Name Lookup latency when resolving Internet names

  • Thread starter: Vince C.

Vince C.

Hi.

I've installed W2K Adv. server (SP4) with Active Directory. It also works as
an Internet gateway using RRAS/NAT and has 2 network cards. I've also
removed the root entry in the DNS forward lookup zones to enable DNS
forwarding to my ISP. Everything seems properly configured.

However when I try a name resolution using nslookup to external addresses
there is always a time-out two or three times until results are displayed.
The same problem occurs on any workstation that is connected to the private
LAN as well as on the server itself.

Is it a DNS caching problem? Is it a known issue? I don't have that problem
when I boot with Windows XP with Internet connection sharing hence it's
certainly not a problem related to my ISP.

Thanks for any help.

Vince C.
 
Vince C. wrote in message:
: I've installed W2K Adv. server (SP4) with Active Directory. It also works as
: an Internet gateway using RRAS/NAT and has 2 network cards. I've also
: removed the root entry in the DNS forward lookup zones to enable DNS
: forwarding to my ISP. Everything seems properly configured.
:
: However when I try a name resolution using nslookup to external addresses
: there is always a time-out two or three times until results are displayed.
: The same problem occurs on any workstation that is connected to the private
: LAN as well as on the server itself.
:
: Is it a DNS caching problem? Is it a known issue? I don't have that problem
: when I boot with Windows XP with Internet connection sharing hence it's
: certainly not a problem related to my ISP.

Please provide ipconfig /all of the affected system.


--
Roland Hall
/* This information is distributed in the hope that it will be useful, but
without any warranty; without even the implied warranty of merchantability
or fitness for a particular purpose. */
Online Support for IT Professionals -
http://support.microsoft.com/servicedesks/technet/default.asp?fr=0&sd=tech
How-to: Windows 2000 DNS:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;308201
FAQ W2K/2K3 DNS:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;291382
 
Roland Hall said:
Please provide ipconfig /all of the affected system.

Sorry for the delay, Roland. I've just seen your reply. Here's the result (my
system is French so if you want me to translate it, please tell me). The LAN
adapter now has a second IP address, 192.168.0.1, which is required to
communicate with a Wireless device:

C:\>ipconfig /all

Configuration IP de Windows 2000

Nom de l'hôte . . . . . . . . . . : athena
Suffixe DNS principal . . . . . . : mydomain.local
Type de noeud. . . . . . . . . . . : Diffuser (Broadcast)
Routage IP activé . . . . . . . . : Oui
Proxy WINS activé . . . . . . . . : Non
Liste de recherche de suffixe DNS : mydomain.local
teledisnet.be

Ethernet carte Connexion au réseau local (LAN) :

Suffixe DNS spéc. à la connexion. : mydomain.local
Description . . . . . . . . . . . : Carte Realtek RTL8139(A) PCI Fast
Ethernet #2
Adresse physique. . . . . . . . . : 00-50-BF-7B-C5-BD
DHCP activé . . . . . . . . . . . : Non
Adresse IP. . . . . . . . . . . . : 192.168.0.1
Masque de sous-réseau . . . . . . : 255.255.255.0
Adresse IP. . . . . . . . . . . . : 10.10.1.1
Masque de sous-réseau . . . . . . : 255.255.255.0
Passerelle par défaut . . . . . . :
Serveurs DNS. . . . . . . . . . . : 10.10.1.1
NetBIOS sur Tcpip . . . . . . . . : Désactivé

Ethernet carte Internet :

Suffixe DNS spéc. à la connexion. : teledisnet.be
Description . . . . . . . . . . . : Carte Realtek RTL8139(A) PCI Fast
Ethernet
Adresse physique. . . . . . . . . : 00-40-F4-47-B1-1B
DHCP activé . . . . . . . . . . . : Oui
Autoconfiguration activée . . . . : Oui
Adresse IP. . . . . . . . . . . . : 217.117.49.63
Masque de sous-réseau . . . . . . : 255.255.254.0
Passerelle par défaut . . . . . . : 217.117.48.1
Serveur DHCP. . . . . . . . . . . : 217.117.33.133
Serveurs DNS. . . . . . . . . . . : 217.117.33.134
217.117.32.3
NetBIOS sur Tcpip . . . . . . . . : Désactivé
Bail obtenu . . . . . . . . . . . : mardi 19 octobre 2004 19:39:50
Bail expire . . . . . . . . . . . : mercredi 20 octobre 2004 5:39:50

Vince C.
 
Vince C. said:
Sorry for the delay, Roland. I've just seen your reply. Here's the result (my
system is French so if you want me to translate it, please tell me). The LAN
adapter has now a second IP address, 192.168.0.1, which is required to
communicate with a Wireless device:

You can't dependably use two IP#s from different subnets on the same NIC.
All IP#s on a NIC are supposed to be the same subnet,....each subnet is
supposed to use a different physical NIC.
 
Phillip Windell said:
,....each subnet is
supposed to use a different physical NIC.

One exception to that would be a VLAN capable NIC that has the ability to
deal with Frame Tagging. But I don't think that applies here,...I'm just
trying to be accurate.
 
Phillip Windell said:
One exception to that would be a VLAN capable NIC that has the ability to
deal with Frame Tagging. But I don't think that applies here,...I'm just
trying to be accurate.

Well, I must admit my company has a server which has a NIC with two IPs; one
class A, one class B. They're used for routing and it works perfectly. I
personally used this for routing as well on several machines.

However my problem occurred even before I added a second IP to the NIC.

Vince C.
 
Vince C. said:
Well, I must admit my company has a server which has a NIC with two IPs; one
class A, one class B. They're used for routing and it works perfectly. I
personally used this for routing as well on several machines.

However my problem occurred even before I added a second IP to the NIC.

There are all kinds of things in the world of computers that
"kinda-sorta-work-mostly" even when they aren't done right,...until one day
when they don't anymore.

I stand by my recommendation.
 
Vince C. wrote in message:
: "Phillip Windell" <@.> wrote in message %[email protected]...
: > >,....each subnet is
: > > supposed to use a different physical NIC.
: >
: > One exception to that would be a VLAN capable NIC that has the ability to
: > deal with Frame Tagging. But I don't think that applies here,...I'm just
: > trying to be accurate.
:
: Well, I must admit my company has a server which has a NIC with two IPs; one
: class A, one class B. They're used for routing and it works perfectly. I
: personally used this for routing as well on several machines.
:
: However my problem occurred even before I added a second IP to the NIC.

Hi Vince...

I'm concerned with the fact that you're using a private network and a public
network on the same server.
If this is an ISA box, one might be able to understand but even then, I
wouldn't put my ISA box on the border of my network.

You have:

Net -> [outside NIC - W2K Server - inside NIC] -> LAN
Net -> [217.* - W2K Server - 192.*/10.* ->] LAN

Why is the wireless device on a different internal subnet?
Why is a router not involved [VLAN] to connect the two internal subnets?

--
Roland Hall
 
Phillip Windell said:
There are all kinds of things in the world of computers that
"kinda-sorta-work-mostly" even when they aren't done right,...until one day
when they don't anymore.

Phillip,

1. More than 1 IP on a NIC is a feature that is fully supported since NT4.
I've never seen any recommendation of that kind.

2. I had installed W2K on the same machine and set up exactly the same
functionalities (same hardware, same box, same NICs, same ISP). I didn't
experience such latencies.

3. I did experience DNS latencies even ****before**** I put a second IP to
my LAN NIC on the server. So I don't think removing it will solve my
problem, right?

Vince C.
 
Roland Hall said:
Hi Vince...

I'm concerned with the fact that you're using a private network and a public
network on the same server.
If this is an ISA box, one might be able to understand but even then, I
wouldn't put my ISA box on the border of my network.

You have:

Net -> [outside NIC - W2K Server - inside NIC] -> LAN
Net -> [217.* - W2K Server - 192.*/10.* ->] LAN

Why is the wireless device on a different internal subnet?
Why is a router not involved [VLAN] to connect the two internal subnets?

The second IP is used in case the wireless AP is reset. I can change its IP,
of course. But when it's reset it gets 192.168.<something I have to look in
the book for I don't remember>.

So for convenience I left the "fallback" IP on the NIC. But, I repeat, my
problems occurred before I managed to do this. They occurred as soon as I
finished W2K adv. server configuration. Every NIC had only *one* IP at that
time.

So I don't understand why we are talking on this particular "issue". Ok,
adding a second IP with a different subnet to my NIC could result in some
troubles of whatever kind. But those troubles would never have occurred
***before*** that moment, would they?

So the DNS latencies I'm seeing are *not* due to having a second IP on my
NIC, are they?

Vince C.
 
Vince C. wrote in message:
: "Roland Hall" <nobody@nowhere> wrote in message
: > Hi Vince...
: >
: > I'm concerned with the fact that you're using a private network and a
: > public network on the same server.
: > If this is an ISA box, one might be able to understand but even then, I
: > wouldn't put my ISA box on the border of my network.
: >
: > You have:
: >
: > Net -> [outside NIC - W2K Server - inside NIC] -> LAN
: > Net -> [217.* - W2K Server - 192.*/10.* ->] LAN
: >
: > Why is the wireless device on a different internal subnet?
: > Why is a router not involved [VLAN] to connect the two internal subnets?
:
: The second IP is used in case the wireless AP is reset. I can change its IP,
: of course. But when it's reset it gets 192.168.<something I have to look in
: the book for I don't remember>.
:
: So for convenience I left the "fallback" IP on the NIC. But, I repeat, my
: problems occurred before I managed to do this. They occurred as soon as I
: finished W2K adv. server configuration. Every NIC had only *one* IP at that
: time.
:
: So I don't understand why we are talking on this particular "issue".

Probably because that is the way you have it now. It is an unknown since
you are the first I have heard of doing that. I have bound multiple IP
addresses on the same NIC before but not on different networks.

: Ok,
: adding a second IP with a different subnet to my NIC could result in some
: troubles of whatever kind. But those troubles would never have occurred
: ***before*** that moment, would they?

Hard to say what would have occurred before. However, it is also hard to
test the way they are configured currently.

: So the DNS latencies I'm seeing are *not* due to having a second IP on my
: NIC, are they?

I have no idea. Let's look at some other questions:
1. Why have you not gone back to a single IP on a single NIC to test?
2. Why is this being done in production?

To MSFT, a private LAN is separate from a public LAN. Even before active
directory, most of us knew DNS on a private LAN should be separate from a
public LAN. They don't need to know about each other. Your clients get
their DNS from the local DNS server. If they request a public address, the
DNS can, either through root hosts or (a) forwarder(s), forward the request
to be resolved for the public address. It will then cache the response so
subsequent queries, within the ttl for the cached entry, will not have to be
forwarded.

Your local DNS name should be dotted, e.g. domain.local. No servers or
workstations should have their network settings looking at a public DNS
server. I believe with ISA, this does not apply to the public NIC, just the
private one.

Why is this included on the LAN NIC settings?

: Liste de recherche de suffixe DNS : mydomain.local
: teledisnet.be

Also, are you running in native mode?

--
Roland Hall
 
"Roland Hall" <nobody@nowhere> wrote in message ul5utX%[email protected]...
> [...]
> : So the DNS latencies I'm seeing are *not* due to having a second IP on my
> : NIC, are they?
>
> I have no idea. Let's look at some other questions:
> 1. Why have you not gone back to a single IP on a single NIC to test?
> 2. Why is this being done in production?

1. Because I did already long before I posted. It didn't change anything. And
since DNS latencies occurred before - yes I repeat again - I put a second IP to
the LAN NIC... Ok, I've just once again, changed my wireless IP to one in my LAN
subnet, removed the second IP on my LAN NIC, rebooted (just in case) and...
nothing has changed. You won't tell me I didn't want to please you ;-).

Ethernet carte Réseau local :

Connection specific DNS : mydomain.local
Description . . . . . . . . . . . : Carte Realtek RTL8139(A) PCI Fast
Ethernet #2
Physical address. . . . . . . . . : 00-50-BF-7B-C5-BD
DHCP enabled . . . . . . . . . . . : No
IP Address . . . . . . . . . . . . : 10.10.1.1
Subnet mask . . . . . . : 255.255.255.0
Default gateway . . . . . . :
DNS servers. . . . . . . . . . . : 10.10.1.1
NetBIOS over Tcpip . . . . . . . . : Disabled


2. Oh, production, production... it's a big word. It's just a test server not a
production server. I set it up for training purposes mainly.

> To MSFT, a private LAN is separate from a public LAN. Even before active
> directory, most of us knew DNS on a private LAN should be separate from a
> public LAN. They don't need to know about each other. Your clients get
> their DNS from the local DNS server. If they request a public address, the
> DNS can, either through root hosts or (a) forwarder(s), forward the request
> to be resolved for the public address. It will then cache the response so
> subsequent queries, within the ttl for the cached entry, will not have to be
> forwarded.
>
> Your local DNS name should be dotted, e.g. domain.local. No servers or
> workstations should have their network settings looking at a public DNS
> server. I believe with ISA, this does not apply to the public NIC, just the
> private one.

My - test - LAN is a private one. I have installed W2K server with Active
Directory, native mode as I have no WinNT workstation. Since AD requires DNS,
there is no other choice. And I wanted to try Active Directory. And my domain,
mydomain.local - which is not the real one but... you know - is dotted. Just
like W2K adv. server Setup Wizard told me it had to be when I installed the
server.

> Why is this included on the LAN NIC settings?
>
> Liste de recherche de suffixe DNS : mydomain.local
> teledisnet.be

teledisnet.be is my ISP's DNS, on the public NIC (DHCP client). mydomain.local
is my local domain.

> Also, are you running in native mode?

Yes.


But what if we got back to my problem? On the server itself I can type "nslookup
www.microsoft.com" three times until I get a non-timed-out response. It's just
as if DNS results were *not* cached. OTOH there is no "cached results" in the
DNS tree on the server DNS, like I see on my company's domain controller. Note
the latter doesn't run AD natively but mixed. Does it help?

Vince C.
 
Vince C. wrote in message:
: "Roland Hall" <nobody@nowhere> wrote in message ul5utX%[email protected]...
: [...]
: > : So the DNS latencies I'm seeing are *not* due to having a second IP on my
: > : NIC, are they?
: >
: > I have no idea. Let's look at some other questions:
: > 1. Why have you not gone back to a single IP on a single NIC to test?
: > 2. Why is this being done in production?
:
: 1. Because I did already long before I posted. It didn't change anything. And
: since DNS latencies occurred before - yes I repeat again - I put a second IP to
: the LAN NIC... Ok, I've just once again, changed my wireless IP to one in my LAN
: subnet, removed the second IP on my LAN NIC, rebooted (just in case) and...
: nothing has changed. You won't tell me I didn't want to please you ;-).

I'd never say that. (O:=

: Ethernet carte Réseau local :
:
: Connection specific DNS : mydomain.local
: Description . . . . . . . . . . . : Carte Realtek RTL8139(A) PCI Fast
: Ethernet #2
: Physical address. . . . . . . . . : 00-50-BF-7B-C5-BD
: DHCP enabled . . . . . . . . . . . : No
: IP Address . . . . . . . . . . . . : 10.10.1.1
: Subnet mask . . . . . . : 255.255.255.0
: Default gateway . . . . . . :
: DNS servers. . . . . . . . . . . : 10.10.1.1
: NetBIOS over Tcpip . . . . . . . . : Disabled
:

Please show the full ipconfig /all.

: My - test - LAN is a private one. I have installed W2K server with Active
: Directory, native mode as I have no WinNT workstation. Since AD requires DNS,
: there is no other choice. And I wanted to try Active Directory. And my domain,
: mydomain.local - which is not the real one but... you know - is dotted. Just
: like W2K adv. server Setup Wizard told me it had to be when I installed the
: server.
:
:
: > Why is this included on the LAN NIC settings?
: >
: > Liste de recherche de suffixe DNS : mydomain.local
: > teledisnet.be
:
: teledisnet.be is my ISP's DNS, on the public NIC (DHCP client). mydomain.local
: is my local domain.

Please uncheck Append parent suffixes of the primary DNS suffix and Register
this connection's addresses in DNS on the public NIC and remove
teledisnet.be on the internal NIC.

On your forwarder, is the Do not use recursion checkbox unchecked?


: But what if we got back to my problem? On the server itself I can type "nslookup
: www.microsoft.com" three times until I get a non-timed-out response. It's just
: as if DNS results were *not* cached. OTOH there is no "cached results" in the
: DNS tree on the server DNS, like I see on my company's domain controller. Note
: the latter doesn't run AD natively but mixed. Does it help?

Perhaps you should review this document and see if there is anything you
have missed or is different.
http://www.isaserver.org/tutorials/Installing_ISA_Server_on_a_Domain_Controller.html

--
Roland Hall
 
"Roland Hall" <nobody@nowhere> wrote in message eNe6gc%[email protected]...
> [...]
> Please show the full ipconfig /all.
> [...]
> Please uncheck Append parent suffixes of the primary DNS suffix and Register
> this connection's addresses in DNS on the public NIC

Done.

> and remove teledisnet.be on the internal NIC.

It was already done. Local NIC is "mydomain.local".

> On your forwarder, is the Do not use recursion checkbox unchecked?

Yep, it's unchecked.

> Perhaps you should review this document and see if there is anything you
> have missed or is different.
> http://www.isaserver.org/tutorials/Installing_ISA_Server_on_a_Domain_Controller.html

" A basic rule of thumb is to never trust the Active Directory DNS Wizard and do
it yourself. "

ROTFLMAO. M$, why provide a wizard if everything has to be done manually? I
should have known that since the very first day I ever installed a server that
way... <sigh>.

Ok. I think we'll stop here. This is the second time I reinstalled my test
server for good following exactly the same steps I had put on my check list. And
I'm not going to reinstall it again.

It's not the first time I ever install a server and I'm starting to get used to
it. As for this particular case I think I'll try an alternate solution. And
probably not one from MS... If I can't trust what I'm working on, there's no point
in going on in that direction.

Thanks a lot for your kind help and taking your time.

Kind regards,
Vince C.
 
Vince C. wrote in message:
: "Roland Hall" <nobody@nowhere> wrote in message eNe6gc%[email protected]...
: [...]
: > Please show the full ipconfig /all.
: [...]
: > Please uncheck Append parent suffixes of the primary DNS suffix and Register
: > this connection's addresses in DNS on the public NIC
:
: Done.
:
:
: > and remove teledisnet.be on the internal NIC.
:
: It was already done. Local NIC is "mydomain.local".
:
:
: > On your forwarder, is the Do not use recursion checkbox unchecked?
:
: Yep, it's unchecked.
:
:
: > Perhaps you should review this document and see if there is anything you
: > have missed or is different.
: > http://www.isaserver.org/tutorials/Installing_ISA_Server_on_a_Domain_Controller.html
:
: " A basic rule of thumb is to never trust the Active Directory DNS Wizard and do
: it yourself. "
:
: ROTFLMAO. M$, why provide a wizard if everything has to be done manually? I
: should have known that since the very first day I ever installed a server that
: way... <sigh>.
:
: Ok. I think we'll stop here. This is the second time I reinstalled my test
: server for good following exactly the same steps I had put on my check list. And
: I'm not going to reinstall it again.
:
: It's not the first time I ever install a server and I'm starting to get used to
: it. As for this particular case I think I'll try an alternate solution. And
: probably not one from MS... If I can't trust what I'm working on, there's no point
: in going on in that direction.
:
: Thanks a lot for your kind help and taking your time.

Ok Vince. You are free to do as you please and hopefully things will work
out; however, I'll offer this:

1. The Wizard is not necessarily for everyone and IMHO, is quite basic. A
wizard generally limits your abilities and therefore custom is for those who
are experienced. The wizard usually slows me down.
2. If this didn't actually work, everyone would be complaining. I have
found when something doesn't work, there are a few options:
a. Educate myself on the issue.
b. Recheck my configuration.
c. Ask for help.
d. Punt.

A and B usually work together and I have never had to go to D.

You can use a sniffer and monitor the messaging and see exactly what is
happening. What it sounds like is that the wrong DNS server is attempting
to resolve the name. Also, when you make changes, you might want to flush
your cache to make sure your DNS is not poisoned.

Good luck.

--
Roland Hall
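Roland's advice above to sniff the DNS traffic and see which server is actually attempting the resolution, together with his earlier forwarder-and-cache explanation, can be turned into a small offline check. The following is an added example, not code from the thread: it works on a constructed list of capture-style records using the thread's addresses (10.10.1.1 local DNS, 217.117.33.134 and 217.117.32.3 ISP resolvers, 217.117.49.63 public side), pairs each query with its response, and reports which hop left queries unanswered and whether a LAN host bypasses the local DNS.

```python
"""Added example (not from the thread): pair DNS queries with their responses
from capture-style records (seconds, src_ip, dst_ip, qname, 'Q' or 'R')."""
from collections import defaultdict

LOCAL_DNS = "10.10.1.1"                       # W2K DNS / forwarder (from the thread)
ISP_DNS = {"217.117.33.134", "217.117.32.3"}  # ISP resolvers shown in ipconfig
LAN_PREFIX = "10.10.1."                       # internal subnet (from the thread)
TIMEOUT = 2.0                                 # seconds before a query counts as unanswered

# Constructed capture, not real traffic: a LAN client asks the local DNS, which
# forwards from its public address; the first forwarder never answers.
RECORDS = [
    (0.0, "10.10.1.5", LOCAL_DNS, "www.microsoft.com", "Q"),
    (0.0, "217.117.49.63", "217.117.33.134", "www.microsoft.com", "Q"),  # forwarded
    (2.0, "10.10.1.5", LOCAL_DNS, "www.microsoft.com", "Q"),              # client retry
    (2.0, "217.117.49.63", "217.117.33.134", "www.microsoft.com", "Q"),
    (4.0, "10.10.1.5", LOCAL_DNS, "www.microsoft.com", "Q"),
    (4.0, "217.117.49.63", "217.117.32.3", "www.microsoft.com", "Q"),    # second forwarder
    (4.1, "217.117.32.3", "217.117.49.63", "www.microsoft.com", "R"),
    (4.1, LOCAL_DNS, "10.10.1.5", "www.microsoft.com", "R"),
    (6.0, "10.10.1.7", "217.117.33.134", "www.example.com", "Q"),        # LAN host bypassing local DNS
]


def analyze(records, timeout=TIMEOUT):
    """Per queried server: query count, answered/unanswered counts and latencies.
    A query is answered by the first unused response with swapped addresses and the
    same name arriving within `timeout` seconds; otherwise it counts as unanswered."""
    stats = defaultdict(lambda: {"queries": 0, "answered": 0, "unanswered": 0, "latencies": []})
    used = set()  # indexes of responses already paired with a query
    for i, (t, src, dst, qname, kind) in enumerate(records):
        if kind != "Q":
            continue
        s = stats[dst]
        s["queries"] += 1
        for j in range(i + 1, len(records)):
            rt, rsrc, rdst, rname, rkind = records[j]
            if j in used or rkind != "R" or (rsrc, rdst, rname) != (dst, src, qname):
                continue
            if rt - t <= timeout:
                used.add(j)
                s["answered"] += 1
                s["latencies"].append(round(rt - t, 3))
                break
        else:
            s["unanswered"] += 1
    return dict(stats)


def stalled_hops(stats):
    """Servers that left at least one query unanswered, worst first."""
    return sorted((srv for srv, s in stats.items() if s["unanswered"]),
                  key=lambda srv: -stats[srv]["unanswered"])


def lan_clients_bypassing_local_dns(records):
    """LAN hosts querying an ISP resolver directly instead of the local DNS."""
    return sorted({src for _, src, dst, _, kind in records
                   if kind == "Q" and src.startswith(LAN_PREFIX) and dst in ISP_DNS})


def diagnose(stats):
    """Say whether the stall is at the local server or at an upstream forwarder."""
    local_unanswered = stats.get(LOCAL_DNS, {}).get("unanswered", 0)
    upstream = [srv for srv in stalled_hops(stats) if srv != LOCAL_DNS]
    if local_unanswered and upstream:
        return "upstream: %s left queries unanswered" % ", ".join(upstream)
    if local_unanswered:
        return "local: %s stalls although every forwarder answered" % LOCAL_DNS
    return "no stalled queries"


if __name__ == "__main__":
    result = analyze(RECORDS)
    print(diagnose(result))
    print("LAN hosts bypassing the local DNS:", lan_clients_bypassing_local_dns(RECORDS))
```

On the constructed data the local server only appears slow because its first forwarder never answers; with a real capture the same pairing distinguishes that case from a local server that fails to cache or recurse.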
 