Root DNS Server


Here is the deal. Needed to migrate DNS off a Unix DNS server. Started with
a stand alone 2003 member server, installed DNS, created a secondary zone,
transferred the zone from the Unix server, made it a primary zone and dcpromo'd
the box. The transferred zone name will also be the name of the new domain,
since all clients were using the Unix DNS and have the suffix configured.
Here is the main problem. Since I dcpromo'd the DNS server, it is now the root
server and will not use the root hints. I can't use IP forwarding because we
do not want to use our ISP's DNS, due to reliability and performance. I
have read that I needed to delete the DNS zone to allow the usage of root
hints, but I cannot because it is my AD zone. Any suggestions would be helpful
on configuring the zone not to be the root server.

Thanks,
 
Mike B. said:
Here is the deal. Needed to migrate DNS off a Unix DNS
server. Started with a stand alone 2003 member server,
installed DNS, created a secondary zone, transferred the
zone from the Unix server, made it a primary zone and
dcpromo'd the box. The transferred zone name will also be
the name of the new domain, since all clients were using
the Unix DNS and have the suffix configured. Here is the
main problem. Since I dcpromo'd the DNS server, it is now
the root server and will not use the root hints. I
can't use IP forwarding because we do not want to use our
ISP's DNS, due to reliability and performance. I have
read that I needed to delete the DNS zone to allow the
usage of root hints, but I cannot because it is my AD
zone. Any suggestions would be helpful on configuring the
zone not to be the root server.

Thanks,

Delete the "." forward lookup zone in your DNS server.
 
Thanks Kevin,

The only problem is that there is no "." zone in Forward Lookup Zones.
The root hints tab is available so it really is not a root DNS server. But I
can only get external DNS resolution if I configure forwarders.

Thanks again,
 
Mike B. said:
Thanks Kevin,

The only problem is that there is no "." zone in
Forward Lookup Zones. The root hints tab is available so
it really is not a root DNS server. But I can only get
external DNS resolution if I configure forwarders.

Are the root hints resolved to IP addresses?
Using nslookup can you resolve the NS records for the internet roots?
Here are the commands:
nslookup (hit enter)
set type=ns (hit enter)
.. (hit enter)

It should return this if using the ICANN root:

Non-authoritative answer:
(root) nameserver = K.ROOT-SERVERS.NET
(root) nameserver = L.ROOT-SERVERS.NET
(root) nameserver = M.ROOT-SERVERS.NET
(root) nameserver = I.ROOT-SERVERS.NET
(root) nameserver = E.ROOT-SERVERS.NET
(root) nameserver = D.ROOT-SERVERS.NET
(root) nameserver = A.ROOT-SERVERS.NET
(root) nameserver = H.ROOT-SERVERS.NET
(root) nameserver = C.ROOT-SERVERS.NET
(root) nameserver = G.ROOT-SERVERS.NET
(root) nameserver = F.ROOT-SERVERS.NET
(root) nameserver = B.ROOT-SERVERS.NET
(root) nameserver = J.ROOT-SERVERS.NET

K.ROOT-SERVERS.NET internet address = 193.0.14.129
L.ROOT-SERVERS.NET internet address = 198.32.64.12
M.ROOT-SERVERS.NET internet address = 202.12.27.33
I.ROOT-SERVERS.NET internet address = 192.36.148.17
E.ROOT-SERVERS.NET internet address = 192.203.230.10
D.ROOT-SERVERS.NET internet address = 128.8.10.90
A.ROOT-SERVERS.NET internet address = 198.41.0.4
H.ROOT-SERVERS.NET internet address = 128.63.2.53
C.ROOT-SERVERS.NET internet address = 192.33.4.12
G.ROOT-SERVERS.NET internet address = 192.112.36.4
F.ROOT-SERVERS.NET internet address = 192.5.5.241
B.ROOT-SERVERS.NET internet address = 192.228.79.201
J.ROOT-SERVERS.NET internet address = 192.58.128.30
 
I have read that I needed to delete the DNS zone to allow the usage of root hints, [...]

If you have, what you read was wrong. The right answer is somewhat different.
 
Mike B. said:
Kevin,

Ran the nslookup and got no output for the ICANN root.

So the Root Hints are not listed or resolved on the root hints tab?
Replace the cache.dns file or manually enter the NS records and IP addresses
I previously posted on the Root Hints tab.
 
Okay, I have re-entered the root hints servers and done the nslookup and they
have resolved. I have restarted the server and it still doesn't seem to want to
use the root hints. I can resolve everything that is in my Windows domain
zone, but still will not resolve using root hints.

Thanks,

Mike
 
Mike B. said:
Okay, I have re-entered the root hints servers and done
the nslookup and they have resolved. I have restarted
the server and it still doesn't seem to want to use the root
hints. I can resolve everything that is in my Windows
domain zone, but still will not resolve using root hints.

Do you have "Do not use recursion" checked on the forwarders tab?

How can you tell it is not using the root hints?
 
Recursion is not checked. I just assumed since there were no forwarders
listed that it would use root hints.

Okay, I'll bite. How can I tell if I am using root hints or not?

What could I do to troubleshoot besides nslookup?
 
Mike B. said:
Recursion is not checked. I just assumed since there
were no forwarders listed that it would use root hints.

Okay, I'll bite. How can I tell if I am using root hints
or not?

What could I do to troubleshoot besides nslookup?
Download Netdig from www.mvptools.com , unzip it to a local drive and double
click the Netdig.exe. (.NET Framework available from Windows Update
required) This will open up a GUI tool for testing DNS; using the trace
option you can see if it gets referrals from the root servers. Root servers
can only give referrals and cannot be used as forwarders because they do not
support recursion. Make sure Disable recursion is not checked on the
Advanced tab.

If you use the trace option you should get an answer like this, except yours
will probably be from the ICANN Root. (My servers serve the ORSC Root.)
NetDig 2.5 >> microsoft.com. a /trace

Query DNS Server Server Reply
----------------------------------- -----------------------------------
.. -> a.root-servers.orsc.
a.root-servers.orsc. -> a.gtld-servers.net.
a.gtld-servers.net. -> ns1.msft.net.
ns1.msft.net. microsoft.com.

ns1.msft.net. Reply:
 
I get this trace result below.

NetDig 2.5 >> www.microsoft.com. a /trace

Query DNS Server Server Reply
----------------------------------- -----------------------------------
.. -> B.ROOT-SERVERS.NET.
 
I didn't have the DNS IP address configured correctly when I sent the last
error.

I really don't get any response when doing a trace to www.microsoft.com.

I just receive this error below.
 
Mike B. said:
I get this trace result below.

NetDig 2.5 >> www.microsoft.com. a /trace

Query DNS Server Server Reply

It is using the root servers, it just can't get an answer from them or is
not able to contact them.

Do you have a firewall, or have you blocked any ports?
 
Kevin,

From what I have been told, there is nothing blocking this server from
making requests to the root servers.

Why then is it that it works when I enable forwarders? You would think that
if it were blocked for one, it would be blocked for both. (with or without
forwarders)
 
I have enabled DNS logging and this is some of the log.

07:25:54 684 PACKET UDP Snd 192.58.128.30 29f4 Q [0000 NOERROR] (0)
07:25:54 684 PACKET UDP Snd 192.112.36.4 31fe Q [0000 NOERROR] (3)www(3)msn(3)com(0)
07:25:54 678 PACKET UDP Rcv 192.58.128.30 29f4 R Q [0084 A NOERROR] (0)
07:25:58 5A4 PACKET UDP Snd 192.5.5.241 31fe Q [0000 NOERROR] (3)www(3)msn(3)com(0)
07:26:00 684 PACKET UDP Rcv 199.26.229.11 002a Q [0001 D NOERROR] (3)www(3)msn(3)com(0)
07:26:00 684 PACKET UDP Snd 192.58.128.30 1200 Q [0000 NOERROR] (3)www(3)msn(3)com(0)
07:26:02 5A4 PACKET UDP Snd 128.8.10.90 31fe Q [0000 NOERROR] (3)www(3)msn(3)com(0)
07:26:02 5A4 PACKET UDP Snd 192.33.4.12 31fe Q [0000 NOERROR] (3)www(3)msn(3)com(0)
07:26:03 5A4 PACKET UDP Snd 192.58.128.30 1200 Q [0000 NOERROR] (3)www(3)msn(3)com(0)
07:26:06 5A4 PACKET UDP Snd 192.228.79.201 31fe Q [0000 NOERROR] (3)www(3)msn(3)com(0)
07:26:06 5A4 PACKET UDP Snd 198.41.0.4 31fe Q [0000 NOERROR] (3)www(3)msn(3)com(0)
07:26:07 5A4 PACKET UDP Snd 192.58.128.30 1200 Q [0000 NOERROR] (3)www(3)msn(3)com(0)
07:26:07 5A4 PACKET UDP Snd 192.58.128.30 1200 Q [0000 NOERROR] (3)www(3)msn(3)com(0)
07:26:10 5A4 PACKET UDP Snd 199.26.229.11 002a R Q [8281 DR SERVFAIL] (3)www(3)msn(3)com(0)
07:26:11 5A4 PACKET UDP Snd 198.41.0.4 1200 Q [0000 NOERROR] (3)www(3)msn(3)com(0)
07:26:11 5A4 PACKET UDP Snd 192.58.128.30 1200 Q [0000 NOERROR] (3)www(3)msn(3)com(0)
07:26:15 5A4 PACKET UDP Snd 199.26.229.11 002a R Q [8281 DR SERVFAIL] (3)www(3)msn(3)com(0)
07:26:59 684 PACKET UDP Rcv 199.26.229.11 c0f9 Q [0001 D NOERROR] (3)www(3)msn(3)com(0)
07:26:59 684 PACKET UDP Snd 128.63.2.53 220c Q [0000 NOERROR] (3)www(3)msn(3)com(0)
07:27:00 684 PACKET UDP Rcv 199.26.229.11 c0f9 Q [0001 D NOERROR] (3)www(3)msn(3)com(0)
07:27:01 684 PACKET UDP Rcv 199.26.229.11 c0f9 Q [0001 D NOERROR] (3)www(3)msn(3)com(0)
07:27:03 5A4 PACKET UDP Snd 198.41.0.4 220c Q [0000 NOERROR] (3)www(3)msn(3)com(0)
07:27:03 678 PACKET UDP Rcv 199.26.229.11 c0f9 Q [0001 D NOERROR] (3)www(3)msn(3)com(0)
07:27:07 5A4 PACKET UDP Snd 192.203.230.10 220c Q [0000 NOERROR] (3)www(3)msn(3)com(0)
07:27:07 5A4 PACKET UDP Snd 128.8.10.90 220c Q [0000 NOERROR] (3)www(3)msn(3)com(0)
07:27:07 684 PACKET UDP Rcv 199.26.229.11 c0f9 Q [0001 D NOERROR] (3)www(3)msn(3)com(0)
07:27:11 5A4 PACKET UDP Snd 128.8.10.90 220c Q [0000 NOERROR] (3)www(3)msn(3)com(0)
07:27:11 5A4 PACKET UDP Snd 192.33.4.12 220c Q [0000 NOERROR] (3)www(3)msn(3)com(0)
07:27:15 5A4 PACKET UDP Snd 199.26.229.11 c0f9 R Q [8281 DR SERVFAIL] (3)www(3)msn(3)com(0)
07:27:42 66C EVENT The DNS server wrote version 25790 of zone compaid.com to file compaid.com.dns.
07:27:46 684 PACKET UDP Rcv 199.26.229.11 dcf8 Q [0001 D NOERROR] (3)www(9)microsoft(3)com(0)
07:27:46 684 PACKET UDP Snd 198.32.64.12 2216 Q [0000 NOERROR] (3)www(9)microsoft(3)com(0)
07:27:47 684 PACKET UDP Rcv 199.26.229.11 dcf8 Q [0001 D NOERROR] (3)www(9)microsoft(3)com(0)
07:27:48 678 PACKET UDP Rcv 199.26.229.11 dcf8 Q [0001 D NOERROR] (3)www(9)microsoft(3)com(0)
07:27:50 5A4 PACKET UDP Snd 198.41.0.4 2216 Q [0000 NOERROR] (3)www(9)microsoft(3)com(0)
07:27:50 684 PACKET UDP Rcv 199.26.229.11 dcf8 Q [0001 D NOERROR] (3)www(9)microsoft(3)com(0)
07:27:54 5A4 PACKET UDP Snd 192.203.230.10 2216 Q [0000 NOERROR] (3)www(9)microsoft(3)com(0)
07:27:54 5A4 PACKET UDP Snd 128.8.10.90 2216 Q [0000 NOERROR] (3)www(9)microsoft(3)com(0)
07:27:54 684 PACKET UDP Rcv 199.26.229.11 dcf8 Q [0001 D NOERROR] (3)www(9)microsoft(3)com(0)
07:27:58 5A4 PACKET UDP Snd 128.8.10.90 2216 Q [0000 NOERROR] (3)www(9)microsoft(3)com(0)
07:27:58 5A4 PACKET UDP Snd 192.33.4.12 2216 Q [0000 NOERROR] (3)www(9)microsoft(3)com(0)
07:28:01 684 PACKET UDP Rcv 199.26.229.11 58ff Q [0001 D NOERROR] (4)auto(6)search(3)msn(3)com(0)
07:28:01 684 PACKET UDP Snd 128.8.10.90 3a1c Q [0000 NOERROR] (4)auto(6)search(3)msn(3)com(0)
07:28:02 5A4 PACKET UDP Snd 199.26.229.11 dcf8 R Q [8281 DR SERVFAIL] (3)www(9)microsoft(3)com(0)
07:28:03 678 PACKET UDP Rcv 199.26.229.11 58ff Q [0001 D NOERROR] (4)auto(6)search(3)msn(3)com(0)
07:28:04 684 PACKET UDP Rcv 199.26.229.11 58ff Q [0001 D NOERROR] (4)auto(6)search(3)msn(3)com(0)
07:28:05 5A4 PACKET UDP Snd 198.41.0.4 3a1c Q [0000 NOERROR] (4)auto(6)search(3)msn(3)com(0)
07:28:06 684 PACKET UDP Rcv 199.26.229.11 58ff Q [0001 D NOERROR] (4)auto(6)search(3)msn(3)com(0)
07:28:09 5A4 PACKET UDP Snd 192.203.230.10 3a1c Q [0000 NOERROR] (4)auto(6)search(3)msn(3)com(0)
07:28:09 5A4 PACKET UDP Snd 128.8.10.90 3a1c Q [0000 NOERROR] (4)auto(6)search(3)msn(3)com(0)
07:28:10 684 PACKET UDP Rcv 199.26.229.11 58ff Q [0001 D NOERROR] (4)auto(6)search(3)msn(3)com(0)
07:28:13 5A4 PACKET UDP Snd 192.203.230.10 3a1c Q [0000 NOERROR] (4)auto(6)search(3)msn(3)com(0)
07:28:13 5A4 PACKET UDP Snd 192.33.4.12 3a1c Q [0000 NOERROR] (4)auto(6)search(3)msn(3)com(0)
07:28:17 5A4 PACKET UDP Snd 199.26.229.11 58ff R Q [8281 DR SERVFAIL] (4)auto(6)search(3)msn(3)com(0)
 
Mike B. said:
Kevin,

From what I have been told, there is nothing blocking
this server from making requests to the root servers.

Why then is it that it works when I enable forwarders?
You would think that if it were blocked for one, it would be
blocked for both. (with or without forwarders)

Do you have a firewall or packet filtering enabled?
The only thing I can think of is that you can only send and receive packets
on 53 UDP to and from your ISP's DNS address.
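An added Python example, not from the thread and not a Microsoft tool, that reads lines in the format of the debug log Mike posted and pairs each outbound query with a reply from the same remote IP and transaction id. Root-server IPs that were sent queries but never answered, next to the SERVFAILs handed back to the client, are the pattern Kevin is describing; the sample log below is constructed from lines in that format.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the thread's debug log: a priming query to a root
# server that is answered, a client query relayed to two roots with no reply, and the SERVFAIL
SAMPLE_LOG = """\
07:25:54 684 PACKET UDP Snd 192.58.128.30 29f4 Q [0000 NOERROR] (0)
07:25:54 678 PACKET UDP Rcv 192.58.128.30 29f4 R Q [0084 A NOERROR] (0)
07:26:00 684 PACKET UDP Rcv 199.26.229.11 002a Q [0001 D NOERROR] (3)www(3)msn(3)com(0)
07:26:00 684 PACKET UDP Snd 192.58.128.30 1200 Q [0000 NOERROR] (3)www(3)msn(3)com(0)
07:26:02 5A4 PACKET UDP Snd 128.8.10.90 31fe Q [0000 NOERROR] (3)www(3)msn(3)com(0)
07:26:10 5A4 PACKET UDP Snd 199.26.229.11 002a R Q [8281 DR SERVFAIL] (3)www(3)msn(3)com(0)
"""

# time, thread id, proto, direction, remote IP, transaction id, optional R (response) flag,
# [header flags, optional letters, rcode], question name in wire-label notation
LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) (?P<tid>\w+) PACKET (?P<proto>UDP|TCP) "
    r"(?P<dir>Snd|Rcv) (?P<ip>\S+) (?P<xid>[0-9a-f]{4}) (?P<resp>R )?Q "
    r"\[(?P<flags>[0-9a-f]{4})(?: [A-Z]+)? (?P<rcode>\w+)\] (?P<name>\S+)$"
)

def decode_name(wire):
    """'(3)www(3)msn(3)com(0)' -> 'www.msn.com'; the bare root '(0)' -> '.'"""
    labels = [lab for _, lab in re.findall(r"\((\d+)\)([^(]*)", wire) if lab]
    return ".".join(labels) or "."

def parse(log):
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:  # EVENT lines and anything else that is not a PACKET record are skipped
            rec = m.groupdict()
            rec["resp"] = rec["resp"] is not None
            rec["name"] = decode_name(rec["name"])
            yield rec

def summarize(log):
    """Per remote IP: queries that got a reply (same IP and xid) and names still waiting
    for one; plus the (client IP, name) pairs the server answered with SERVFAIL."""
    pending, answered, servfail = defaultdict(dict), defaultdict(int), []
    for r in parse(log):
        if r["dir"] == "Snd" and not r["resp"]:
            pending[r["ip"]][r["xid"]] = r["name"]
        elif r["dir"] == "Rcv" and r["resp"] and r["xid"] in pending.get(r["ip"], {}):
            del pending[r["ip"]][r["xid"]]
            answered[r["ip"]] += 1
        elif r["dir"] == "Snd" and r["resp"] and r["rcode"] == "SERVFAIL":
            servfail.append((r["ip"], r["name"]))
    per_ip = {ip: {"answered": answered[ip], "unanswered": sorted(pending[ip].values())}
              for ip in set(pending) | set(answered)}
    return per_ip, servfail
```

Run `summarize()` over the real log file instead of `SAMPLE_LOG`; an IP with a non-empty `unanswered` list and `answered` of zero is a server the box can reach on the way out but never hears back from.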
 