer back
to my DNS and the last my DNS returning query results to the client.

When not working, you only get the first two parts. The forwarder was not
replying. Spent several hours gathering information. DNS logging showed
essentially the same thing. Showed results to network guys and
lo-and-behold, they found a problem in their firewall.

Typical to where you need to show them what their problem is to convince
them that they indeed have a problem.

So to anyone else that has this problem where the forwarders mysteriously
quit working till you recycle the DNS server service, chances are the server
is fine, you have a network issue. Good luck convincing the network guys.
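The four-frame pattern above (client to DNS, DNS to forwarder, forwarder back to DNS, DNS back to client) is a reusable way to tell a server fault from a network fault, so here it is as a small script. This is an added example, not code from this thread: it takes frames in the shape a network monitor or DNS debug log would give you (timestamp, source, destination, queried name, query/response flag), maps them onto the four legs, and names the first leg that is missing. The addresses and the two captures are constructed for the demonstration.

```python
from dataclasses import dataclass


@dataclass
class Frame:
    t: float      # capture timestamp, seconds
    src: str
    dst: str
    qname: str
    qr: int       # 0 = query, 1 = response


# Constructed addresses for the three parties in the capture (not from the thread).
CLIENT, DNS, FWD = "10.1.1.50", "10.1.1.10", "10.0.0.5"

LEGS = ("client->dns query", "dns->forwarder query",
        "forwarder->dns reply", "dns->client reply")


def trace(frames, qname, client=CLIENT, dns=DNS, fwd=FWD):
    """Count, per leg, the frames that belong to one forwarded lookup of qname."""
    seen = {leg: 0 for leg in LEGS}
    for f in sorted(frames, key=lambda f: f.t):
        if f.qname.lower() != qname.lower():
            continue
        key = (f.src, f.dst, f.qr)
        if key == (client, dns, 0):
            seen["client->dns query"] += 1
        elif key == (dns, fwd, 0):
            seen["dns->forwarder query"] += 1
        elif key == (fwd, dns, 1):
            seen["forwarder->dns reply"] += 1
        elif key == (dns, client, 1):
            seen["dns->client reply"] += 1
    return seen


def diagnose(seen):
    """Return (code, explanation) for the first missing leg."""
    l1, l2, l3, l4 = (seen[leg] for leg in LEGS)
    if l1 == 0:
        return "NO_CLIENT_QUERY", "nothing from the client reached the DNS server"
    if l2 == 0 and l4 > 0:
        return "LOCAL_ANSWER", "server answered from cache or a local zone; forwarder not involved"
    if l2 == 0:
        return "NOT_FORWARDED", ("server never asked the forwarder: forwarder marked "
                                 "unreachable, recursion disabled, or a root zone present")
    if l3 == 0:
        return "FORWARDER_SILENT", ("query left for the forwarder %d time(s) and nothing came "
                                    "back: check the path and firewall rules between DNS "
                                    "server and forwarder on UDP and TCP 53" % l2)
    if l4 == 0:
        return "NO_CLIENT_REPLY", "forwarder answered but the server sent nothing to the client"
    return "OK", "all four legs present"


# Two constructed captures: a healthy lookup and the failure mode from this thread.
WORKING = [
    Frame(0.000, CLIENT, DNS, "www.google.com", 0),
    Frame(0.001, DNS, FWD, "www.google.com", 0),
    Frame(0.045, FWD, DNS, "www.google.com", 1),
    Frame(0.046, DNS, CLIENT, "www.google.com", 1),
]
BROKEN = [
    Frame(0.000, CLIENT, DNS, "www.google.com", 0),
    Frame(0.001, DNS, FWD, "www.google.com", 0),
    Frame(3.002, DNS, FWD, "www.google.com", 0),   # server retries, still no reply
]

if __name__ == "__main__":
    for label, cap in (("working", WORKING), ("broken", BROKEN)):
        code, why = diagnose(trace(cap, "www.google.com"))
        print("%s: %s - %s" % (label, code, why))
```

The "broken" capture reproduces what the post describes: the first two legs are there and the forwarder never answers, which is FORWARDER_SILENT. A NOT_FORWARDED result instead (client query arrives, no frame ever leaves for the forwarder) is what you would see once the server has given up on the forwarder and stopped trying, so the two verdicts together separate "the network is dropping it" from "the server has stopped sending".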
 
Just as I thought. Sorry you had to go through all the crap to prove it to
them.

Can you tell us what exactly the problem they found was? That will better
help everyone too. :-)

Thanks!

Ace
 
The short version appears to be that they simply had to re-apply their rule
set to the firewall. He was getting errors that said something like "natted
address is showing as un-natted" or something like that. His firewall
thought that the natted IPs that were coming to it were actual IPs and
reported as so. It appears that his rule doesn't allow that. He tried an
experiment that failed. When he reverted back, the problems quit happening,
so I think he just didn't get a good application of his rule set. When he
reverted back, he did get a good application and that fixed the problem.
 
Thanks for elaborating on the solution. I see firewall problems more with AD
communications, or lack of them, due to the 29+ ports AD requires to be opened.
Firewall configurations can hurt communications when not implemented
properly.

Thanks!

Ace
 