Recursive DNS Lookups Fail


Glen Roberts - MCSE MCP+I CCNA

Here is the situation. 3 DC's: DC-1.abc.com running Win2K
SP3; DC-2 running Win2K SP4; DC-3 Server 2003.
Recursive lookups work fine for DC-1 and DC-3 (they
are also all DNS servers) but not for DC-2. I can't do an
NSLOOKUP for microsoft.com or any other external domain.
Internal DNS lookups work fine for the server but all
external addresses fail with the "timeout 2 seconds" error
message. There is nothing in the firewall that is
blocking it. It is also a domain.com setup. When I do a
test for lookup within DNS it works fine but when I do a
recursive test it fails after about 10 seconds.
I even tried increasing the timeout value to 10 seconds
and it still fails. I had posted before and had said it
was a single label domain but actually it is not. It's
abc.com for example. If I reinstall DNS will it kill the
DC? It is also running half of the DHCP scopes. Sorry for the
long description.

Any ideas?? It's killing me.
 
Glen Roberts - MCSE MCP+I CCNA said:
Here is the situation. 3 DC's: DC-1.abc.com running Win2K
SP3; DC-2 running Win2K SP4; DC-3 Server 2003.
Recursive lookups work fine for DC-1 and DC-3 (they
are also all DNS servers) but not for DC-2. I can't do an
NSLOOKUP for microsoft.com or any other external domain.

Do you have a "." (root) domain in your DNS zone list? (It may
get created automatically so you might not have noticed.)

Delete it. If you needed it you would know -- it's almost a bug.

Second, check the "root hints" and make sure they reference
the "Internet" roots and not something internal (caused by that root
issue above.) Fix if wrong.

Third: Try Nslookup from one of these DCs to an EXTERNAL
server (ISP etc.) to prove that they can use DNS through the firewalls
in your organization -- I really wouldn't be surprised if you filter this
out -- see next item.

Fourth: Consider FORWARDING since DCs really should not
be doing full recursion ON THE INTERNET.

Internal DNS lookups work fine for the server but all
external addresses fail with the "timeout 2 seconds" error
message. There is nothing in the firewall that is
blocking it. It is also a domain.com setup. When I do a
test for lookup within DNS it works fine but when I do a
recursive test it fails after about 10 seconds.
I even tried increasing the timeout value to 10 seconds
and it still fails. I had posted before and had said it
was a single label domain but actually it is not. It's
abc.com for example. If I reinstall DNS will it kill the
DC? It is also running half of the DHCP scopes. Sorry for the
long description.

Single label domains are only a problem for AD, and AD issues like
replication and client authentication, not for DNS name resolution of
OTHER zones (external ones.)
 
There is no "." anywhere. Also I am using forwarders on
all DNS servers. I am using AT&T's DNS servers.
The other thing I noticed is that on DC-1 & DC-3 in my
cached lookups I have: Cached Lookups ==> .(root) ==> and
then the entries for the root hints and also other
folders. Now on DC-2 it looks like this: Cached Lookups
==> .(root) ==> net ==> then the root hint records and
those folders like biz, com, etc., etc. I can't get rid
of it. I even tried to copy the cache.dns from another
server.
 
Glen Roberts - MCSE MCP+I CCNA said:
There is no "." anywhere. Also I am using forwarders on
all DNS servers. I am using AT&T's DNS servers.
The other thing I noticed is that on DC-1 & DC-3 in my
cached lookups I have: Cached Lookups ==> .(root) ==> and
then the entries for the root hints and also other
folders. Now on DC-2 it looks like this: Cached Lookups
==> .(root) ==> net ==> then the root hint records and
those folders like biz, com, etc., etc. I can't get rid
of it. I even tried to copy the cache.dns from another
server.

They're dynamically created and cached based on the records' TTL. They are
coming from people accessing those sites. Could also be coming from pop-ups
at some sites or could even be from junk mail being received as HTML and the
Outlook client is configured to allow HTML. Can also be from clients using
ICQ and Yahoo instant messenger. Could also be from ActiveX objects running
and hijacking your browser with junk and spyware sending out info.

You can restart the DNS server to clean them out, or rt-click on DNS
servername, clear cache.

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Glen Roberts - MCSE MCP+I CCNA said:
There is no "." anywhere. Also I am using forwarders on
all DNS servers. I am using AT&T's DNS servers.

Then recursive queries from these DCs DIRECTLY shouldn't be a
deal. I would double check the Advanced tab to ensure that
"recursive queries" have not been disabled.

I would also try explicit queries to the FORWARDER (from the
internal DCs) to see if IT IS WORKING correctly.

nslookup www.microsoft.com for.warder.IP.address
and
nslookup -time=10 www.microsoft.com for.warder.IP.address

The other thing I noticed is that on DC-1 & DC-3 in my
cached lookups I have: Cached Lookups ==> .(root) ==> and
then the entries for the root hints and also other
folders. Now on DC-2 it looks like this: Cached Lookups
==> .(root) ==> net ==> then the root hint records and
those folders like biz, com, etc., etc. I can't get rid
of it.

Perfectly normal.
I even tried to copy the cache.dns from another
server.

You might want to quit hacking something you don't understand.
Maybe that's how you messed it up. <grin>
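Added example, not from the thread or from any of the posters: a small Python check that does what the nslookup tests above do (an A query with the recursion-desired bit set, sent straight to a chosen DC or forwarder) and reads the RA bit and RCODE of the reply, so "recursion disabled on the Advanced tab", "server recurses but its root hints/forwarder are broken" and "no reply at all" can be told apart. The server address is whatever you pass in; the two sample replies at the bottom are constructed, not captured.

```python
import socket
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qid=0x1234):
    """Wire-format A query for `name` with the RD bit set, as nslookup sends it."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # flags: RD=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lb)]) + lb.encode() for lb in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def decode_flags(resp):
    """Header fields of a reply that matter for a recursion check."""
    _qid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return {"ra": bool(flags & 0x0080),        # recursion available on the server
            "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
            "answers": ancount}

def diagnose(resp):
    """Map a reply (or None for no reply) to a condition discussed in the thread."""
    if resp is None:
        return "timeout: no reply at all (firewall, or server not listening)"
    f = decode_flags(resp)
    if not f["ra"]:
        return "recursion disabled on this server (check the Advanced tab)"
    if f["rcode"] == "SERVFAIL":
        return "server recurses but cannot resolve (root hints or forwarder broken)"
    if f["rcode"] == "NOERROR" and f["answers"] > 0:
        return "recursive lookup OK"
    return "unexpected rcode " + f["rcode"]

def query(server_ip, name, timeout=2.0):
    """Send one UDP query; None on timeout, mirroring nslookup's 'timed out' case."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server_ip, 53))
        try:
            resp, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return resp if resp[:2] == q[:2] else None  # drop replies with a wrong ID

# Constructed sample replies (not captured from the poster's servers):
REPLY_NO_RA = struct.pack("!HHHHHH", 0x1234, 0x8100, 1, 0, 0, 0)  # QR=1 RD=1 RA=0
REPLY_SERVFAIL = struct.pack("!HHHHHH", 0x1234, 0x8182, 1, 0, 0, 0)  # RA=1 RCODE=2
```

Live use is `diagnose(query("<dc-or-forwarder-ip>", "www.microsoft.com"))` run once per DC and once against the forwarder; a DC that returns RA=0 has recursion switched off, while one that returns SERVFAIL is recursing and failing upstream.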
 