Strange DNS forwarding issues

  • Thread starter: cqmman

cqmman

Hello,

I have a domain controller running Windows 2000, and DNS. The DNS is
configured with about five forwards. The two on the top of the list
are external addresses (to COMPANYA), and the others are internal.

I also have a windows 2003 server which is a member of the domain (not
a DC) and configured to point to the DC for DNS.

I am having a strange problem where intermittently (maybe for a few
hours at a time) if I try and ping servera.companya, it cannot be
resolved (unkonwn host). If I use nslookup, the request times out.

If however, I use nslookup, connect directly to the server at the top
of the forwarding list, and then try and resovle the name, it resolves
fine.

So, the server that I forwarding to can resolve the name, but my local
DC resolves sometimes and not others. There are not changes being made
to the network at these times as far as we are aware, and it seems
like the remote side is working (since NSLOOKUP works when connected
directly).

So any ideas?

Cheers
 
Looking into this further, when I connect to the remote server and do
an NSLOOKUP, I get the following:


server 10.176.1.12
Default Server: serverb.companya
Address: 10.176.1.12
servera.companya
Server: [10.176.1.12]
Address: 10.176.1.12

DNS request timed out.
timeout was 10 seconds.
Name: serverb.companyb
Address: 10.176.1.12
Aliases: servera.companya

So why do I have a timeout and an address? Is it that the timeout is
an attempt from the local DNS? With the server command, I thought it
would try the remote server first?

Cheers
 
cqmman said:
Looking into this further, when I connect to the remote server and do
an NSLOOKUP, I get the following:


server 10.176.1.12
Default Server: serverb.companya
Address: 10.176.1.12
servera.companya
Server: [10.176.1.12]
Address: 10.176.1.12

DNS request timed out.
timeout was 10 seconds.
Name: serverb.companyb
Address: 10.176.1.12
Aliases: servera.companya

So why do I have a timeout and an address? Is it that the timeout is
an attempt from the local DNS? With the server command, I thought it
would try the remote server first?

The problem with the way you have forwarding set up is that in Windows 2000,
which does not support conditional forwarding, if you have a list of
forwarders it will go through the forwarding list one time, or use its
forwarding timeout setting, to decide when to use root hints. If any one of
the servers being forwarded to answers (either negatively or positively), the
query stops. It will not go through the list just to find a DNS server that
answers positively. Any answer is acceptable to the DNS server, even if it
uses recursion. Under Windows 2000, if there are any domains it must answer
for that cannot be found by going to the root servers, you would need a
secondary zone for that domain, and all forwarders would need to be external
DNS servers that can resolve all internet names.
Windows Server 2003 introduced conditional forwarding and stub zones for
this situation.

--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps
Send IM: http://www.icq.com/people/webmsg.php?to=296095728
===================================
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
http://support.wftx.us/
http://message.wftx.us/
===================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders
with OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
===================================
 

Thanks Kevin. I thought that Windows 2000, even though it doesn't
forward conditionally, would still use the first server in the list
though (this being one of the servers that can authenticate the
address)? Just to confirm, is this not the case, and can Windows 2000
go to a server other than the first in the list, even if the first in
the list responds?

Cheers
 
cqmman said:
Thanks Kevin. I thought that Windows 2000, even though it doesn't
forward conditionally, would still use the first server in the list
though (this being one of the servers that can authenticate the
address)? Just to confirm, is this not the case, and can Windows 2000
go to a server other than the first in the list, even if the first in
the list responds?

Actually, the DNS service will stick to the forwarder that provides an
answer, no matter where it is in the list. If one forwarder times out (no
answer) it will move to the next forwarder in the list; if the next
forwarder provides an answer it uses it until it times out. The problem for
you is that it may not get back around to the first forwarder before the
forwarding timeout expires, and it starts using recursion itself and goes to
the root hints.

Now, if you check the box "Do not use recursion" the DNS server will use
only its forwarders, and will not use root hints. But this cannot guarantee
that one of the other servers being used as a forwarder answers the query.

I recommend that if there is a domain that cannot be reached through the
internet root, that you add a secondary zone for that domain on the Win2k
DNS server.


--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps
Send IM: http://www.icq.com/people/webmsg.php?to=296095728
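Both of Kevin's replies describe the same forwarder algorithm: one pass down the list, stick with the first forwarder that answers, treat a negative answer as final, and fall back to root hints once the forwarders are exhausted. The following is an added example, not code from the thread or from Microsoft, that models that behaviour and replays cqmman's scenario against it. The server names, the internal domain `intranet.corp.example`, the public name `www.example.net` and every address other than 10.176.1.12 are constructed, and the forwarding-timeout setting is modelled simply as one pass through the list.

```python
"""Model of the Windows 2000 forwarder behaviour described in this thread
(added example with stand-in servers; not Microsoft's code)."""
from dataclasses import dataclass, field

TIMEOUT = "TIMEOUT"    # no reply from the forwarder
NXDOMAIN = "NXDOMAIN"  # negative answer: the name does not exist there
SERVFAIL = "SERVFAIL"  # the resolver gave up without any answer


@dataclass
class Forwarder:          # a constructed stand-in for a server on the forwarder list
    name: str
    zones: dict           # names this server can answer -> IP
    up: bool = True       # False simulates a server that is unreachable

    def query(self, qname):
        if not self.up:
            return TIMEOUT
        # An unknown name gets a negative answer, which Win2k treats as final too.
        return self.zones.get(qname, NXDOMAIN)


@dataclass
class Win2kResolver:      # the DC's DNS service, following Kevin's description
    forwarders: list
    secondary_zones: dict = field(default_factory=dict)  # zones held locally
    root_hints: dict = field(default_factory=dict)       # what own recursion finds
    use_root_hints: bool = True  # False models the "Do not use recursion" box
    current: int = 0             # index of the forwarder that answered last

    def resolve(self, qname):
        # Zones the server holds itself never go out to a forwarder.
        if qname in self.secondary_zones:
            return self.secondary_zones[qname]
        # One pass through the list, starting with the forwarder that answered last.
        for attempt in range(len(self.forwarders)):
            idx = (self.current + attempt) % len(self.forwarders)
            answer = self.forwarders[idx].query(qname)
            if answer != TIMEOUT:
                self.current = idx  # stick with whoever answered, good or bad
                return answer       # any answer, positive or negative, is final
        # Forwarders exhausted: recurse from the root hints unless disabled.
        if self.use_root_hints:
            return self.root_hints.get(qname, NXDOMAIN)
        return SERVFAIL


def build_forwarders():
    """Two COMPANYA servers and two internal ones; only 10.176.1.12 is from the thread."""
    public = {"servera.companya": "10.176.1.12", "www.example.net": "203.0.113.10"}
    return (Forwarder("ext-a (COMPANYA)", dict(public)),
            Forwarder("ext-b (COMPANYA)", dict(public)),
            Forwarder("int-1", {"intranet.corp.example": "192.168.10.5"}),
            Forwarder("int-2", {"intranet.corp.example": "192.168.10.5"}))


def simulate_mixed_list():
    """The original layout: COMPANYA forwarders on top, internal servers below."""
    ext_a, ext_b, int_1, int_2 = build_forwarders()
    dns = Win2kResolver(forwarders=[ext_a, ext_b, int_1, int_2])
    results = [("healthy", dns.resolve("servera.companya"))]
    # Short outage: both COMPANYA servers time out, int-1 answers NXDOMAIN, done.
    ext_a.up = ext_b.up = False
    results.append(("wan blip", dns.resolve("servera.companya")))
    # Link restored, but the service sticks to int-1 for as long as it answers.
    ext_a.up = ext_b.up = True
    results.append(("wan restored", dns.resolve("servera.companya")))
    # Asking the COMPANYA server directly, as nslookup did in the thread, works.
    results.append(("direct to ext-a", ext_a.query("servera.companya")))
    return results


def simulate_recommended_layout():
    """Kevin's advice: external forwarders only, internal domain as a secondary zone."""
    ext_a, ext_b, _, _ = build_forwarders()
    dns = Win2kResolver(forwarders=[ext_a, ext_b],
                        secondary_zones={"intranet.corp.example": "192.168.10.5"})
    results = [("companya name", dns.resolve("servera.companya")),
               ("internal name", dns.resolve("intranet.corp.example"))]
    ext_a.up = False
    results.append(("ext-a down", dns.resolve("servera.companya")))  # ext-b answers
    ext_a.up = True
    results.append(("after outage", dns.resolve("servera.companya")))
    return results


def simulate_no_recursion_checkbox():
    """Every forwarder silent: root hints rescue the query unless recursion is off."""
    ext_a, ext_b, _, _ = build_forwarders()
    ext_a.up = ext_b.up = False
    hints = {"www.example.net": "203.0.113.10"}
    with_hints = Win2kResolver([ext_a, ext_b], root_hints=hints)
    no_recursion = Win2kResolver([ext_a, ext_b], root_hints=hints, use_root_hints=False)
    return with_hints.resolve("www.example.net"), no_recursion.resolve("www.example.net")


if __name__ == "__main__":
    print(simulate_mixed_list(), simulate_recommended_layout(), simulate_no_recursion_checkbox(), sep="\n")
```

Running it shows the mixed list turning `servera.companya` into NXDOMAIN after a brief outage and staying there once the service has latched onto an internal forwarder, even though the COMPANYA server answers when asked directly; the external-only list with a secondary zone resolves both names and recovers as soon as a forwarder that knows the name answers again.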
 
Brilliant.

Using your information, I removed some unnecessary forwarders, and it
seems to be fine now. Will know in a few days, but so far, all looking
good.

Thanks VM!
 